Upgrade to Traps 4.2
The Traps™ 4.2 release comprises the Endpoint Security Manager (ESM) Server, the ESM Console, and the Traps agent. Use the following workflow to upgrade the Traps components:
- Plan for the upgrade.
- Prioritize the downtime for each ESM Server according to your environment and the requirements of the agents connected to the ESM Server. Identify the ESM Servers that serve the highest number of agents and plan to stop services on those ESM Servers last and upgrade them first.
- Ensure that you have the credentials for the user who connects to the database before you begin the upgrade.Hint: Windows authentication uses a domain account and SQL authentication uses a local SQL account on the database server.
- Review the Prerequisites for Traps components and adjust your configuration to meet those prerequisites as needed.
- Disable service protection on all server-side agents
installed on ESM Servers and ESM Consoles.Add a new agent settings rule for Agent Tampering Protection and clear the Enable Services protection option.After you apply the agent settings rule, verify that each Traps agent on each ESM component (server and console) receive the new rule (on the Traps console, select Policy). If needed, Check In Now to force Traps to request the latest security policy from the ESM.
- Stop services
before upgrading the ESM Server software.The database can connect to only ESM components that are running the same release. To avoid conflicts during the upgrade process, ensure that services remain disabled until after you successfully upgrade all ESM components.If you use a third-party watchdog to monitor services, you may need to perform additional steps to ensure that the watchdog software does not attempt to restart the services.From the Services manager, Stop the Endpoint Security Manager service on all ESM Servers.
- (Multiple ESM Server deployments only) Stop
services before upgrading the ESM Console software.This step is not required for standalone deployments with only a single ESM Server and an ESM Console.Stop IIS services on the server on which the ESM Console is installed:
- Dedicated Server—If the ESM Console is the only web application running on the ESM Console server, stop the World Wide Web Publishing Service. Alternatively, you can stop the service from a command prompt by issuing the IISreset /stop command.
- Shared Server—If you run additional web applications on your ESM Console server (not recommended), stop the ESM Application Pool service (ESMAppPool) in the Internet Information Services (IIS) Manager to avoid affecting other applications:
- Open the IIS Manager.
- Expand the server and select Application Pools.
- Right-click ESMAppPool and Stop the service.
- Back up your database.To preserve all data in case the installation is unsuccessful, first ensure that services are down on relevant ESM components and then back up your database.
the ESM Server.In a deployment with multiple ESM Servers, choose one ESM Server on which to test the upgrade. Resolve any issues encountered during the upgrade before proceeding to upgrade the ESM Console and any additional ESM Servers.During the upgrade of the ESM Server, the installer updates the database according to the requirements of the database version. If there is no change between the database versions, the installer does not make any changes to the database.To troubleshoot installation issues, use Msiexec to log verbose output to a file.
- Launch the ESM Core installer file and click Next to begin the installation.
- Enter the username and password used to connect to
the database and then Verify the connection:
- Windows authentication, format: domain\username
- SQL authentication format: sqlservername\username
- If the installer successfully verifies the database connection, click OK.
- Click Install.
- Click Finish.
- Upgrade the ESM Console.
- Launch the ESM Console installer file and click Next to begin the installation.
- Enter the username and password to connect to the
database and then Verify the connection.
- Windows authentication format: domain\username
- SQL authentication format: sqlservername\username
- If the installer successfully verifies the database connection, Click OK.
- Click Install.
- Click Finish.
- Restart the IIS Admin Service on the server on which the ESM Console is installed.
- Verify that you can log in to the ESM Console.
- Upgrade additional ESM Servers.
- Review your Content Updates settings.By default, the ESM Server automatically checks for new content updates. To enable this functionality, you must enable SSL/TLS 1.2 communication between the ESM Server and the updates server (updates.paloaltonetworks.com) on port 443. If you choose to disable automated content updates, we recommend that you check the Support Site for the latest content update versions and, if a later content update is available, install it manually.
- Delete the agent tampering rule you configured for the ESM components earlier in this workflow.
- Upgrade the Traps agents.To upgrade the Traps agent on workstations and servers, the easiest method is to configure an action rule to upgrade the software. The ESM uploads the upgrade package to the upgrade server and automatically initiates the upgrade for any target endpoints to which the rule applies. You can also upgrade the software manually by running the MSI installer on the endpoint.Upgrading Traps on persistent VDI is the same as a upgrading Traps on a regular endpoint; to upgrade Traps on non-persistent VDI, it is recommended to run the MSI installer from the golden image.Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista do not support upgrades from earlier versions using one-time action rules. Refer to Upgrade Considerations for guidelines on using action rules to upgrade the Traps agent.Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista endpointsUse GPO, SCCM, or another alternate method of deploying the Traps softwareMac OS, non-Windows XP/2003/2008/Vista endpoints, and persistent VDI
- Select SettingsAgentActions.
- Select the operating system, either Windows or macOS.
- Select the action menu at the top of the page and then Add an Agent Installation rule.
- Select Upgrade from path.
- (Windows only) Enter the Uninstall Password.
- Browse to and then Upload the Client Upgrade Package (ZIP file).
- (Optional) Specify and Conditions or target Objects to which the rule applies.
- Save and Apply the rule.
- On the golden image, run the Traps installation file to upgrade the Traps software. Then follow the series of prompts to upgrade the agent.
- Mark the golden image as a VDI (see Configure the Master Policy).
Upgrade Considerations The following table lists the new features that have upgrade impact. Before you upgrade the ESM and Traps to release 4.2 , make ...
Set Up the Endpoint Infrastructure
Set Up the Endpoint Infrastructure Use the following workflow to set up the Endpoint infrastructure or, to upgrade your existing Endpoint infrastructure, use the workflow ...
Issues Addressed in Traps Endpoint Security Manager 4.2
List of addressed issues in the Traps Endpoint Security Manager 4.2. ...
Traps Endpoint Security Manager Known Issues
Known issues with the Traps Endpoint Security Manager and Traps agent 4.2. ...
Set Up Traps in a VDI Environment
Set Up Traps in a VDI Environment Use the following workflow to set up Traps in a VDI environment. Review the installation considerations and prerequisites ...
Features Introduced in Traps Endpoint Security Manager
Features Introduced in Traps Endpoint Security Manager The following topics describe the new features introduced in Traps Endpoint Security Manager (ESM) and Traps 4.2. For ...
Endpoint Infrastructure Installation Considerations
Endpoint Infrastructure Installation Considerations To install or upgrade the ESM components consider the following: The ESM Server and the ESM Console must run the same ...
Configure the Golden Image for Non-Persistent VDI
Configure the Golden Image for Non-Persistent VDI To avoid starting your VDI with a cache of unknown executable files, you can use the Traps VDI ...
Database Software Requirements
Database Software Requirements The server-side applications require an SQL database that can be either a local database installed on the same server as the ESM ...