1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Upgrade
    6. Upgrade enforcers
    7. Linux enforcers

    Linux enforcers

    About upgrading Linux enforcers

    This section describes how to upgrade Linux enforcers:
    • : with just a few clicks you can upgrade one or more enforcers
    • : from a local or jump host with SSH access to the target hosts
    • : allowing integration with the tool of your choice to automate the procedure (Ansible, Chef, Puppet, etcetera)
    If the upgrade fails, the enforcer rolls back automatically to the previous version.
    While the enforcer reboots to complete the upgrade, it ceases to enforce your network rulesets. We recommend configuring the existing Linux firewall on the host to take over while the enforcer reboots to ensure protection.

    From the web interface

    1. Open the Microsegmentation Console web interface, select
      Enforcers
       under
      Manage
      , and navigate to the namespace of the enforcers you wish to upgrade.
    2. Upgradeable enforcers have a chevron icon.
    3. Expand to review the enforcer’s metadata, especially its current version number and the version it will be upgraded to by default.
    4. Either click the chevron of the enforcer you wish to upgrade, or toggle the
      Multiselect
       button to select more than one enforcer as shown below.
    5. After clicking
      Upgrade enforcer
      , select the version number that you wish to upgrade your enforcer(s) to from the
      Upgrade to version
       list box. You can also manually specify the version you want to upgrade the enforcer to by selecting
      Custom Version
      .
      If you have more than one enforcer version to select from, the older version represents the default enforcer version set on the namespace. Refer to Setting a default enforcer version for more information.
    6. Once you have specified the version to upgrade the enforcer to, confirm that the enforcers all have the status
      Connected
      .
      Upgrades require a connection to the Microsegmentation Console.
    7. Click
      Upgrade enforcers
      .
    8. Once the enforcers have upgraded, the
      Last Migration Date
       should display the current date, indicating a successful upgrade.
      If the upgrade fails, expand
      Monitor
       and select
      Logs
      . Check for error upgrade failed or rollback messages.

    Using apoctl

    1. Access a jump or local host equipped with the following.
    2. Construct an apoctl enforcer upgrade command as discussed below.
      You can select the enforcer to upgrade by ID, namespace, or by the their Microsegmentation tags.
      Enforcer ID example
      apoctl enforcer upgrade 60a2a262a3da00000131142e \
                        --target-version latest \
                        --confirm
      Namespace example
      apoctl enforcer upgrade --target-version latest \
                        --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
                        --confirm
      Tag selector example
      apoctl enforcer upgrade --target-version latest \
                        --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
                        --selector '[["@org:group=local","platform=ubuntu"],["@os:host=linux"]]' \
                        --confirm
      Syntax
      apoctl enforcer upgrade <ENFORCER_ID> \
                        --target-version latest|namespace|<semantic-verno> \
                        --namespace $TARGET_NS \
                        --recursive \
                        --selector '[["<tag1>","<tag2"],["<tag3"]]' \
                        --confirm
    3. The enforcer’s status should flip to disconnected and migration running, then back to connected.
      Review the details of the enforcer and confirm that today’s date is shown under Last migration date.

    Manually

    The following procedure upgrades the enforcer to the latest version, or to the default enforcer version, if configured. To upgrade the enforcer to a different version, open the /var/lib/prisma-enforcer/prisma-enforcer.conf file for editing and specify the version you want to upgrade to as the value of CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION. The version you specify must be available in your Microsegmentation Console. You can use `curl -sSL $TUF_URL/targets.json | jq -r '.signed.targets | to_entries[] | select(.key|startswith("enforcerd/stable")) | .value.custom.version ' ` to check what versions you have available.
    1. Access the target host, such as by establishing an SSH session.
      ssh -i "private-key.pem" ubuntu@ec2-36-200-154-69.us-west-2.compute.amazonaws.com
    2. Stop the enforcer service.
      systemd
      sudo systemctl stop prisma-enforcer
sudo systemctl status prisma-enforcer
      upstart
      sudo stop prisma-enforcer
sudo status prisma-enforcer
      initd
      sudo /etc/init.d/prisma-enforcer stop
sudo /etc/init.d/prisma-enforcer status
    3. Delete the existing enforcer.
      sudo ls /var/lib/prisma-enforcer/downloads
sudo rm -rf /var/lib/prisma-enforcer/downloads/enforcerd
sudo ls /var/lib/prisma-enforcer/downloads
    4. Start the enforcer service.
      systemd
      sudo systemctl start prisma-enforcer
sudo systemctl status prisma-enforcer
      upstart
      sudo start prisma-enforcer
sudo status prisma-enforcer
      initd
      sudo /etc/init.d/prisma-enforcer start
sudo /etc/init.d/prisma-enforcer status
    5. Open the Microsegmentation Console web interface, select
      Enforcers
       under
      Manage
      , and navigate to the namespace of the enforcer.
    6. Confirm that the
      Last Migration Date
       displays the current date, indicating a successful upgrade.
      If the upgrade fails, expand
      Monitor
       and select
      Logs
      . Check for error upgrade failed or rollback messages.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo