Prisma Access Agent
Staged Rollouts of Prisma Access Agents
Use staged rollouts to upgrade Prisma Access Agents after the initial
deployment of the agents.
You can stagger the upgrade of Prisma Access Agents using a maintenance routine
called a staged rollout. Staged rollouts enable you to upgrade Prisma Access Agents sequentially on your end users' devices. Using staged rollouts, you can plan the Prisma Access Agent upgrades based on users, user groups, or operating
systems.
Staged rollouts can occur only after the initial deployment or installation of the Prisma Access Agent on your end users' devices.
You can stage the rollout of Prisma Access Agent upgrades by configuring upgrade rings, which consist of batches of end
users' devices that you want to upgrade in a specific order.
You can define up to five upgrade rings containing devices that match the criteria that
you set up. For each ring, you can define up to three matching criteria using these
attributes: username, user group, or operating system. The devices that meet the ring
criteria will be upgraded according to the order of the rings.
As a best practice, set up Ring 0 to limit the
upgrade to a small group of users to ensure that no issues exist before rolling out the
agent upgrades to the rest of your organization.
For example, you can define:
- Ring 0 to include a group of admin users
- Ring 1 to include all macOS users in North America
- Ring 2 to include all Windows users in North America
- Ring 3 to include all macOS users in Europe
- Ring 4 to include all Windows users in Europe
A default ring is available for those devices that missed their assigned rings. The
default ring is not configurable. If you modify the criteria for the other rings after
the staged rollout has begun, the changes will take effect in subsequent upgrade
rollouts.
What Happens During an Upgrade Rollout
When an upgrade is available from Palo Alto Networks, you're notified of the upcoming
rollout in Manage > Prisma Access Agent 72 hours in advance of the rollout. The upgrade rollout will begin
automatically at the preappointed time, and the end users' devices will be upgraded
according to the order of the rings they belong to. Any devices that are offline or
not reachable during the staged rollout are placed in the default ring. Likewise,
any new devices that connect to Prisma Access after the staged rollout has
completed are placed in the default ring. After Rings 0 to 4 have been upgraded,
the devices in the default ring will get upgraded in the order of their assigned
rings.
If you are notified of an upcoming agent upgrade and an active staged rollout is
still in progress, you must stop the rollout before the
new upgrade can be published by Palo Alto Networks.

During a ring upgrade, any device that belongs to the ring will be upgraded, provided
that it has basic local network connectivity, can connect to the service that
manages the agents, and can authenticate with the Prisma Access Agent manager. Each
ring will be active for 72 hours, after which the next ring will begin.
Devices that are in a disconnected state (with no tunnel connection established) can
be upgraded. Devices that are offline (not connected to the service that manages
agents) cannot be upgraded. When a device comes back online and if the rollout is
still active for the ring that the device belongs to, that device will be upgraded
as part of the ring. If the ring is no longer active, the device will be upgraded as
part of the default ring. This upgrade behavior applies to quarantined devices as
well.
After a ring has finished running, the next ring upgrade will begin. After all
upgrades have been completed in Rings 0 to 4, no more staged rollouts will occur in
those rings until a new upgrade is available. Any devices that missed a ring upgrade
or were onboarded after the ring upgrade has completed will be upgraded in the
default ring, in the order of their ring membership.
The following table shows the duration for each stage of the ring upgrade cycle:
Stage | Duration |
---|---|
Agent rollout notification period: Administrators are notified of an upcoming upgrade. The upgrade begins automatically at the end of the notification period. | 72 hours |
Active period for each ring: The runtime for each upgrade ring (Ring 0 to Ring 4). | 72 hours per ring |
Silence period: No staged rollout occurs until the next agent upgrade is available. Devices that missed the staged rollout are upgraded as part of the default ring. | Until the next upgrade is available from Palo Alto Networks |
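The timing rules above can be worked through as a planning calculation that shows how long an older agent version can remain on part of the fleet. This is an added example, not Palo Alto Networks code or a product API: it uses the 72-hour notification and 72-hour ring periods from the table, and assumes each device's ring is already known and that a device first reachable exactly when its ring ends has missed it. Device names and dates are constructed.

```python
from datetime import datetime, timedelta

NOTICE = timedelta(hours=72)       # notification period stated on the page
RING_ACTIVE = timedelta(hours=72)  # active period per ring stated on the page
MAX_RINGS = 5                      # Ring 0 to Ring 4


def ring_windows(notified_at, ring_count=MAX_RINGS):
    """Return [(start, end), ...] for Ring 0..ring_count-1, run back to back."""
    if not 1 <= ring_count <= MAX_RINGS:
        raise ValueError("the page allows up to five upgrade rings")
    start = notified_at + NOTICE
    return [(start + i * RING_ACTIVE, start + (i + 1) * RING_ACTIVE)
            for i in range(ring_count)]


def place_device(windows, ring, reachable_at):
    """Return 'ring N' if the device can reach the agent management service
    before its ring's active period ends, otherwise 'default'.
    reachable_at=None models a device that is offline for the whole rollout."""
    _, end = windows[ring]
    if reachable_at is not None and reachable_at < end:  # boundary: assumption
        return f"ring {ring}"
    return "default"


def default_ring_order(windows, devices):
    """Devices that missed their ring, in the order of their assigned rings."""
    missed = [d for d in devices
              if place_device(windows, d["ring"], d["reachable_at"]) == "default"]
    return [d["name"] for d in sorted(missed, key=lambda d: d["ring"])]


# Constructed sample data: hostnames, ring assignments and times are made up.
NOTIFIED = datetime(2025, 3, 3, 9, 0)
WINDOWS = ring_windows(NOTIFIED)
DEVICES = [
    {"name": "admin-mac", "ring": 0, "reachable_at": NOTIFIED},
    {"name": "eu-win-17", "ring": 4, "reachable_at": None},
    {"name": "na-mac-02", "ring": 1, "reachable_at": datetime(2025, 3, 10, 8, 0)},
    {"name": "na-win-09", "ring": 2, "reachable_at": datetime(2025, 3, 20, 8, 0)},
]

if __name__ == "__main__":
    for i, (start, end) in enumerate(WINDOWS):
        print(f"Ring {i}: {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M}")
    print("Default ring order:", default_ring_order(WINDOWS, DEVICES))
```

With all five rings configured, the last ring closes 18 days after the notification, so devices left for the default ring stay on the previous agent version for at least that long.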
If a failure occurs during a ring upgrade, you can stop the staged rollout of Prisma Access Agents to troubleshoot and
resolve any issues before starting the rollout again.