Linux enforcers

About upgrading Linux enforcers

This section describes three ways to upgrade Linux enforcers:
  • From the web interface: with just a few clicks you can upgrade one or more enforcers
  • Using apoctl: from a local or jump host with SSH access to the target hosts
  • Manually: allowing integration with the tool of your choice to automate the procedure (Ansible, Chef, Puppet, etc.)
If the upgrade fails, the enforcer rolls back automatically to the previous version.
While the enforcer reboots to complete the upgrade, it ceases to enforce your network rulesets. We recommend configuring the existing Linux firewall on the host to take over while the enforcer reboots to ensure protection.

From the web interface

  1. Open the Network Security section of the Prisma Cloud web interface, select Agent under Manage, and navigate to the namespace of the enforcers you wish to upgrade.
  2. Expand to review the enforcer’s metadata, especially its current version number and the version it will be upgraded to by default.
  3. Either click the chevron of the enforcer you wish to upgrade, or toggle the Multiselect button to select more than one enforcer as shown below.
  4. After clicking Upgrade enforcer, select the version number that you wish to upgrade your enforcer(s) to from the Upgrade to version list box. You can also manually specify the version you want to upgrade the enforcer to by selecting Custom Version.
    If you have more than one enforcer version to select from, the older version represents the default enforcer version set on the namespace. Refer to Setting a default enforcer version for more information.
  5. Once you have specified the version to upgrade the enforcer to, confirm that the enforcers all have the status Connected. Upgrades require a connection to the Microsegmentation Console.
  6. Click Upgrade enforcers.
  7. Once the enforcers have upgraded, the Last Migration Date should display the current date, indicating a successful upgrade.
    If the upgrade fails, expand Monitor and select Logs. Check for "upgrade failed" errors or rollback messages.

Using apoctl

  1. Access a jump or local host equipped with the following.
  2. Construct an apoctl enforcer upgrade command as discussed below. You can select the enforcers to upgrade by ID, by namespace, or by their Microsegmentation tags.
    Enforcer ID example
    apoctl enforcer upgrade 60a2a262a3da00000131142e \
      --target-version latest \
      --confirm
    Namespace example
    apoctl enforcer upgrade --target-version latest \
      --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
      --confirm
    Tag selector example
    apoctl enforcer upgrade --target-version latest \
      --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
      --selector '[["@org:group=local","platform=ubuntu"],["@os:host=linux"]]' \
      --confirm
    Syntax
    apoctl enforcer upgrade <ENFORCER_ID> \
      --target-version latest|namespace|<semantic-verno> \
      --namespace $TARGET_NS \
      --recursive \
      --selector '[["<tag1>","<tag2>"],["<tag3>"]]' \
      --confirm
  3. The enforcer’s status should flip to disconnected and migration running, then back to connected.
    Review the details of the enforcer and confirm that today’s date is shown under Last migration date.
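Before running an upgrade with --selector and --confirm, it helps to know which enforcers the selector will actually hit. The helper below is an added example (not part of the page or of apoctl) that evaluates a selector in the page's format against a constructed inventory; it assumes the usual tag-selector semantics in which the outer list is OR and each inner list is AND. The enforcer IDs other than the one on the page are constructed.

```python
import json

# Constructed inventory: enforcer ID -> tags, in the shape a practitioner would
# assemble from "apoctl" output. The first ID is the one the page uses; the others
# are made up for the example.
ENFORCERS = {
    "60a2a262a3da00000131142e": ["@org:group=local", "platform=ubuntu", "@os:host=linux"],
    "60a2a262a3da00000131142f": ["@org:group=local", "platform=centos", "@os:host=linux"],
    "60a2a262a3da000001311430": ["@org:group=remote", "platform=ubuntu", "@os:host=windows"],
}

# The page's own selector, exactly as passed to --selector.
PAGE_SELECTOR = '[["@org:group=local","platform=ubuntu"],["@os:host=linux"]]'


def selector_matches(selector, tags):
    """Assumed semantics: selector is a list of clauses (OR); a clause is a list of
    tags that must all be present (AND). An empty selector matches nothing."""
    tagset = set(tags)
    return any(all(tag in tagset for tag in clause) for clause in selector)


def preview_upgrade(selector_json, enforcers):
    """Return the sorted IDs an 'apoctl enforcer upgrade --selector ...' run would target.
    Run this dry-run before adding --confirm so a too-broad selector is caught first."""
    selector = json.loads(selector_json)
    if not isinstance(selector, list) or not all(isinstance(c, list) for c in selector):
        raise ValueError("selector must be a JSON list of lists of tag strings")
    return sorted(eid for eid, tags in enforcers.items() if selector_matches(selector, tags))


if __name__ == "__main__":
    for eid in preview_upgrade(PAGE_SELECTOR, ENFORCERS):
        print(eid)
```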

Manually

The following procedure upgrades the enforcer to the latest version, or to the default enforcer version, if configured. To upgrade the enforcer to a different version, open the /var/lib/prisma-enforcer/prisma-enforcer.conf file for editing and specify the version you want to upgrade to as the value of CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION. The version you specify must be available in your Microsegmentation Console. You can check which versions are available with:
    curl -sSL $TUF_URL/targets.json | jq -r '.signed.targets | to_entries[] | select(.key|startswith("enforcerd/stable")) | .value.custom.version'
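The curl | jq pipeline above only lists what targets.json advertises; it does not verify the TUF signatures (enforcerd does that when it downloads). The added example below, which is not part of the page or of the product, mirrors that jq filter on a constructed targets.json and then pins CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION in the conf file, refusing any version that is not published under enforcerd/stable. It assumes prisma-enforcer.conf uses KEY=value lines.

```python
import json
import re

# Constructed stand-in for $TUF_URL/targets.json. Only the fields the page's jq
# filter reads (.signed.targets[].custom.version) are included.
SAMPLE_TARGETS_JSON = json.dumps({
    "signed": {
        "targets": {
            "enforcerd/stable/enforcerd-1.2.3": {"custom": {"version": "1.2.3"}},
            "enforcerd/stable/enforcerd-1.2.4": {"custom": {"version": "1.2.4"}},
            "enforcerd/beta/enforcerd-1.3.0":   {"custom": {"version": "1.3.0"}},
            "apoctl/stable/apoctl-1.2.4":       {"custom": {"version": "1.2.4"}},
        }
    }
})

CONF_KEY = "CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION"


def available_enforcer_versions(targets_json: str) -> list[str]:
    """Same selection as the page's jq filter: versions of targets whose name
    starts with enforcerd/stable. Note this trusts the file as downloaded; it is
    a listing, not a signature check."""
    targets = json.loads(targets_json)["signed"]["targets"]
    return sorted(
        entry["custom"]["version"]
        for name, entry in targets.items()
        if name.startswith("enforcerd/stable")
    )


def set_first_install_version(conf_text: str, version: str, available: list[str]) -> str:
    """Return the conf text with CONF_KEY pinned to `version` (assumed KEY=value format).
    Refuses versions the Console does not publish, so a typo cannot strand the host."""
    if version not in available:
        raise ValueError(f"{version} is not published under enforcerd/stable; have {available}")
    new_line = f"{CONF_KEY}={version}"
    pattern = re.compile(rf"^{CONF_KEY}=.*$", re.MULTILINE)
    if pattern.search(conf_text):
        return pattern.sub(new_line, conf_text)
    sep = "" if (not conf_text or conf_text.endswith("\n")) else "\n"
    return conf_text + sep + new_line + "\n"
```

Write the returned text back to /var/lib/prisma-enforcer/prisma-enforcer.conf, then continue with the stop, delete and start steps below.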
  1. Access the target host, such as by establishing an SSH session.
    ssh -i "private-key.pem" ubuntu@ec2-36-200-154-69.us-west-2.compute.amazonaws.com
  2. Stop the enforcer service.
    systemd
    sudo systemctl stop prisma-enforcer
    sudo systemctl status prisma-enforcer
    upstart
    sudo stop prisma-enforcer
    sudo status prisma-enforcer
    initd
    sudo /etc/init.d/prisma-enforcer stop
    sudo /etc/init.d/prisma-enforcer status
  3. Delete the existing enforcer binary so the service downloads the target version on the next start.
    sudo ls /var/lib/prisma-enforcer/downloads
    sudo rm -rf /var/lib/prisma-enforcer/downloads/enforcerd
    sudo ls /var/lib/prisma-enforcer/downloads
  4. Start the enforcer service.
    systemd
    sudo systemctl start prisma-enforcer
    sudo systemctl status prisma-enforcer
    upstart
    sudo start prisma-enforcer
    sudo status prisma-enforcer
    initd
    sudo /etc/init.d/prisma-enforcer start
    sudo /etc/init.d/prisma-enforcer status
  5. Open the Network Security section of the Prisma Cloud web interface, select Agent under Manage, and navigate to the namespace of the enforcer.
  6. Confirm that the Last Migration Date displays the current date, indicating a successful upgrade.
    If the upgrade fails, expand Monitor and select Logs. Check for "upgrade failed" errors or rollback messages.