Upgrade the Virtual Appliance
Upgrade the Virtual Appliance
The upgrade process depends on the current version of your Virtual Appliance (VA). Netskope supports upgrading the software for up to two versions ahead of the current version.
Note
Modular upgrades for the OPLP and DPoP are also available. To learn more, see Installing Modular Upgrades for OPLP and DPoP.
Additional packages for appliances are automatically updated with each release, and you can schedule upgrades for these packages as well. To learn more, see: Upgrade the Additional Appliance Packages and Schedule Auto-Upgrade for the Content and Threat Feed Packages.
Appliance Software Version Support
Netskope Appliance software releases are available every 4-months and will have Netskope support up to two previous versions. Direct software upgrades are supported as long as the “from” and “to” software releases are within two versions apart.
To see the upgrade path for the version you wish to upgrade to, go to the Requirements in the Virtual Appliance Release Notes for that version.
Important
Before upgrading your appliance software, Netskope highly recommends that you save the existing configuration of your current appliance version as a backup by exporting the configuration. To learn more, see: Export or Import Configurations.
If your current appliance version is older than 110.0.0, you must upgrade the software up to two versions ahead at a time until you reach the target version. Alternatively, you can deploy a new VA and migrate your data to the latest version.
After upgrading your appliance software, if you want to revert to a previous version, you must install a new VA of the previous version, and import the configurations exported before the upgrade. This method of exporting and importing configuration to revert to a previous version can only be used to revert to versions 110.0.0 or later.
If you want to revert to a version older than 110.0.0, you must install a new VA and manually reconfigure the appliance. Rollback is not supported for some versions of the appliance software. In the appliance CLI, use the show version-info command
to check which appliance versions support rollback. If rollback : Not installed
is displayed, rollback is unavailable for that version. Use the rollback software-image
command to revert back to a previous version.
Upgrading the VA
You can upgrade the VA in the appliance CLI. Run the show version-info
command to check the current version of your appliance. You can also run the following command to check for the list of available software from Netskope: upgrade software list
.
Before upgrading the VA, make sure of the following:
- The current version is no older than 110.0.0.
- Upgrade from your current version until you reach the target version. To learn more, see Upgrading the Virtual Appliance Package
- Deploy a new VA and migrate your data to the latest version. To learn more, see Migrating the Virtual Appliance Package
- The upgrade occurs during a maintenance window. The upgrade may take up to an hour and requires a reboot of your system(s).
- The size of the root partition is 64 GB or higher. For information on increasing the partition size, see Increase the Size of the Partition.
- There’s at least 42 GB of free space on the
/opt/ns/upgrades
partition where the upgrade pkg is downloaded. - The log partition (
/var/ns/docker/mounts/lclw/mountpoint
) must have at least 20 GB of free space. - The urldbz package is installed on a DPoP appliance. You can verify this by running the
show version-info
command. For instructions to install the urldbz package, see Upgrade the Additional Appliance Packages.
Note
If your current VA version is older than this version, use one of the following methods to upgrade the VA:
Use the df
command to check the available space on the upgrade and log partitions. If the output of the command shows high disk utilization, then you can delete the older version of the appliance by running the following command: upgrade software delete version <version software>
.
Upgrading the Virtual Appliance Package
To upgrade the VA:
- Log in to the VA console and at the nsshell prompt, enter the
upgrade software list
command to check for the list of available software from Netskope. - Enter the
upgrade software download version <version number>
command to download the software. To check the status of the download, enter theupgrade software status download
command. - After the download is complete, enter the
upgrade software prepare version <version number>
command to prepare the software package. To check the status of the prepare process, enter theupgrade software status prepare
command. When the process is complete, the following is displayed:Status: SUCCESS
. - Enter the
upgrade software install version
command to install the new software package. To check the status of the install process, enter theupgrade software status install
command. When the process is complete, the following is displayed:Status: SUCCESS
.
To verify if the software was upgraded to the target version, run the status all
or show version-info
commands to view the software version. The UI also displays the updated version of the software under the On-Premises Infrastructure page (Settings > Security Cloud Platform).
Migrating the Virtual Appliance
In order to migrate to the target version of VA from a previous version, you must complete the following steps:
- Export the configurations from the current VA using the config-transporter script and save the configurations on an external storage. For details about exporting configurations, refer to Exporting Configurations.
- Install and deploy a new VA. Refer to Install a Virtual Appliance.
- Depending on the availability of IP addresses on the network, choose one of the following options:
Provision New IP Addresses for a New VA
If IP addresses are available on the network, you can setup the new VA with an available IP address. In this case, both, the new and current VAs process logs until you deprovision the current VA. New logs are sent to the new VA for processing while the current VA processes pending logs.
To migrate the VA:
- Configure the interface on the new VA using the available IP address. Refer to Configure the Interfaces.
- Import the configurations from the current VA to the new VA using the following command:
scp import config from host <hostname or IP> mode without-network path <path to the file or folder> user <username>
To learn more, see Importing Configurations. - For OPLP, complete the following steps:
- On VA versions older than 99.0.0, navigate to the lcoplp container and run the following command:
export PATH=$PATH:/opt/ns/bin/docker/tools lcgo lcoplp
- Use the following command to stop the OPLP from processing new logs:
sudo supervisorctl stop syslogng
New logs will now be processed by the new VA. The current VA will continue to process pending logs. - To verify the status of unprocessed pending logs, run the following command:
/opt/ns/nsenv/bin/python /opt/ns/bin/logcollector/logmanager.py —status
- On VA versions older than 99.0.0, navigate to the lcoplp container and run the following command:
- Deprovision the current VA using the following command:
op deprovision
The OPLP stops log processing on the VA and the DPoP stops forwarding traffic to the VA.
Reuse IP Addresses from an Old VA
If all the IP addresses in the network are in use, the new VA will reuse the network configurations and IP address of the current VA. In this case, the new logs will be received and processed by the new VA after you configure the IP address.
To migrate the VA:
- For OPLP:
- On VA versions older than version 42.14.0, navigate to the lcoplp container and run the following command:
export PATH=$PATH:/opt/ns/bin/docker/tools lcgo lcoplp
- Use the following command to stop the OPLP from processing new logs:
sudo supervisorctl stop syslogng
The current VA will continue to process pending logs. New logs will be processed by the new VA after the current VA is deprovisioned. - To verify the status of unprocessed pending logs, run the following command:
/opt/ns/nsenv/bin/python /opt/ns/bin/logcollector/logmanager.py —status
- On VA versions older than version 42.14.0, navigate to the lcoplp container and run the following command:
- Deprovision the current VA using the following command:
op deprovision
The OPLP stops log processing on the VA and the DPoP stops forwarding traffic to the VA. - Import the configurations from the current VA to the new VA using the following command:
scp import config from host <hostname or IP> mode all path <path to the file> user <username>
For details about importing configurations, refer to Importing Configurations.