Upgrade Prisma Cloud

You can upgrade Prisma Cloud without losing any of your data or configurations. Upgrade Console first. After upgrading Console, upgrade your Defenders, and other Prisma Cloud components.
Before upgrading, check the Breaking changes section in the release notes to see if there are any special instructions or requirements.
Palo Alto Networks releases new versions of Prisma Cloud on a regular basis. When a new release is available, a banner is displayed at the top of Compute Console UI, with a link to trigger the upgrade process. Click the link to upgrade Console.
By default, Compute Console will upgrade all your Defenders for you. If you disable automatic Defender upgrades, you must manually upgrade them yourself. Log into Console and go to Manage > Defenders > Manage to see a list of all your deployed Defenders.

Overview of the upgrade process

First upgrade Console. Next, upgrade your Defenders. Finally, upgrade all other Prisma Cloud components, such as the Jenkins plugin. The upgrade process is vastly simplified when automatic Defender upgrades are enabled (they are enabled by default).
The steps in the upgrade process are:
  1. Upgrade Console.
  2. Upgrade all deployed Defenders.
    • If Defender auto-upgrade is enabled — Console will upgrade deployed Defenders for you. If Console fails to upgrade one or more Defenders, it displays a banner at the top of the UI. If you’ve created an alert for Defender health events, Console emits a message on the alert channel for any Defender it fails to upgrade. Manually upgrade any Defenders that Console could not auto-upgrade.
    • If Defender auto-upgrade is disabled — Manually upgrade all deployed Defenders.
  3. Validate that all deployed Defenders have been upgraded.
    1. Review deployed Defenders and DaemonSets under Manage > Defenders > Manage.
    2. Filter the Status column by Upgrade.
    3. If any Defenders have the Upgrade status, manually upgrade them.
  4. Manually upgrade all other Prisma Cloud Compute components, such as the Jenkins plugin, so that their versions exactly match Console’s version.

Version numbers of installed components

The currently installed version of Console is displayed in the bell menu.
The versions of your deployed Defenders are listed under Manage > Defenders > Manage.

Prisma Cloud Compute components

The versions of all deployed components should match exactly. To support the multi-step upgrade process, older versions of Prisma Cloud components can continue to interoperate with newer versions of Console in a limited way. Plan to upgrade all Prisma Cloud components as soon as possible.
After you upgrade Console, upgrade the following components:
  • Defenders. Console can automatically upgrade most Defender types for you. App-embedded Defenders and PCF Defenders (also known as Twistlock for Pivotal Platform) must be manually upgraded.
  • Jenkins plugin.
  • twistcli.

Version mismatches

Console interoperates with older components on a best-effort basis. When older components interact with Console, Console displays some indicators in the dashboard:
  • In Monitor > Events, any audits generated by older Defenders are marked with an out-of-date indicator. Links to the rules that triggered the audit are disabled (explanation follows).
  • In Monitor > Vulnerabilities and Monitor > Compliance, any scan reports generated by older components (Defender registry scanners, Jenkins plugins, twistcli) are marked with an out-of-date indicator.
Although older Defenders can interoperate with newer Consoles, their operation is restricted. Older Defenders fully protect your nodes using the policies and settings most recently cached before upgrading Console. They can emit audits to Console and local logs, including syslog. However, they cannot access any API endpoint other than the upgrade endpoint, and they cannot share any new data with Console. No new policies or settings can be pushed from Console to older Defenders. When Defender is in this state, its status is shown as 'Upgrade needed' in Manage > Defenders > Manage. To restore older Defenders to a fully operational state, upgrade them so that their versions match Console’s version.

Defender auto-upgrade support

Most Defender types can be auto-upgraded. A handful must still be manually upgraded. The following table summarizes the Defender types, and which ones can be auto-upgraded.
Defender type, with auto-upgrade support (Y/N):
  • Container Defender (auto-upgrade: Y), which includes:
    • Single Container Defenders
    • Cluster Container Defenders
      • DaemonSets (Kubernetes, OpenShift)
      • Swarm global service
      • DC/OS app
  • Serverless Defender (auto-upgrade: Y*, see Serverless Defender auto-protect)
  • App embedded Defender (auto-upgrade: N)
  • PCF Defender (auto-upgrade: N)
  • Host Defender (auto-upgrade: Y)
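The table above and the exact-match rule can be combined into a post-upgrade triage check. The following is an added example, not Palo Alto Networks code: the inventory fields (name, type, version, auto_upgrade_failed), the type labels and the version strings are constructed for illustration and are not Prisma Cloud API output.

```python
from collections import defaultdict

# Auto-upgrade support per component type, taken from the table above.
# Serverless is "Y*" there: it depends on Serverless Defender auto-protect.
# Jenkins plugin and twistcli are always upgraded manually.
AUTO_UPGRADE = {
    "container": True,
    "host": True,
    "serverless": True,
    "app-embedded": False,
    "pcf": False,
    "jenkins-plugin": False,
    "twistcli": False,
}


def plan_upgrade(console_version, components, auto_upgrade_enabled=True):
    """Bucket each component as 'current', 'auto' (Console upgrades it) or 'manual'."""
    plan = defaultdict(list)
    for comp in components:
        ctype = comp["type"]
        if ctype not in AUTO_UPGRADE:
            raise ValueError(f"unknown component type: {ctype!r}")
        if comp["version"].strip() == console_version.strip():
            bucket = "current"  # versions must match Console's exactly
        elif (auto_upgrade_enabled and AUTO_UPGRADE[ctype]
              and not comp.get("auto_upgrade_failed")):
            bucket = "auto"
        else:
            bucket = "manual"  # unsupported type, setting off, or Console's attempt failed
        plan[bucket].append(comp["name"])
    return dict(plan)


# Constructed sample inventory (hypothetical names and version strings).
CONSOLE_VERSION = "2.0.1"
INVENTORY = [
    {"name": "node-a", "type": "container", "version": "2.0.1"},
    {"name": "node-b", "type": "container", "version": "1.9.0"},
    {"name": "node-c", "type": "host", "version": "1.9.0", "auto_upgrade_failed": True},
    {"name": "fn-billing", "type": "serverless", "version": "1.9.0"},
    {"name": "checkout-app", "type": "app-embedded", "version": "1.9.0"},
    {"name": "ci-jenkins", "type": "jenkins-plugin", "version": "1.9.0"},
    {"name": "build-twistcli", "type": "twistcli", "version": "2.0.1"},
]

if __name__ == "__main__":
    for bucket, names in plan_upgrade(CONSOLE_VERSION, INVENTORY).items():
        print(f"{bucket:8} {', '.join(names)}")
```

Anything left in the manual bucket after Console has finished its auto-upgrade pass corresponds to the components you must upgrade yourself.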

Enabling Defender auto-upgrade

By default, Defender auto-upgrade is enabled. You can check and change the setting in Console.
  1. Open Prisma Cloud Compute Console.
  2. Go to Manage > Defenders > Manage.
  3. Click on Advanced Settings.
  4. Set Automatically upgrade Defenders to On or Off.
