Prisma Access Browser Update Mechanics
Focus
Focus
Prisma Access Browser

Prisma Access Browser Update Mechanics

Table of Contents

Prisma Access Browser Update Mechanics

Learn about the Prisma Access Browser update mechanics.
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role

Online Installer

The online installer is a stub that fetches the latest version of the Prisma Access Browser and installs it.
The online installer always fetches the latest version of the browser and will install updates based on the “Deployments” settings in the policy manager under “Browser Customizations.” Upgrade requirements and scheduling can be configured for Users and User Groups by making policy adjustments.
The installers are available here:
MSI
The MSI installer uses the standard Microsoft Windows switches for silent installation.
EXE
The exe installer uses the following switches for silent installation: /silent /install
MAC

Offline Installer

Windows
Browser version 125.76.2791.7 and prior
For Windows systems, the offline installer contains all the bits required for the release, but does not contain the update service required for full browser upgrades. This version does, however, update the engine at regular intervals. You need to maintain the version installed on your endpoints using the appropriate management tools. Versions over 60-days old are not supported. For more information, please refer to the End-of-Life policy.
After version 125.76.2791.7
For Windows systems, the offline installer contains all the bits required for the release corresponding to its version number. Using the MSI switches described below, you can enable installation of the browser update service. The installation will install the version of the browser marked by the file version number. If an older installation is used, the browser will update itself after the user logs in and will use the update policy that you configured in the Management console. Versions over 60-days old are not supported. For more information, please refer to the End-of-Life policy.
MSI options
Msiexec /i <path-to-msi> WITH_UPDATED=true (default is false) PIN_BROWSER_VERSION=true (default is false)
RSS Feed
MACOn mac devices, the offline installer is a universal installer with all the current bits of the browser and the latest engine.
RSS Feed

Engine Updates

All versions of the browser will update the engine component. This is required for browser functionality and to get the latest updates, fixes, and policies.

Browser

MAC
macOS browser updates are generated within the user context (not a separate updater). Updates will only occur when the Browser is open.
WINDOWS
Windows installations (with autoupdate), install both the Browser and an updater service agent. This agent runs separately from the Browser and is triggered by a System Scheduled Task.
When a machine is running, even without a user logged in, the scheduled task will make periodic update attempts to check if an update exists. If the check is successful, it will download a Browser update that will be applied on the next Browser start/restart. The amount of time the user can delay the update and the update schedule window are configurable via a Browser Customization policy in the management console.
When the user accesses the “About” page, the update service will manually attempt to perform an update. In this case, the Browser polls the update service (COM Server) and reports to the user if an update is available to install. A user can't force an update that is beyond the version configured by the currently applied policy.
For managed deployments, the MSI deployment should happen at a system level, therefore proxies available to system-level processes will be used. It's possible that a download mitigation action will occur if system-level traffic is blocked. Validate nominal updates or create an exception for the browser with this enabled.
Offline installers can be provided for exact versions of the browser and are posted in the RSS feed listed above.
  1. The Browser will poll for new updates every few hours.
  2. The Browser will connect to: https://updates.talon-sec.com
  3. Full Browser updates contain the latest engine within it.
  4. If a policy is available (and the user has logged in), The Browser will install updates based on the policy (if configured)
  5. If a policy isn't updated (either because the user has not logged in or the user had not logged in recently and the policy is stale), the service will update the browser to the version that is in written in the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Palo Alto Networks\PrismaAccessBrowserPolicies]
"TargetVersionPrefix{DFEF2477-4F0E-454B-BC0D-03CE61074E4C}"="1.1.1.1"
  1. New browser updates are a full install, which is approximately ~128 mb unpacked.