Global Protect Which Version

We are running Global Protect 6.0.7, which is still listed as the preferred release with 6.0.8 listed as new.

Question is at what point should we upgrade to 6.1.x or 6.2.x?

Looking at the End-of-Life, it appears that 6.0.x is supported longer than 6.1.x, so we probably want to skip 6.1.x altogether being 6.0.x appears to be on a long-term support lifecycle.

What do you think?

I am guessing at some point we may want to jump to 6.2.x, but the current preferred is 6.2.2, which may be a bit early.

Would you just ride on 6.0.x for a bit longer and when it goes Preferred jump to 6.0.8 and ride the 6.0.8 wagon a bit longer?

https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary#globalprotect

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304

I currently have no issues with the fleet on 6.1.3. Was testing 6.2.2 but have weird slow downs, so that’s off the table for me.

I can see why upgrading might be appealing but I’d be asking myself a few things first:

1 - does the newer version have something I want/need?

2 - is the version I’m on no longer supported?

3 - is the version I’m on unstable?

4 - is the version I’m on carrying some kind of bug or vulnerability I need to mitigate?

Unless you answered “Yes” to one or more of these, just stay as you are. You could be introducing a problem if you’re just upgrading for the sake of it.

Check the PANW known problems list for the version you’re on to check out question 4.
Hope this helps.

600~ users here running 6.1.2 with no issues. Always on config connected to Prisma access.

I am looking at same issues. My users would love the extend time and disconnect prompts which requires I get up to 6.1 or 6.2.

I had been planning on going to the 6.1, then assume I am making another jump before it EOLs but now I am also second guessing and considering just moving to 6.0.7.

Currently no issues with 6.1.3. We’re waiting for a 6.2.3 release, hopefully in the next few weeks/months.

6.2.3 is a dud for me, stays “connecting” and upgrades sometimes don’t even happen. Weird.

I was thinking the same as you late last year. We went with 6.0.8 at the start of the year and haven’t had issues (with ~1,500 users). I suspect 6.0.7 is ‘Preferred’ due to Mac OS issue on 6.0.8, so went with 6.0.8 as we use Windows only for laptops.

I’m on 6.1.3 with no issues.

Some versions of PAN-OS require a minimum version of GP. In my case, I usually push an update every six months or so. Easy to do and easy to roll back for our limited users - about 30 or so.

6.2.2 with AO-VPN. No issues

FYI that GlobalProtect 6.2.2 on macOS fixes a cosmetic bug where the Connections page in Settings shows a big blank instead of the connection information. (6.1.x is impacted. Don’t know about 6.0.x.)

Not a functional issue but makes diagnosing issues a lot harder when the user doesn’t conveniently have that information available.

6.2.2 no real issues.

We are still on 6.0.5, I really should upgrade us soon. We tend to transparently push out the updates but have had some issues with installing the new version and getting stuck in a loop, anyone else had issues? Very intermittent but enough to be noticeable

we want to start rolling out 6.0.8 next week. testing it with around 50 users was showing no bad feedback, however 6.0.8 is still not preferred… i thought it will be preferred until we start when we were planning the rollout…
we have around 4500 windows users using globalprotect - anyone using 6.0.8 and can provide feedback if it is stable in similar environment?

Only issues with 6.1.3 is that MacOS has issues with captive portal detection. Only really any issue if you force an always-on VPN with network restrictions. Outside of that sticking with 6.1.x for the foreseeable future.

That is very true. Many of my upgrades are chasing product life-cycles to be honest. For example I migrated from Cisco IOS-XE 17.3.x to 17.6.x because 17.3.x goes EOL. Chasing that will land me at 17.9.x before the end of this year for sure.

We have been on 6.0.7 since the Sunmer. It is rock-solid stable for us.

likewise. and its inconsistent af. about 20% of the machines i deployed to, so far. i have a case in with them.

We are on 6.0.7 and it is working great for everything right now.

Same here until - there is a vulnerability identified. CVE-2024-5908 GlobalProtect App: Encrypted Credential Exposure via Log Files (paloaltonetworks.com)