Identity-Based Microsegmentation Guide
LAST UPDATED: November 8, 2021

Linux enforcers

About upgrading Linux enforcers

This section describes how to upgrade Linux enforcers:

  • From the web interface: with just a few clicks you can upgrade one or more enforcers
  • Using apoctl: from a local or jump host with SSH access to the target hosts
  • Manually: allowing integration with the tool of your choice to automate the procedure (Ansible, Chef, Puppet, etcetera)

If the upgrade fails, the enforcer rolls back automatically to the previous version.

IMPORTANT

While the enforcer reboots to complete the upgrade, it ceases to enforce your network rulesets. We recommend configuring the existing Linux firewall on the host to take over while the enforcer reboots to ensure protection.

From the web interface

  1. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the namespace of the enforcers you wish to upgrade.

  2. Upgradeable enforcers have a chevron icon.
    (Figure: Enforcer with chevron)

  3. Expand to review the enforcer’s metadata, especially its current version number and the version it will be upgraded to by default.
    (Figure: Enforcer version review)

  4. Either click the chevron of the enforcer you wish to upgrade, or toggle the Multiselect button to select more than one enforcer as shown below.
    (Figure: Enforcer multiselect)

  5. After clicking Upgrade enforcer, select the version number that you wish to upgrade your enforcer(s) to from the Upgrade to version list box. You can also manually specify the version you want to upgrade the enforcer to by selecting Custom Version.

    TIP

    If you have more than one enforcer version to select from, the older version represents the default enforcer version set on the namespace. Refer to Setting a default enforcer version for more information.

  6. Once you have specified the version to upgrade the enforcer to, confirm that the enforcers all have the status Connected. Upgrades require a connection to the Microsegmentation Console.

  7. Click Upgrade enforcers.

  8. Once the enforcers have upgraded, the Last Migration Date should display the current date, indicating a successful upgrade.

    TIP

    If the upgrade fails, expand Monitor and select Logs. Check for "upgrade failed" or "rollback" error messages.

Using apoctl

  1. Access a jump or local host equipped with the following.

    • apoctl installed and configured
    • namespace.administrator privileges in the Microsegmentation namespace of the enforcer(s)
    • SSH access to enforcer host(s)
    • User account on the enforcer host(s) that can sudo to gain root privileges without entering a password
  2. Construct an apoctl enforcer upgrade command as discussed below. You can select the enforcers to upgrade by ID, by namespace, or by their Microsegmentation tags.

    apoctl enforcer upgrade 60a2a262a3da00000131142e \
                            --target-version latest \
                            --confirm
    
    apoctl enforcer upgrade --target-version latest \
                            --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
                            --confirm
    
    apoctl enforcer upgrade --target-version latest \
                            --namespace $ENFORCER_NS1 $ENFORCER_NS2 \
                            --selector '[["@org:group=local","platform=ubuntu"],["@os:host=linux"]]' \
                            --confirm
    
    apoctl enforcer upgrade <ENFORCER_ID> \
                            --target-version latest|namespace|<semantic-verno> \
                            --namespace $TARGET_NS \
                            --recursive \
                            --selector '[["<tag1>","<tag2>"],["<tag3>"]]' \
                            --confirm
    

    NOTE

    • Omit --confirm to just print what your command instructs apoctl to do.
    • The --recursive flag upgrades enforcers in the current namespace and all of its children namespaces.
    • Specifying --target-version namespace instructs apoctl to upgrade the enforcers to the default enforcer version of their namespace.
    • Run apoctl enforcer upgrade -h to learn more about the options.

  3. The enforcer’s status should flip to disconnected and migration running, then back to connected. Review the details of the enforcer and confirm that today’s date is shown under Last migration date.

Manually

TIP

The following procedure upgrades the enforcer to the latest version, or to the default enforcer version if one is configured. To upgrade the enforcer to a different version, open the /var/lib/prisma-enforcer/prisma-enforcer.conf file for editing and specify the version you want to upgrade to as the value of CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION. The version you specify must be available in your Microsegmentation Console. To check which versions are available, run:

    curl -sSL $TUF_URL/targets.json | jq -r '.signed.targets | to_entries[] | select(.key|startswith("enforcerd/stable")) | .value.custom.version'
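To validate a pinned version against the console's TUF metadata before editing the configuration file, here is an added Python example (not part of the original guide or the product's own tooling). It assumes the targets.json shape the jq filter above reads (signed.targets keys beginning with enforcerd/stable, each carrying custom.version) and a KEY=VALUE line format for prisma-enforcer.conf; both inputs are constructed samples, and the code only reads the already fetched metadata without verifying TUF signatures.

```python
import json
import re

# Constructed sample in the shape of the TUF targets.json that the jq filter
# reads (signed.targets -> "enforcerd/stable/..." keys -> custom.version).
# Entries and version numbers are made up for this example.
SAMPLE_TARGETS_JSON = json.dumps({
    "signed": {
        "targets": {
            "enforcerd/stable/linux/amd64/1.2.3": {"custom": {"version": "1.2.3"}},
            "enforcerd/stable/linux/amd64/1.2.4": {"custom": {"version": "1.2.4"}},
            "enforcerd/beta/linux/amd64/1.3.0": {"custom": {"version": "1.3.0"}},
        }
    },
    "signatures": [],
})

# Key named in the guide; the KEY=VALUE line format is an assumption here.
CONF_KEY = "CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION"


def stable_versions(targets_json: str) -> list:
    """Return the sorted enforcerd/stable versions listed in targets.json.

    Same selection as the jq filter in the TIP. This only reads the already
    fetched metadata; it does not verify the TUF signatures.
    """
    targets = json.loads(targets_json)["signed"]["targets"]
    versions = {
        meta["custom"]["version"]
        for key, meta in targets.items()
        if key.startswith("enforcerd/stable")
    }
    return sorted(versions)


def pin_version(conf_text: str, version: str, targets_json: str) -> str:
    """Return conf_text with CNS_AGENT_ENFORCER_FIRST_INSTALL_VERSION set.

    Refuses a version that is not published under enforcerd/stable, so a typo
    or an unpublished build is caught before the service is restarted.
    """
    if version not in stable_versions(targets_json):
        raise ValueError(f"version {version!r} is not available in the console")
    line = f"{CONF_KEY}={version}"
    pattern = re.compile(rf"^{CONF_KEY}=.*$", re.MULTILINE)
    if pattern.search(conf_text):
        return pattern.sub(line, conf_text)  # replace the existing setting
    body = conf_text.rstrip("\n")
    return (body + "\n" if body else "") + line + "\n"  # key absent: append
```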

  1. Access the target host, such as by establishing an SSH session.

    ssh -i "private-key.pem" ubuntu@ec2-36-200-154-69.us-west-2.compute.amazonaws.com
    
  2. Stop the enforcer service, using the commands for your host's init system.

    # systemd
    sudo systemctl stop prisma-enforcer
    sudo systemctl status prisma-enforcer
    
    # Upstart
    sudo stop prisma-enforcer
    sudo status prisma-enforcer
    
    # SysV init
    sudo /etc/init.d/prisma-enforcer stop
    sudo /etc/init.d/prisma-enforcer status
    

  3. Delete the existing enforcer.

    sudo ls /var/lib/prisma-enforcer/downloads
    sudo rm -rf /var/lib/prisma-enforcer/downloads/enforcerd
    sudo ls /var/lib/prisma-enforcer/downloads
    
  4. Start the enforcer service, again using the commands for your host's init system.

    # systemd
    sudo systemctl start prisma-enforcer
    sudo systemctl status prisma-enforcer
    
    # Upstart
    sudo start prisma-enforcer
    sudo status prisma-enforcer
    
    # SysV init
    sudo /etc/init.d/prisma-enforcer start
    sudo /etc/init.d/prisma-enforcer status
    

  5. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the namespace of the enforcer.

  6. Confirm that the Last Migration Date displays the current date, indicating a successful upgrade.

    TIP

    If the upgrade fails, expand Monitor and select Logs. Check for "upgrade failed" or "rollback" error messages.