Upgrading ESA with DSG
Pre-requisites
All the ESAs must be on v9.2.0.0.
All the DSGs must be on v3.2.0.0 HF-1.
ESAs and DSGs must be in a single TAC.
Ensure there is good network connectivity between the machine where DSG is going to be installed and all the ESAs, and they can communicate with each other.
Ensure the ESAs in both the Primary site (ESA P1, S1, S2) and the DR site (ESA S3, S4, S5) are up and running.
Ensure all the ESAs in the cluster and all the DSGs in the cluster are reachable using hostname or FQDN.
Important: ESA v10 supports only protectors with PEP server version 1.2.2+42 or later. Hence, before proceeding with the ESA upgrade, check the installed protector version. If the protector version is below 1.2.2+42, the ESA upgrade will fail, so remove the registered protectors from the Policy Dashboard. For instructions on identifying the installed protector version, refer to the documentation section Identifying the protector version.
Canary Upgrade
The Canary upgrade involves re-imaging the existing DSG instances to the newer version one by one using ISO or cloud image as applicable. This could be performed by re-using the same instance or spawning a new instance for DSG and terminating the older version DSGs.
Important: There will be downtime of DSGs during upgrade. However, the downtime can be minimized by spawning the fresh DSGs of version 3.3.0.0 in parallel to upgrading ESAs.
This section explains the upgrade flow of ESAs and DSGs only. It does not consider the presence of 9.1.0.0 protectors apart from DSG.
If DSGs are installed along with other 9.1 protectors, refer to Upgrading ESA with DSGs and 9.1 Protectors.
Canary upgrade is the prescribed way of upgrading DSGs. For alternative ways of upgrading DSGs, refer to Upgrade process.
Perform the following steps to upgrade DSGs with ESAs.
1. Pre-Upgrade Steps
Backup all ESAs.
- On-Premise: Perform a full OS backup of all ESAs at both sites.
- Cloud Premises: Take snapshots of each instance to ensure a restore point is available should any issues arise during the upgrade process. For more information about backup, refer Backup the appliance OS for on-premise ESAs and section 9.1.3 Backing Up on Cloud Platforms.
Delete TAC replication job from Primary ESA P1.
Follow the below steps to disable TAC replication scheduled task.
On the Primary ESA P1’s Web UI, navigate to System > Task Scheduler.
Click on the TAC replication scheduled task.
Click on Remove.
Click on “Apply” button to apply the changes.
2. Upgrading the ESAs in DR Site
Remove all the ESAs at the DR site from the TAC.
It is required to remove all the ESAs at the DR site from the TAC before proceeding with upgrading them.
Upgrade ESAs at the DR Site sequentially. Commence the upgrade by focusing on the ESAs located at the DR site. Follow the below sequence:
Upgrade ESA S3
Upgrade ESA S4
Upgrade ESA S5
For each upgrade, refer to the following sections:
- Prerequisites, to understand the prerequisites.
- Upgrade Paths to ESA v10, to understand the upgrade paths to ESA v10.
- Upgrading from v9.2.0.1, for steps to upgrade from ESA v9.2.0.1 to ESA v10.0.1.
- Upgrading from v10.0.1, for steps to upgrade from ESA v10.0.1 to v10.1.0.
- Post Upgrade steps, to perform the post-upgrade steps of ESA.
Ensure each ESA is fully upgraded before proceeding to the next ESA.
3. Post Upgrade Validation of ESAs in DR Site
Conduct thorough validation of the upgraded ESAs at the DR site to confirm operational integrity and successful upgrade. Perform the following validations on all the ESAs.
Login to ESA Web UI.
Check for correctness of the version under About.
Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.
Navigate to Settings > Users and check that External Groups settings are intact.
Navigate to Audit Store > Cluster Management and check if ESA S3, ESA S4 and ESA S5 are visible under Nodes tab and Cluster Status is shown as GREEN.
4. Pre-Upgrade Steps for DSG
Remove existing DSGs from TAC. It is required to remove all the DSGs from the TAC before proceeding with further upgrade steps.
As mentioned at the start of this section, it is expected to have downtime of DSGs. Hence, at this step, stop all the existing DSGs.
5. Upgrading the ESAs in Primary Site
Remove all the ESAs at the Primary site from the TAC before upgrading them.
Upgrade ESAs at the Primary Site sequentially.
Follow the below sequence for upgrading all the ESAs in the primary site:
Upgrade ESA P1
Upgrade ESA S1
Upgrade ESA S2
For each upgrade, refer to the following sections:
- Prerequisites, to understand the prerequisites.
- Upgrade Paths to ESA v10, to understand the upgrade paths to ESA v10.
- Upgrading from v9.2.0.1, for steps to upgrade from ESA v9.2.0.1 to ESA v10.0.1.
- Upgrading from v10.0.1, for steps to upgrade from ESA v10.0.1 to v10.1.0.
- Post Upgrade steps, to perform the post-upgrade steps of ESA.
Ensure each ESA is fully upgraded before proceeding to the next ESA.
6. Post Upgrade Validation of ESAs in Primary Site
Validate Primary Site ESAs Post Upgrade.
Conduct thorough validation of the upgraded ESAs at the Primary site to confirm operational integrity and successful upgrade.
Perform the following validations on all the ESAs.
Login to ESA Web UI.
Check for correctness of the version under About.
Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.
Navigate to Settings > Users and check that External Groups settings are intact.
Navigate to Audit Store > Cluster Management and check if ESA P1, ESA S1 and ESA S2 are visible under Nodes tab and Cluster Status is shown as GREEN.
7. Installing and Configuring the DSGs
Create fresh DSGs of version 3.3.0.0. Perform this step in parallel to Upgrading the ESAs in Primary Site. This is to minimize the DSG downtime. Create DSGs v3.3.0.0 using ISO or cloud image as applicable.
For more information about installing DSG 3.3.0.0, refer Installing the DSG.
Create a new TAC with re-imaged DSGs. Starting with DSG v3.3.0.0, ESAs and DSGs should be in separate TACs. Hence, create a new TAC with the DSGs re-imaged in the step above.
Upload and install DSG Management Server certificates in each of the DSGs individually. Ensure the SAN field in each of the certificates has the hostname and FQDN of the DSG node it is going to be installed in.
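The SAN requirement above can be checked before each DSG Management Server certificate is uploaded. The following is an added example, not Protegrity tooling: it parses the subjectAltName output of openssl and requires an exact match for both the short hostname and the FQDN. The function names and the example.test host names are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Names under example.test are constructed.

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
# It carries the FQDN (in mixed case) but not the short hostname "dsg1".
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:dsg10.example.test, DNS:DSG1.example.test, IP Address:192.0.2.10'

# Read SAN text on stdin; print each DNS entry, lower-cased, one per line.
san_dns_names() {
    tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# san_has_name SAN_TEXT NAME
# Succeeds only when NAME equals a whole DNS entry (case-insensitive), so
# "dsg1" is not satisfied by "dsg10.example.test" or "dsg1.example.test".
san_has_name() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | san_dns_names | grep -Fxq -e "$want"
}

# check_san SAN_TEXT HOSTNAME FQDN
# Reports each required name that is absent; returns the number missing.
check_san() {
    missing=0
    for name in "$2" "$3"; do
        if ! san_has_name "$1" "$name"; then
            echo "MISSING from SAN: $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_cert_file CERT_PEM HOSTNAME FQDN
# Same check against a PEM file; the -ext option needs OpenSSL 1.1.1 or later.
check_cert_file() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null) || san=""
    check_san "$san" "$2" "$3"
}

# Demonstration on the constructed sample: reports the short hostname as missing.
check_san "$SAMPLE_SAN" dsg1 dsg1.example.test || true
```

Run `check_cert_file` once per DSG node with that node's own hostname and FQDN; a non-zero return means the certificate should be reissued before installation.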
8. Creating TAC of all ESAs in Primary and DR sites
Join all the Secondary ESAs to the TAC from both sites. Join all the secondary ESAs, that is, ESA S1 and ESA S2 in the Primary site and ESA S3, ESA S4 and ESA S5 in the DR site, to the existing TAC created in the above step 1 with Primary ESA P1.
9. Perform ESA Communication
Perform ESA communication from all the DSGs. For all the options in ESA communication except for Update host settings for DSG, provide GTM IP, hostname or FQDN as applicable. For more information about performing set ESA communication, refer Setting up ESA communication.
9.1 Update Host Settings for DSG
For Update host settings for DSG in ESA communication, provide Primary ESA P1’s FQDN or hostname as applicable. For more information about performing set ESA communication, refer Setting up ESA communication.
10. Install DSG Patch on all the ESAs in the Primary and DR site
Install DSG 3.3.0.0 patch on all ESAs in the Primary and DR site, that is, ESA P1, S1, S2, S3, S4, S5.
10.1 Provide DSG Details During Patch Installation
When prompted for DSG details during patch installation, provide the FQDN or hostname of any running DSG in the TAC. Ensure the same DSG FQDN/hostname is provided during DSG patch installation on all other ESAs.
11. Perform Post Installation Steps in All ESAs in the Primary and DR site
For information about performing post installation steps in all the ESAs, refer Post installation/upgrade steps.
12. Check DSG’s Cluster Page in ESA
Check if all the installed DSGs are listed under the Cloud Gateway > Cluster page in ESA.
13. Deploy Rulesets
Click on the Deploy button from the DSG’s Cluster page in ESA P1 to deploy rulesets in all the DSGs present in the TAC. For more information related to deploying rulesets, refer Deploying configurations to the cluster.
14. Check Health Status of DSGs from Cluster Page
After the deployment of rulesets is successful, check the health status of DSGs in TAC from the DSG’s Cluster page in ESA P1. All the DSGs should show health status as green.
15. Check for DSG nodes status in Policy Management Dashboard
Login to ESA P1 Web UI.
Navigate to Policy Management in ESA P1 Web UI and check if Datastores shows all the DSG nodes registrations as GREEN or Ok and Policy Deploy Status as GREEN or Ok.
16. Validate Protector Operations
Confirm that DSGs can perform data security operations post-upgrade of the ESAs.
Verify that audit events are being forwarded successfully to the ESAs.
Create or Enable Scheduler tasks in Primary site ESAs. Create or enable all the scheduler tasks in Primary site ESAs as mentioned in section Scheduler Tasks.
17. Terminate the older version DSGs
After the DSGs are successfully upgraded and confirmed to be working in Validate Protector Operations, terminate all the older-version DSGs that were stopped at step 2 in Pre-Upgrade Steps for DSG to free up resources.
Additional Considerations
Documentation: Maintain detailed records of the upgrade procedure for future reference.
Troubleshooting: Have contingency plans in place to address potential issues arising during the upgrade.
Support: Utilize Protegrity support services for guidance or troubleshooting assistance as needed.
Make sure to follow these steps meticulously to ensure a seamless upgrade and configuration process.