Upgrade prerequisites
This topic explains upgrade prerequisites for systems.
Before you start upgrading your ASMS system:
- Read through the Mandatory and Recommended Prerequisites below to determine that the system is ready for the upgrade
- Verify that your system nodes are available and connected as shown in the ASMS system architecture page
Tip: You can check your system's compliance with prerequisite requirements by running upgrade readiness checks prior to upgrading your system. First download build files to your system. See Download ASMS software packages. Then, in the algosec_conf menu, enter option 17 System health, and enter 3 Check upgrade readiness.
Mandatory upgrade prerequisites
The following prerequisites are required before upgrading.
Tip: If you have a distributed architecture, make sure that you have the required system specifications on all distributed nodes to prevent errors during upgrades.
The upgrade to version A33.00 is supported only from ASMS A32.60 (A32.60.300-142 or higher).
(Only for hotfix upgrades): Downtime will be required while all of the nodes in your system are upgraded. The downtime will differ depending on the number and types of nodes you have. Schedule your upgrade for a time when you can afford this downtime.
Tip: Start the upgrade process to view the runtime estimation. If you're not ready to continue, enter n at the relevant prompt.
Once ASMS begins to upgrade your system, CTRL+C is not supported. Upgrades cannot be aborted.
(Only for major version A33.00 upgrade): Downtime will be approximately 1/2 hour longer than for regular upgrades for a standalone machine, and up to 2 hours for complex environments. Once the upgrade starts, the system will be locked for user activity. During this time, expect SSH connectivity to be lost for over 10 minutes while the system updates.
10 GB of disk space is required per partition (OS and data) on all appliances:
- If less than 10 GB of disk space is found, the upgrade process aborts.
- If there is less than 15 GB of disk space found, the upgrade process presents a warning and enables you to choose whether to continue or not.
  To cancel and run the upgrade later, enter n at the confirmation prompt.
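The disk space rule above can be checked on every node ahead of the maintenance window. The following is an added example, not AlgoSec tooling: it applies the 10 GB and 15 GB thresholds to `df -Pk` output, and the mount points `/` and `/data` as well as the reading of 1 GB as 1024*1024 KB are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not AlgoSec tooling): apply the 10 GB / 15 GB free-space rule
# to `df -Pk` output. Assumption: 1 GB is counted as 1024*1024 KB.
ABORT_KB=$((10 * 1024 * 1024))   # below this the upgrade aborts
WARN_KB=$((15 * 1024 * 1024))    # below this the upgrade asks for confirmation

# preflight: reads `df -Pk` output on stdin and prints "<mount> <free GB> <status>"
# per filesystem. Returns 2 if any filesystem would abort the upgrade,
# 1 if any would only trigger the warning, 0 otherwise.
preflight() {
  local report
  report=$(awk -v abort="$ABORT_KB" -v warn="$WARN_KB" 'NR > 1 {
    status = ($4 < abort) ? "ABORT" : (($4 < warn) ? "WARN" : "OK")
    printf "%s %.1f %s\n", $6, $4 / 1048576, status
  }')
  printf '%s\n' "$report"
  case "$report" in
    *ABORT*) return 2 ;;
    *WARN*)  return 1 ;;
  esac
  return 0
}

# sample_df: constructed `df -Pk` output used only for this demonstration.
sample_df() {
  cat <<'EOF'
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda2 52428800 44040192 8388608 84% /
/dev/sdb1 209715200 196083712 13631488 94% /data
/dev/sdc1 104857600 10485760 94371840 10% /backup
EOF
}

sample_df | preflight || echo "preflight status $?: free space before upgrading"
# On a node (mount points are an assumption): df -Pk / /data | preflight
```
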
If you have ASMS deployed on virtual machines, generate a fresh backup and cold snapshot before upgrading. For physical machines, download and save a copy of a new installation package for a repurposed AlgoSec hardware appliance of the existing version you are on. Save it to a safe location. For more details, see Backup/Restore and Install ASMS on a repurposed AlgoSec hardware appliance.
Recommended upgrade prerequisites
The following prerequisites are not mandatory, but are recommended:
Upgrading VisualFlow overwrites any un‐applied workflow drafts, and discards all un‐applied changes.
If you have un‐applied workflow changes in VisualFlow, we recommend that you apply them before upgrading so that you don't lose any work.
Important: If you are upgrading AFA on HA clusters, and also have FireFlow configured, we highly recommend that you upgrade FireFlow as well.
This is not required for DR clusters.
We recommend that you ensure that all services are running before you perform the upgrade.
To check services:
- Go to the algosec_conf menu and select option 17 - System health. Select option 1 - Services status. For details, see Test ASMS processes.
If services are down, contact AlgoSec customer support to start them before continuing.
If your AFA is currently using a customized brand_config.xml in /home/afa/.fa/plugins/BRAND, we recommend you contact AlgoSec support before updating your ASMS to verify that all updates will be implemented. See AlgoPedia article.
Make sure to close Change Requests for Panorama devices that are in implement or validate stages before you upgrade. Otherwise, special handling will be required after the upgrade. See Existing open Change Requests for Panorama devices.
ASMS connects to AlgoSec SaaS services (ObjectFlow, AlgoSec Cloud and AppViz) through an HTTP tunnel. Ensure proper HTTP tunnel connectivity in advance of the upgrade by making sure that traffic is allowed through port 8082 to Kafka host IPs in your host region. See AlgoSec Cloud Kafka Hosts, ObjectFlow Kafka Hosts, AppViz Kafka Hosts.
If you have a problem enabling port 8082, you can still upgrade your ASMS, but contact AlgoSec support.
By default, AppViz SaaS-version will be enabled upon upgrading to A33.00. This does not include data migration. Contact AlgoSec support before upgrading to A33.00.
The upcoming AlgoSec ASMS release A33.00 features a significant operating system upgrade from CentOS 7, which is reaching end of life, to Rocky Linux 8. This change includes a shift from Perl version 5.16 to 5.26.3.
Some of our customers have created FireFlow customizations which are code or scripts in Perl that enable FireFlow customized workflows, integrations with external systems, and customized email responses. These may block the upgrade to A33.00 if the code is not compatible with the Perl version used in A33.00.
If you are not already running the latest A32.60 build, upgrade to it now, referring to the instructions in the ASMS A32.60 tech docs. See Ensure compatibility of FireFlow customizations.
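To get an early view of how exposed your own Perl customizations are to the 5.16 to 5.26.3 change, the following added example (not AlgoSec tooling, and not the vendor's compatibility procedure) greps a directory of `.pl` and `.pm` files for five well-known Perl changes in that range. The rule names, the sample file and the directory passed to the scan are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not AlgoSec tooling): heuristic scan of Perl customizations
# for constructs whose behaviour changed between Perl 5.16 and 5.26.
#   DEFINED_AGGREGATE  defined(@a) / defined(%h) is a fatal error since 5.22
#   DOT_NOT_IN_INC     do/require "file.pl" relied on "." in @INC (removed in 5.26)
#   TMPNAM_REMOVED     POSIX::tmpnam() was removed in 5.26
#   CGI_NOT_IN_CORE    CGI.pm left the core distribution in 5.22
#   QW_AS_PARENS       "foreach my $x qw(...)" is a syntax error since 5.18

# scan_perl_compat DIR: prints "RULE file:line:source" for each hit in *.pl and
# *.pm files (comment-only lines skipped); returns 1 if anything was flagged.
scan_perl_compat() {
  local dir="$1" status=0 rule regex hits
  while read -r rule regex; do
    hits=$(grep -rnE --include='*.pl' --include='*.pm' -e "$regex" "$dir" |
           grep -vE '^[^:]+:[0-9]+:[[:space:]]*#') || continue
    status=1
    printf '%s\n' "$hits" | sed "s/^/$rule /"
  done <<'RULES'
DEFINED_AGGREGATE (^|[^[:alnum:]_])defined[[:space:]]*\(?[[:space:]]*[@%]
DOT_NOT_IN_INC (^|[^[:alnum:]_$>])(do|require)[[:space:]]+["'][^/.$"']
TMPNAM_REMOVED (^|[^[:alnum:]_])tmpnam([^[:alnum:]_]|$)
CGI_NOT_IN_CORE ^[[:space:]]*(use|require)[[:space:]]+CGI([^[:alnum:]_]|$)
QW_AS_PARENS (^|[^[:alnum:]_])for(each)?[[:space:]]+(my[[:space:]]+)?\$[[:alnum:]_]+[[:space:]]+qw
RULES
  return "$status"
}

# write_sample DIR: constructed customization used only to demonstrate the scan.
write_sample() {
  cat > "$1/sample_hook.pl" <<'EOF'
use CGI;
my @hosts = ('fw1', 'fw2');
if (defined(@hosts)) { print "have hosts\n"; }
do "helpers.pl";
do "./helpers.pl";   # explicit path: still works on 5.26
foreach my $h qw(fw1 fw2) { print "$h\n"; }
my $tmp = POSIX::tmpnam();
# if (defined(@old)) { }  commented out, ignored
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
scan_perl_compat "$demo_dir" || echo "Review the findings above before upgrading."
rm -rf "$demo_dir"
```

A clean scan is not proof of compatibility: compiling each file with `perl -c` under Perl 5.26 catches problems that pattern matching cannot.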