Manage Upgrade Options for the GlobalProtect App

Control how Prisma Access manages the GlobalProtect app. Control the active app versions on the Prisma Access portal. Manage the active GlobalProtect version.
Prisma Access hosts the GlobalProtect app version that macOS and Windows users in your organization can download from the Prisma Access portal. Prisma Access offers several versions of the GlobalProtect app, and you can choose to make one of those versions the active version. You can also manage mobile users' access to the GlobalProtect app, or perform staged upgrades.

Select the Active GlobalProtect App Version

Prisma Access manages the GlobalProtect app version for Windows and macOS users in your organization. While Prisma Access hosts several GlobalProtect app versions, only one of the hosted versions is active. When mobile users log in to the Prisma Access portal, the active version is the one they download and use on their Windows and macOS devices.
The System Status page also provides information about your current Panorama version, Cloud Services plugin version, and dataplane version. You can receive notifications and alerts on this page when plugin or Panorama versions become end of support (EoS) for use with Prisma Access. See Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions for details.
If your currently active version is end-of-life, Prisma Access notifies you and requests that you activate a supported version.
You can select different GlobalProtect versions in a multi-tenant deployment. The GlobalProtect app version settings you apply are per tenant and not global; you control the app version on a per-tenant basis.
You can replace the current active version with another hosted version from the Service Setup page by completing the following steps.
  1. Select Panorama > Cloud Services > Configuration > Service Setup.
  2. Select Activate new GlobalProtect App version and compare it to the active GlobalProtect version.
    If your current GlobalProtect version is end-of-life (EoL), a message displays in this area on the Service Setup page; if you receive this message, upgrade your GlobalProtect app version by continuing to the next step.
  3. Select the version to which you want to upgrade.
    A window displays to verify your choice.
    After the app has been activated, you receive a success message.
  4. View the System Status page to verify that the GlobalProtect app version you selected as active is the Active GlobalProtect App version.

Manage Users’ Access to GlobalProtect App Updates

To manage mobile users' access to the active GlobalProtect app version that is hosted by Prisma Access, complete the following steps.
  1. In Panorama, select Network > GlobalProtect > Portals.
  2. Select the Mobile_User_Template from the Template drop-down.
  3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
  4. Select the Agent tab and select the app configuration.
  5. Select the App tab.
  6. In the App Configurations area, select a choice in Allow User to Upgrade GlobalProtect App to specify whether mobile users can upgrade their GlobalProtect app version to the active version that is hosted on Prisma Access and, if they can, whether they can choose when to upgrade:
    • Allow with Prompt (default)—Prompt users when a new version is activated and allow users to upgrade their software when it is convenient.
    • Disallow—Prevent users from upgrading the app software.
    • Allow Manually—Allow users to manually check for and initiate upgrades by selecting Check Version in the GlobalProtect app.
    • Allow Transparently—Automatically upgrade the app software whenever a new version becomes available on the portal.
    • Internal—Automatically upgrade the app software whenever a new version becomes available on the portal, but wait until the endpoint is connected internally to the corporate network. This prevents delays caused by upgrades over low-bandwidth connections.

Perform Staged Updates of the GlobalProtect App

If you manage a large organization, you might want to update mobile users to the latest version of the GlobalProtect app in stages. For example, you could assign a smaller group to update their GlobalProtect app before rolling out the update to everybody in your organization. To do so, complete the following task.
  1. If you have not yet created it, create a user group for the first group of users to which you want to roll out the GlobalProtect app update.
    You can use User-ID to map users to groups, or select Device > Local User Database > User Groups to manually create a group.
  2. Create a new GlobalProtect agent configuration to use for the first group of users.
    1. In Panorama, select Network > GlobalProtect > Portals.
    2. Select the Mobile_User_Template from the Template drop-down.
    3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
    4. Select the Agent tab.
    5. Select the DEFAULT configuration and Clone it.
      You can also Add a new configuration, but cloning the existing configuration copies over required information for the new configuration.
    6. Specify a Name for the configuration.
    7. Select the Config Selection Criteria tab.
    8. In the User/User Group area, select the user group you created in Step 1.
    9. Select the App tab.
    10. Change Allow User to Upgrade GlobalProtect App to either Allow with Prompt or Allow Transparently.
      Allow with Prompt prompts users when a new version is activated and allows them to upgrade their software when it is convenient; Allow Transparently automatically upgrades the app software whenever a new version becomes available on the portal.
    11. Click OK to save your changes.
  3. Select Move Up to move your configuration above the default configuration.
    When an app connects, the portal compares the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
  4. Repeat these steps for the DEFAULT configuration, but change Allow User to Upgrade GlobalProtect App to Disallow to prevent users from updating to the latest GlobalProtect app software.
  5. When you want to let the rest of the users update their apps, change Allow User to Upgrade GlobalProtect App in the DEFAULT configuration to a selection that allows it (either Allow with Prompt or Allow Transparently).
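
The top-down, first-match evaluation described in step 3 decides which upgrade setting each user receives, so the order of the agent configurations determines whether the staged rollout works. The following Python sketch is an added illustration, not Palo Alto Networks code. The group names, sample users, and the assumption that the DEFAULT configuration matches any user are constructed for the example.

```python
# Added illustration: a simplified model of top-down, first-match agent
# configuration selection. All names and data are constructed, not product code.
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentConfig:
    name: str
    groups: frozenset  # user groups in the selection criteria; empty = any user
    upgrade: str       # value of "Allow User to Upgrade GlobalProtect App"

def select_config(configs, user_groups):
    """Return the first config, in list order, whose criteria match the user."""
    for cfg in configs:
        if not cfg.groups or cfg.groups & user_groups:
            return cfg
    return None

def shadowed(configs):
    """Names of configs that can never match because an earlier config
    in the list matches any user."""
    hidden, catch_all_seen = [], False
    for cfg in configs:
        if catch_all_seen:
            hidden.append(cfg.name)
        if not cfg.groups:
            catch_all_seen = True
    return hidden

# Assumption: the cloned pilot config is scoped to one group, DEFAULT to any user.
PILOT = AgentConfig("pilot-upgrade", frozenset({"gp-pilot"}), "Allow with Prompt")
DEFAULT = AgentConfig("DEFAULT", frozenset(), "Disallow")

# Constructed sample users and their group memberships.
USERS = {"alice": {"gp-pilot", "engineering"}, "bob": {"sales"}}

def rollout(configs):
    """Map each sample user to the upgrade setting they would receive."""
    return {u: select_config(configs, set(g)).upgrade for u, g in USERS.items()}

if __name__ == "__main__":
    # Correct order: the pilot group upgrades, everyone else is held back.
    print("pilot above DEFAULT:", rollout([PILOT, DEFAULT]))
    # Wrong order: DEFAULT matches first and the pilot config is never reached.
    print("pilot below DEFAULT:", rollout([DEFAULT, PILOT]),
          "shadowed:", shadowed([DEFAULT, PILOT]))
```

With the pilot configuration left below DEFAULT, every user receives Disallow and the pilot group never upgrades, which is the condition the Move Up step prevents.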
