For the Windows VPN client, what is the best way to update existing systems that need version updates or security updates installed?
Does the VPN client have an auto update process or can the VPN gateway push updates to clients where the users do not have local admin rights?
Are “hotfixes” handled differently?
GlobalProtect does have a way to silently update once updated and published on the firewall, but i recommend using whatever your software deployment process is. So many times the silent update never happens on an endpoint or even worse, the globalprotect client breaks.
From what I know, the users don’t need admin rights to update. You can either force the update when the VPN connects next time or give users a choice whether or not to update. If you go to the ‘App’ settings and find ‘Allow User to Upgrade GlobalProtect App’ there are various options and one of them is update tansparently.
But if you have a different team that manages the devices, make this their problem and let them handle the update via whatever MDM they use.
I personally use the transparent update on all my deployments and have never had any issues. However if you tunnel everything just make sure the client can reach the portal or resolve the dns name if applicable of the portal. Other than that I prefer this over other options…
All this and more answered in your publically available Palo Alto documentation
We do it live. All currently connected users won’t be affected.
We do both. When we update we do it via intune and sccm. After a few weeks we update the profile to push transparently for any clients that didn’t get it via MDM.
Nothing complex, just find a Preferred version
I look at it as beta testing for end users. The last bug-fixing release, App 6.3.1-c383, can’t be upgraded when you have the 6.3.1 version already installed. TAC proposed uninstalling everything for 1,000 users and installing it from scratch. 
Some of childhood issues were finally fixed , but I’m not sure around it - GPC-20492 - PanGPS process crash .
Some of our endusers are involved in Zscaller private / internet access usage - no one issue were reported with clients it self .
Does PA has plans to finally shutdown Global protect era and move everyone to Prisma client that was developed from scratch with endpoint notifications and other valuable features ?
we are using sccm/intune. I tried ONCE to update using the functionality build in to the gateway. I dont want to talk about.
I second updating using SW deployment process. We update it with InTune or SCCM, easy enough to deploy, upgrade and possible to rollback should you need to. I don’t believe rolling back is supported using gp own deployment method.
That has worked well for me too. I don’t like that the pop-up announcing the update disappears in 0.2 seconds. Users don’t see it and get worried when GP restarts. I have had two, maybe three users over a couple of years who, thinking something was wrong, immediately rebooted their computer when GP restarted and it broke the update. I had to walk them through uninstall/reinstall. But it is a minor complaint.
Curious… Do you mean resolving the portal FQDN after being connected and being seen inside?
We are looking for a more seamless way to update than having IT push client reinstalls for every update.
We will push the initial installation through something like SCCM or Intune, but we want updates/patching to be automatic.
So, what is the solution to update 6.3.1 devices to 6.3.1-c383?
Is there a 6.3.2 or higher version coming soon?
The client trties the portal to get it’s configuration. So yes it will try and resolve the fqdn. See this GlobalProtect client upgrades failing to complete.
InTune or SCCM should be used to update it the built in Palo way is pretty trashy And I’ve experienced issues with it upgrading sometimes just straight up failing. Then you get devices that no longer have it installed or are in a broken State not to mention there really is no automatic update. You still have to go manually grab the new client and make it active even on the gateway for its upgrade to happen. It doesn’t just do it.
I’ve always had success with Intune. InTune is easy package new MSI as win32 app upload it and set it to supersede you existing install make sure you check the auto upgrade check box under the assignment option so it will also update install that were available and not required.
GlobalProtect App 6.3.2 has been released.
That seems really strange to me because why would it need to connect to an External gateway when connected and now being seen inside?
When you’re outside: portal.company.com resolves to a public address how and why would you have that internal as well? Plus you’re already connected to that.
What did you do to solve that?
Very odd, but thanks for the heads up!
exactly my problem, host file modifications will allow this but not scalable at all. A-record in top zone causes errors on the dc. Wish there was a service route specifically for GP client updates we can point to the mgmt interface on the FW itself.