Upgrade your system

This topic explains how to use the ASMS distributed system upgrade on single appliances, HA/DR clusters, and distributed systems.

Note: Before you start, review:

  • Upgrade prerequisites to ensure that your system complies with the upgrade prerequisites

  • ASMS Known Issues to ensure that you understand pre and post upgrade issues of devices relevant to your organization. You can search "upgrade", upgrade versions number, brand. (Requires AlgoSec portal account)

Tip: You can check your system's compliance with prerequisite requirements by running upgrade readiness checks prior to upgrading your system. First download build files to your system. See Download ASMS software packages. Then, in the algosec_conf menu, enter option 17 System health, and enter 3 Check upgrade readiness.

Perform an distributed ASMS upgrade

Distributed ASMS upgrades are supported for standalone hardware or VM appliances, HA/DR clusters, and distributed systems.

Warning: CTRL + C is not supported during the upgrade process, and upgrades cannot be aborted.

Make sure to reserve time for your system upgrade to complete. For more details, see Downtime requirements for upgrades.

Note: Traffic logs that are sent to ASMS during the upgrade procedure may be discarded.

Warning: Make sure before you upgrade that all machines are on the same day light savings time schedule (all should be on or all should be off).

Warning: If you use FireFlow, upgrade it to the same version as AFA. Login is blocked when versions of AFA and FireFlow do not match.

Do the following:

  1. Determine the builds that you need to upgrade, and download the relevant software packages from the AlgoSec portal. For details, see Download ASMS software packages.

  2. Access your appliance as user: root

    Note: If you are working on clusters or distributed nodes, access the primary node on the master / Central Manager appliance.

    The upgrade is performed across all nodes in the entire system, starting with the Central Manager.

  3. Copy the downloaded software packages to the following directory: /root/AlgoSec_Upgrade/

  4. Optional/Recommended: In addition, copy the downloaded software packages to the /root/AlgoSec_Upgrade/ directory of remote agents and HA/DRs for which communication is slow. For details see Pre-provisioning of upgrade files on remote nodes.

  5. If you aren't already connected to the ASMS Administration interface (algosec_conf), connect now. For details, see Connect to and Utilize the Administration Interface.

  6. In the administration interface main menu, enter 8 to select Upgrade software.

    Note: The system checks your prerequisites to verify that your system is ready for the upgrade. If any of the prerequisite checks fail, relevant errors are displayed to notify you. In such cases, we recommend making changes so that your system complies with the prerequisite requirements, and then starting the upgrade process again.

    The system lists the available builds from the files you saved in step 3, and prompts you to select the build you want to install. For example:

    ************************************

    *** Software upgrade is starting ***

    ************************************

    Select an AlgoSec build to install:

    1. algosec-appliance-3200.0.0-529-el6.x86_64.run

    2. fa-3200.0.0-891.x86_64.run

    3. Run All

    Note: The option numbering may differ depending on your system configuration.

  7. Do one of the following:

    Run all installations together (recommended)

    Select the option to Run All.

    Note: The option to Run all does not appear at all if you have more than one build per packaged saved. In this case, to run all installations together, first remove the earlier builds.

    Run each installation separately

    Enter the line number for the build you want to install. When each upgrade is complete, start the process again to run the next installation. If you do this, install the builds in the following order:

    1. Appliance build
    2. AFA build
    3. FireFlow

    Note: ASMS user interface will not be available until all packages are installed, when FireFlow is enabled.

    The system displays details about the upgrade it is about to perform, and prompts you to approve.

    For example:

    The following AlgoSec packages are going to be upgraded:

    * algosec-appliance-3200.0.0-432-el6.x86_64 TO
    algosec-appliance-3200.0.0-529-el6.x86_64

    * fa-3200.0.0-890.x86_64 TO fa-3200.0.0-891.x86_64

    ********************

    *** Upgrade plan ***

    ********************

    Local node : 10.23.0.41

    Remote Agent nodes: 10.23.0.40

    Runtime Estimation: Up to 80 minutes

    Review the upgrade plan detailed above. Approve plan? (y/n):

  8. Prerequisite checks are run including a check for new reports that may need to be synced.

    Note: If errors are discovered, we recommend you stop now and follow the suggested steps. When done, run the upgrade again by going to the algosec_conf menu, and run option 8 - upgrade software.

  9. If all checks pass, continue by entering y. The upgrade starts.

    If you are working on a distributed system, the upgrade first starts on the local node and then continues with the distributed nodes. The system displays confirmation details as the downloaded packages are copied to the distribution nodes and installed.

    When the upgrade is complete, any clusters are resumed if relevant, and the following message appears:

    *** Software upgrade finished successfully ***

  10. In case of a kernel upgrade on an appliance build, the system also prompts you to reboot. Reboot your system as prompted.  

    Warning: Not rebooting at this stage leaves you with a legacy kernel, which may present security issues.

  1. Login to ASMS. On the DASHBOARD tab, click AlgoSec Reporting Tool. If the link is active and you can open ART, then ART was successfully upgraded. If not, contact AlgoSec support (they will ask you to send them the installation log /var/log/fa-install.log.

External syslog

Note: Java 11 is mandatory for your log collection functionality on your external syslog server in A32.50. In addition, we recommend that your external syslog is running on CentOS 7.

See Upgrade external syslog server to Java 11 and Option 1: To replace an existing external syslog in ASMS.