Linux enforcers
About upgrading Linux enforcers
This section describes how to upgrade Linux enforcers:
- From the web interface: with just a few clicks you can upgrade one or more enforcers
- Using apoctl: from a local or jump host with SSH access to the target hosts
- Manually: allowing integration with the tool of your choice to automate the procedure (Ansible, Chef, Puppet, etcetera)
If the upgrade fails, the enforcer rolls back automatically to the previous version.
While the enforcer reboots to complete the upgrade, it ceases to enforce your network rulesets.
We recommend configuring the existing Linux firewall on the host to take over while the enforcer reboots to ensure protection.
From the web interface
- Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the namespace of the enforcers you wish to upgrade.
- Upgradeable enforcers have a chevron icon.
- Expand to review the enforcer's metadata, especially its current version number and the version it will be upgraded to by default.
- Either click the chevron of the enforcer you wish to upgrade, or toggle the Multiselect button to select more than one enforcer as shown below.
- After clicking Upgrade enforcer, select the version number that you wish to upgrade your enforcer(s) to from the Upgrade to version list box. You can also manually specify the version you want to upgrade the enforcer to by selecting Custom Version. If you have more than one enforcer version to select from, the older version represents the default enforcer version set on the namespace. Refer to Setting a default enforcer version for more information.
- Once you have specified the version to upgrade the enforcer to, confirm that the enforcers all have the status Connected. Upgrades require a connection to the Microsegmentation Console.
- Click Upgrade enforcers.
- Once the enforcers have upgraded, the Last Migration Date should display the current date, indicating a successful upgrade. If the upgrade fails, expand Monitor and select Logs. Check for "error upgrade failed" or "rollback" messages.
Using apoctl
- Access a jump or local host equipped with the following.
  - namespace.administrator privileges in the Microsegmentation namespace of the enforcer(s)
  - SSH access to the enforcer host(s)
  - A user account on the enforcer host(s) that can sudo to gain root privileges without entering a password
- Construct an apoctl enforcer upgrade command as discussed below. You can select the enforcers to upgrade by ID, by namespace, or by their Microsegmentation tags.

  Enforcer ID example

  ```
  apoctl enforcer upgrade 60a2a262a3da00000131142e \
    --target-version latest \
    --confirm
  ```

  Namespace example

  ```
  apoctl enforcer upgrade --target-version latest \
    --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
    --confirm
  ```

  Tag selector example

  ```
  apoctl enforcer upgrade --target-version latest \
    --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
    --selector '[["@org:group=local","platform=ubuntu"],["@os:host=linux"]]' \
    --confirm
  ```

  Syntax

  ```
  apoctl enforcer upgrade <ENFORCER_ID> \
    --target-version latest|namespace|<semantic-verno> \
    --namespace $TARGET_NS \
    --recursive \
    --selector '[["<tag1>","<tag2>"],["<tag3>"]]' \
    --confirm
  ```
- The --recursive flag upgrades enforcers in the current namespace and all of its children namespaces.
- Specifying --target-version namespace instructs apoctl to upgrade the enforcers to the default enforcer version of their namespace.
- Run apoctl enforcer upgrade -h to learn more about the options.
- Review the details of the enforcer and confirm that today's date is shown under Last migration date.

Manually

The following procedure upgrades the enforcer to the latest version, or to the default enforcer version, if configured. To upgrade the enforcer to a different version, open the /var/lib/prisma-enforcer/prisma-enforcer.conf file for editing and specify the version you want to upgrade to as the value of CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION. The version you specify must be available in your Microsegmentation Console. You can use the following command to check which versions are available:

```
curl -sSL $TUF_URL/targets.json | jq -r '.signed.targets | to_entries[] | select(.key|startswith("enforcerd/stable")) | .value.custom.version'
```

- Access the target host, such as by establishing an SSH session.

  ```
  ssh -i "private-key.pem" ubuntu@ec2-36-200-154-69.us-west-2.compute.amazonaws.com
  ```

- Stop the enforcer service.

  systemd

  ```
  sudo systemctl stop prisma-enforcer
  sudo systemctl status prisma-enforcer
  ```

  upstart

  ```
  sudo stop prisma-enforcer
  sudo status prisma-enforcer
  ```

  initd

  ```
  sudo /etc/init.d/prisma-enforcer stop
  sudo /etc/init.d/prisma-enforcer status
  ```

- Delete the existing enforcer.

  ```
  sudo ls /var/lib/prisma-enforcer/downloads
  sudo rm -rf /var/lib/prisma-enforcer/downloads/enforcerd
  sudo ls /var/lib/prisma-enforcer/downloads
  ```

- Start the enforcer service.

  systemd

  ```
  sudo systemctl start prisma-enforcer
  sudo systemctl status prisma-enforcer
  ```

  upstart

  ```
  sudo start prisma-enforcer
  sudo status prisma-enforcer
  ```

  initd

  ```
  sudo /etc/init.d/prisma-enforcer start
  sudo /etc/init.d/prisma-enforcer status
  ```

- Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the namespace of the enforcer.
- Confirm that the Last Migration Date displays the current date, indicating a successful upgrade. If the upgrade fails, expand Monitor and select Logs. Check for "error upgrade failed" or "rollback" messages.
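The manual procedure above only works if the version written to CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION is actually published in the TUF metadata; otherwise the enforcer restarts, fails the upgrade and rolls back. The following preflight script is an added example (not part of the product documentation or the apoctl tool): it applies the same selection as the documented jq filter to a constructed targets.json, refuses a version that is not published on the enforcerd/stable channel, and only then renders the updated configuration. Two assumptions are not stated on the page: that targets.json has the shape implied by the jq filter (.signed.targets, with .custom.version on each entry), and that prisma-enforcer.conf is a plain KEY=VALUE file. The sample versions and hashes below are made up for the example.

```python
"""Preflight for a manual enforcer upgrade: check that the requested version
is published before editing prisma-enforcer.conf and restarting the service.

Added example, not vendor code. Assumptions: targets.json is shaped like the
documented jq filter implies; the conf file is KEY=VALUE, one per line.
"""
import json
import re

CONF_KEY = "CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION"  # key named on the page
STABLE_CHANNEL = "enforcerd/stable"                    # prefix used by the jq filter

# Constructed sample of a TUF targets.json; versions and hashes are made up.
SAMPLE_TARGETS_JSON = json.dumps({
    "signed": {
        "targets": {
            "enforcerd/stable/1.1350.1/enforcerd": {
                "length": 1, "hashes": {"sha256": "00"},
                "custom": {"version": "1.1350.1"},
            },
            "enforcerd/stable/1.1351.3/enforcerd": {
                "length": 1, "hashes": {"sha256": "00"},
                "custom": {"version": "1.1351.3"},
            },
            # Not on the stable channel, so it must not be offered.
            "enforcerd/beta/1.1352.0/enforcerd": {
                "length": 1, "hashes": {"sha256": "00"},
                "custom": {"version": "1.1352.0"},
            },
        }
    }
})


def available_versions(targets_json: str, channel: str = STABLE_CHANNEL) -> list:
    """Same selection as the documented jq filter: the custom.version of every
    target whose key starts with the channel prefix, sorted numerically."""
    targets = json.loads(targets_json)["signed"]["targets"]
    versions = {
        meta["custom"]["version"]
        for key, meta in targets.items()
        if key.startswith(channel) and "custom" in meta
    }
    return sorted(versions, key=lambda v: tuple(int(x) for x in v.split(".")))


def set_conf_value(conf_text: str, key: str, value: str) -> str:
    """Return conf_text with exactly one active KEY=value line: an existing
    assignment (even a commented-out one) is replaced, otherwise it is appended."""
    pattern = re.compile(rf"^#?[ \t]*{re.escape(key)}=.*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(conf_text):
        return pattern.sub(line, conf_text, count=1)
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + line + "\n"


def prepare_upgrade(targets_json: str, conf_text: str, requested: str) -> str:
    """Fail closed: raise ValueError unless the requested version is published
    on the stable channel; otherwise return the updated conf file content."""
    published = available_versions(targets_json)
    if requested not in published:
        raise ValueError(
            f"{requested} is not published on {STABLE_CHANNEL}; available: {published}"
        )
    return set_conf_value(conf_text, CONF_KEY, requested)


if __name__ == "__main__":
    # In production, read targets.json from $TUF_URL and the conf from
    # /var/lib/prisma-enforcer/prisma-enforcer.conf; here both are in-memory.
    current_conf = "# enforcer settings\n" + CONF_KEY + "=1.1350.1\n"
    print("published:", available_versions(SAMPLE_TARGETS_JSON))
    print(prepare_upgrade(SAMPLE_TARGETS_JSON, current_conf, "1.1351.3"), end="")
```

Run the check before stopping the service; if it raises, nothing has been changed on the host, and the enforcer keeps enforcing with its current version.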