Upgrade to Traps 4.2

The Traps™ 4.2 release comprises the Endpoint Security Manager (ESM) Server, the ESM Console, and the Traps agent. Use the following workflow to upgrade the Traps components:
  1. Plan for the upgrade.
    • Prioritize the downtime for each ESM Server according to your environment and the requirements of the agents connected to the ESM Server. Identify the ESM Servers that serve the highest number of agents and plan to stop services on those ESM Servers last and upgrade them first.
    • Ensure that you have the credentials for the user who connects to the database before you begin the upgrade.
      Hint: Windows authentication uses a domain account and SQL authentication uses a local SQL account on the database server.
    • Review the Prerequisites for Traps components and adjust your configuration to meet those prerequisites as needed.
  2. Disable service protection on all server-side agents installed on ESM Servers and ESM Consoles.
    Add a new agent settings rule for Agent Tampering Protection and clear the Enable Services protection option.
    After you apply the agent settings rule, verify that each Traps agent on each ESM component (server and console) receives the new rule (on the Traps console, select Policy). If needed, Check In Now to force Traps to request the latest security policy from the ESM.
  3. Stop services before upgrading the ESM Server software.
    The database can connect to only ESM components that are running the same release. To avoid conflicts during the upgrade process, ensure that services remain disabled until after you successfully upgrade all ESM components.
    If you use a third-party watchdog to monitor services, you may need to perform additional steps to ensure that the watchdog software does not attempt to restart the services.
    From the Services manager, Stop the Endpoint Security Manager service on all ESM Servers.
  4. (Multiple ESM Server deployments only) Stop services before upgrading the ESM Console software.
    This step is not required for standalone deployments with only a single ESM Server and an ESM Console.
    Stop IIS services on the server on which the ESM Console is installed:
    • Dedicated Server—If the ESM Console is the only web application running on the ESM Console server, stop the World Wide Web Publishing Service. Alternatively, you can stop the service from a command prompt by issuing the IISreset /stop command.
    • Shared Server—If you run additional web applications on your ESM Console server (not recommended), stop the ESM Application Pool service (ESMAppPool) in the Internet Information Services (IIS) Manager to avoid affecting other applications:
      1. Open the IIS Manager.
      2. Expand the server and select Application Pools.
      3. Right-click ESMAppPool and Stop the service.
  5. Back up your database.
    To preserve all data in case the installation is unsuccessful, first ensure that services are down on relevant ESM components and then back up your database.
  6. Upgrade the ESM Server.
    In a deployment with multiple ESM Servers, choose one ESM Server on which to test the upgrade. Resolve any issues encountered during the upgrade before proceeding to upgrade the ESM Console and any additional ESM Servers.
    During the upgrade of the ESM Server, the installer updates the database according to the requirements of the database version. If there is no change between the database versions, the installer does not make any changes to the database.
    To troubleshoot installation issues, use Msiexec to log verbose output to a file.
    1. Launch the ESM Core installer file and click Next to begin the installation.
    2. Enter the username and password used to connect to the database and then Verify the connection:
      • Windows authentication format: domain\username
      • SQL authentication format: sqlservername\username
    3. If the installer successfully verifies the database connection, click OK.
    4. Click Install.
    5. Click Finish.
  7. Upgrade the ESM Console.
    1. Launch the ESM Console installer file and click Next to begin the installation.
    2. Enter the username and password to connect to the database and then Verify the connection:
      • Windows authentication format: domain\username
      • SQL authentication format: sqlservername\username
    3. If the installer successfully verifies the database connection, click OK.
    4. Click Install.
    5. Click Finish.
    6. Restart the IIS Admin Service on the server on which the ESM Console is installed.
    7. Verify that you can log in to the ESM Console.
  8. Upgrade additional ESM Servers.
    For each additional ESM Server, verify that the services are disabled (see Step 3) and then repeat Step 6 to upgrade the ESM Server software.
  9. Review your Content Updates settings.
    By default, the ESM Server automatically checks for new content updates. To enable this functionality, you must enable SSL/TLS 1.2 communication between the ESM Server and the updates server (updates.paloaltonetworks.com) on port 443. If you choose to disable automated content updates, we recommend that you check the Support Site for the latest content update versions and, if a later content update is available, install it manually.
  10. Delete the agent tampering rule you configured for the ESM components earlier in this workflow.
  11. Upgrade the Traps agents.
    To upgrade the Traps agent on workstations and servers, the easiest method is to configure an action rule to upgrade the software. The ESM uploads the upgrade package to the upgrade server and automatically initiates the upgrade for any target endpoints to which the rule applies. You can also upgrade the software manually by running the MSI installer on the endpoint.
    Upgrading Traps on persistent VDI is the same as upgrading Traps on a regular endpoint; to upgrade Traps on non-persistent VDI, it is recommended to run the MSI installer from the golden image.
    Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista do not support upgrades from earlier versions using one-time action rules. Refer to Upgrade Considerations for guidelines on using action rules to upgrade the Traps agent.
    Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista endpoints
    Use GPO, SCCM, or another alternate method of deploying the Traps software.
    Mac OS, non-Windows XP/2003/2008/Vista endpoints, and persistent VDI
    1. Select Settings > Agent > Actions.
    2. Select the operating system, either Windows or macOS.
    3. Select the action menu at the top of the page and then Add an Agent Installation rule.
    4. Select Upgrade from path.
    5. (Windows only) Enter the Uninstall Password.
    6. Browse to and then Upload the Client Upgrade Package (ZIP file).
    7. (Optional) Specify any Conditions or target Objects to which the rule applies.
    8. Save and Apply the rule.
    Non-persistent VDI
    1. On the golden image, run the Traps installation file to upgrade the Traps software. Then follow the series of prompts to upgrade the agent.
    2. Mark the golden image as a VDI (see Configure the Master Policy).
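
The checks behind steps 3, 4 and 9 of this workflow, as an added PowerShell example (not part of the vendor documentation): it confirms that services are stopped on every ESM component before the database backup and tests TLS 1.2 reachability of the updates server on port 443. The host names, and the installer and log paths in the final comment, are placeholders.

```powershell
# Added example: pre-upgrade checks for steps 3, 4 and 9 of the workflow.
# Host names below are constructed placeholders; replace them with your own.
$EsmServers = @('esm-srv-01', 'esm-srv-02')   # placeholder ESM Server hosts
$EsmConsole = 'esm-console-01'                # placeholder ESM Console host
$UpdateHost = 'updates.paloaltonetworks.com'  # updates server named in step 9

function Test-ServiceStopped {
    param([string]$ComputerName, [string]$DisplayName)
    # Win32_Service.State reads 'Stopped' only when the service is fully down.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
        -Filter "DisplayName='$DisplayName'" -ErrorAction Stop
    [pscustomobject]@{
        Computer = $ComputerName
        Service  = $DisplayName
        State    = if ($svc) { $svc.State } else { 'NotFound' }
        Ok       = ($svc -and $svc.State -eq 'Stopped')
    }
}

function Test-Tls12 {
    param([string]$HostName, [int]$Port = 443)
    $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
    $tcp   = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Offer TLS 1.2 only, so success proves that exact protocol works end to end.
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
        return ($ssl.SslProtocol -eq $tls12)
    } catch {
        Write-Warning "TLS 1.2 to ${HostName}:$Port failed: $($_.Exception.Message)"
        return $false
    } finally {
        $tcp.Close()
    }
}

# Step 3: the Endpoint Security Manager service must be stopped on all ESM Servers.
$results  = @($EsmServers | ForEach-Object { Test-ServiceStopped $_ 'Endpoint Security Manager' })
# Step 4, dedicated console server; on a shared server check ESMAppPool in IIS Manager instead.
$results += Test-ServiceStopped $EsmConsole 'World Wide Web Publishing Service'
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) { throw 'Services still running: do not back up or upgrade yet.' }
if (-not (Test-Tls12 $UpdateHost)) { Write-Warning 'Automatic content updates need TLS 1.2 to the updates server (step 9).' }
# Verbose installer log (step 6), placeholder paths: msiexec /i <installer>.msi /l*v <logfile>.log
```

Run this from an administrative workstation that can reach each ESM host over WinRM; a host that cannot be queried raises an error rather than being reported as stopped.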
