After upgrading your system

After upgrading to A32.60 or to a hotfix version of the build, follow the steps in this topic before running your ASMS system.

Check upgrade success

To make sure that the upgrade to A32.60 was successful, perform system sanity checks.

Do the following:

  1. In the algosec_conf main menu, select 17 System health.

  2. Select 1: Check services status to check that basic ASMS processes are running on your machines.

  3. Select 2: Check system health and run a Full check.

Run all firewalls

Run a manual analysis to create an unscheduled report on all individual devices, groups, and matrices defined in AFA. See Run a manual AFA analysis.

SSO integration (if applicable)

If you used custom UID parsers (in pre-existing SSO environments), you may need additional adjustments to your local code. See Configure a customized UID parser.

Existing open Change Requests for Panorama devices

If you did not close Change Requests for Panorama devices before the upgrade (see Close any open Change Requests for Panorama devices), note the following:

  • For each Change Request in the Implement stage: Recalculate the work order.

  • For Change Requests in the Validate stage: Since the Change Request from before the upgrade doesn't have a URL Category field but the matched rule does, if you recalculate the validation after the upgrade, the recommended compatibility check will incorrectly show a failure in the Destination/URL Category column.

For Check Point R80 devices R80.30 and lower: configure SFTP

For an R80 device version R80.30 and lower, enable SFTP on the device. To enable SFTP, see Check Point SecureKnowledge article sk82281.

For Azure Subscriptions

Note: In A32.60, to see Azure topology in the ASMS map (used for Traffic Simulation Queries and FireFlow automation), you must onboard the Azure Subscription in both ASMS and AlgoSec Cloud.

Do the following:

Case Do this
If you already have all your Azure subscription(s) onboarded to both AlgoSec Cloud and ASMS
  1. Offboard AlgoSec SaaS. Follow instructions here.

  2. Reconnect AlgoSec Cloud to ASMS. Follow instructions here.

  3. Make sure to add the Azure permission in AlgoSec Cloud: Microsoft.Network/virtualHubs/effectiveRoutes/action. See here.

If you have AlgoSec Cloud, but don't have all your Azure subscriptions onboarded to both AlgoSec Cloud and ASMS
  1. Offboard AlgoSec SaaS. See instructions here.

  2. Reconnect AlgoSec Cloud to ASMS. See instructions here.

  3. Make sure all your Azure subscriptions are onboarded to ASMS, if required. See instructions here.

  4. Make sure all your Azure subscriptions are onboarded to AlgoSec Cloud, if required. See instructions here.

  5. Make sure to add the Azure permission in AlgoSec Cloud: Microsoft.Network/virtualHubs/effectiveRoutes/action. See here.

If you don't have AlgoSec Cloud connected to ASMS
  1. Connect your AlgoSec Cloud tenant to ASMS. See ASMS integration to SaaS services.

  2. Make sure all your Azure subscriptions are onboarded to ASMS, if required. See instructions here.

  3. Make sure all your Azure subscriptions are onboarded to AlgoSec Cloud, if required. See instructions here.

  4. Make sure to add the Azure permission in AlgoSec Cloud: Microsoft.Network/virtualHubs/effectiveRoutes/action. See here.

Ensure compatibility of FireFlow customizations

The upcoming AlgoSec ASMS release A33.00 features a significant operating system upgrade from CentOS 7, which is reaching end of life, to Rocky Linux 8. This change includes a shift from Perl version 5.16 to 5.26.3.

Some of our customers have created FireFlow customizations which are code or scripts in Perl that enable FireFlow customized workflows, integrations with external systems, and customized email responses. These may block the upgrade to A33.00 if the code is not compatible with the Perl version used in A33.00.

To ensure a smooth transition and maintain functionality of your FireFlow customizations in A33.00, it may be necessary to make some adjustments. To assist you in this process, we are introducing the Compatibility Check Tool that runs automatically as part of the latest hotfix build (A32.60 Build A32.60.300-142 (released May 21, 2024) and above). This tool is designed to efficiently identify and help you address potential Perl-related compatibility issues with your FireFlow customizations in advance of the release of A33.00.

Tip: If you received this message at the end of the upgrade to the latest HF build:

Compatibility issues were found in customization scripts on ip <node_ip> that will impact upgrade to ASMS version A33.00.
These issues have no impact on A32.60 but must be fixed before upgrading to A33.00.

This indicates that your customizations will need to be modified prior to upgrading to ASMS A33.00, to ensure that your custom solutions remain functional and optimized for the updated operating environment.

Following the upgrade to the latest HF build, you can see details of the FireFlow customizations compatibility issues in /home/afa/customizations_check/check-perl-syntax.log.

Do the following:

  1. After upgrading to the latest A32.60 Hotfix (HF), you can find a log file named check-perl-syntax.log located at /home/afa/customizations_check/check-perl-syntax.log. This file details any compatibility issues detected with your FireFlow customizations. By reviewing this log file, you can identify potential compatibility issues with your FireFlow customizations before upgrading to ASMS A33.00.

    The log file is easy to follow:

  2. Update AlgoSec with your current FireFlow compatibility status by filling out this ASMS A33.00 FireFlow Customizations Compatibility Questionnaire. AlgoSec Technical Services will update customizations.

  3. When compatibility issues are found, ensure you have backups and your current configurations are documented.
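
To illustrate the kind of issue the Perl 5.16 to 5.26.3 change introduces, here is an added example; it is not AlgoSec's Compatibility Check Tool and does not reproduce its log format. It greps Perl customization scripts for a few constructs that Perl's own release notes document as broken between 5.18 and 5.26. The directory argument and the file name hook.pl are placeholders, since this page does not say where customizations are stored.

```sh
#!/bin/sh
# Added example, not AlgoSec's tool: heuristic scan for constructs that run on
# Perl 5.16 but break by 5.26. A hit is a lead to review by hand, not proof of
# a defect; the directory to scan is a placeholder supplied by the operator.

# One check per line, "label :: extended regex"; each is a documented Perl change.
perl526_checks() { cat <<'EOF'
defined(@array)/defined(%hash), fatal since 5.22 :: defined[[:space:]]*\(?[[:space:]]*[@%][A-Za-z_]
qw() used as loop parentheses, syntax error since 5.18 :: (for|foreach)[[:space:]]+(my[[:space:]]+)?\$[A-Za-z_]+[[:space:]]+qw[[:space:]]*[^[:alnum:][:space:]]
lexical $_ (my $_), removed in 5.24 :: my[[:space:]]+\$_[[:space:]]*[;=()]
POSIX::tmpnam, removed in 5.26 :: (^|[^A-Za-z0-9_])tmpnam([^A-Za-z0-9_]|$)
require/do of a relative file, "." left @INC in 5.26 :: (require|do)[[:space:]]+["'][^./"'][^"']*\.p[lm]["']
CGI.pm, left core in 5.22 so needs its own package :: use[[:space:]]+CGI([[:space:];]|::)
EOF
}

# Print "file:line: label" for every hit under DIR; comment-only lines are skipped.
scan_perl_customizations() {
  dir=$1
  find "$dir" -type f \( -name '*.pl' -o -name '*.pm' \) | sort | while IFS= read -r f; do
    perl526_checks | while IFS= read -r check; do
      label=${check%% :: *}; re=${check#* :: }
      grep -nE -e "$re" "$f" | grep -vE '^[0-9]+:[[:space:]]*#' |
        while IFS=: read -r n rest; do echo "$f:$n: $label"; done
    done
  done
}

# Constructed sample customization, used only to exercise the scanner.
write_sample() {
  cat > "$1/hook.pl" <<'EOF'
use CGI;
require "helpers.pl";
my @ids = (1, 2);
if (defined(@ids)) { print "ok\n" }
for my $id qw(a b) { print $id }
# defined(@ids) in a comment is ignored
my $tmp = POSIX::tmpnam();
EOF
}

# With a directory argument, scan it; with none, scan the constructed sample.
if [ $# -gt 0 ]; then scan_perl_customizations "$1"
else d=$(mktemp -d); write_sample "$d"; scan_perl_customizations "$d"; rm -rf "$d"
fi
```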