Upgrade prerequisites
This topic explains upgrade prerequisites for systems.
Before you start upgrading your ASMS system:
- Read through the Mandatory and Recommended Prerequisites below to determine that the system is ready for the upgrade
- Verify that your system nodes are available and connected as shown in the ASMS system architecture page
Tip: You can check your system's compliance with prerequisite requirements by running upgrade readiness checks prior to upgrading your system. First download build files to your system. See Download ASMS software packages. Then, in the algosec_conf menu, enter option 17 System health, and enter 3 Check upgrade readiness.
Mandatory upgrade prerequisites
The following prerequisites are required before upgrading.
Tip: If you have a distributed architecture, make sure that you have the required system specifications on all distributed nodes to prevent errors during upgrades.
AlgoSec's upgrade process to A32.60 is supported only from A32.20 and A32.50.
If you have an ASMS version running CentOS 6, you must first perform any upgrades required to get to A32.00. For details, see the upgrade procedure in the Installation and Setup Guide for A32.00.
System optimizations in version A32.60 require additional CPU and memory specifications.
Communication between the Central Manager (CM) and Load Distribution Units (LDUs) and between LDUs and LDUs is now encrypted in A32.60 and utilizes ports TCP/9001--9010 (in addition to port TCP/5701).
This is applicable for up to 5 LDUs. Each LDU establishes connections with the CM and the other LDUs. If you have a requirement for more than 5 LDUs, contact support for further assistance. See Networking requirements and recommendations.
Downtime will be required while all of the servers in your system are upgraded. The downtime will differ depending on the number and types of servers you have. Schedule your upgrade at a time where you can afford this downtime.
Tip: Start the upgrade process to view the runtime estimation. If you're not ready to continue, enter n at the relevant prompt.
Once ASMS begins to upgrade your system, CTRL+C is not supported. Upgrades cannot be aborted.
10 GB of disk space is required per partition (OS and data) on all appliances:
-
If less than 10 GB of disk space is found, the upgrade process aborts.
-
If there is less than 15 GB of disk space found, the upgrade process presents a warning and enables you to choose whether to continue or not.
To cancel and run the upgrade later, enter n at the confirmation prompt.
Recommended upgrade prerequisites
The following prerequisites are not mandatory, but are recommended:
If you have ASMS deployed on virtual machines, we recommend generating a fresh backup before upgrading. This isn't relevant for physical appliances, as restoring or rolling back upgrades on physical appliances is not supported.
For more details, see Backup/Restore.
Upgrading VisualFlow overwrites any un‐applied workflow drafts, and discards all un‐applied changes.
If you have un‐applied workflow changes in VisualFlow, we recommend that you apply them before upgrading so that you don't lose any work.
Important: If you are upgrading AFA on HA clusters, and also have FireFlow configured, we highly recommend that you upgrade FireFlow as well.
This is not required for DR clusters.
We recommend that you ensure that all services are running before you perform the upgrade.
To check services:
-
Go to the algosec_conf menu and select option 17 - System health. Select option 1 - Services status. For details, see Test ASMS processes.
If services are down, contact AlgoSec customer support to start them before continuing.
If your AFA is currently using a customized brand_config.xml in /home/afa/.fa/plugins/BRAND, we recommend you contact AlgoSec support before updating your ASMS to verify that all updates will be implemented. See AlgoPedia article.
Make sure to close Change Requests for panorama devices that are in implement or validate stages before you upgrade. Otherwise, special handling will be required after the upgrade, see Existing open Change Requests for Panorama devices
ASMS connects to AlgoSec SaaS services (ObjectFlow, AlgoSec Cloud and AppViz) through HTTP tunnel. Ensure proper HTTP tunnel connectivity in advance of the upgrade by making sure that traffic is allowed through port 8082 to Kafka host IPs in your host region. See AlgoSec Cloud Kafka Hosts, ObjectFlow Kafka Hosts, AppViz Kafka Hosts.
If you have a problem enabling port 8082, you can still upgrade your ASMS, but contact AlgoSec support.
By default, AppViz SaaS-version will be enabled upon upgrading to A32.60. This does not include data migration. Contact AlgoSec support before upgrading to A32.60.
â See also: