ESM System upgrade best practices

Created On 09/25/18 18:17 PM - Last Modified 08/03/20 18:44 PM


Symptom
Introduction
  • While running, both the ESM Console and the ESM Core services commit changes to the shared database.
  • During an upgrade of the ESM core, the installer checks the database version and commits changes to it according to the version's needs. If an ESM core is installed and connected to an existing database of the same version, no changes are made.
  • The system supports multiple ESM servers connected to the same database. This brings a limitation when upgrading the environment, because database schema changes cannot be supported by both the previous and the updated ESMs at the same time.
    Note: The upgrade process requires downtime of each ESM server until it is upgraded.
  • Upgrade product components in this order:
    1. ESM core
    2. ESM console
    3. Additional cores/consoles
    4. Agents
  • Before starting the upgrade process, make sure you have:
    • The new version installers including the agent upgrade package
    • Admin guide and specific version release notes from the TechDocs
    • If using Windows authentication for the ESM connection to the database – the domain user credentials of the application user.
    • ESM server local admin user.
    • Privileged database user able to create a full backup of the database.
    • Disabled “service protection” on all server-side agents installed on ESM Servers and ESM Console servers.
    • The agent uninstall password for agent upgrade done using the agent upgrade action.

Notes:
  • If using virtual ESM servers, it is recommended to create machine snapshots prior to starting the upgrade procedure. Once the upgrade process completes successfully, these snapshots can be deleted.
  • Make sure there is no third-party “watchdog” in charge of keeping services running that might attempt to restart the Endpoint Security Manager service when it is stopped.
  • Once the upgrade process has started, “older” version ESMs shouldn’t be connected to the new database until they are upgraded.
  • We recommend prioritizing ESM downtime according to the environment and the agents connected to each ESM. Critical ESMs should be stopped last and upgraded first.



Environment
  • Advanced Endpoint Protection (Traps)
  • ESM Console
  • ESM Core


Resolution
Upgrade process:
  1. Stop the ESM services to stop any DB transactions:
  2. Stop the “Endpoint Security Manager” service on each ESM server
    • Using the services.msc control panel:
      [Screenshot: ESMService.jpg]
    • Using the command line (with elevated privileges), type “net stop CyveraServer”
  3. Stop the IIS service on each ESM Console server
    • Using the services.msc control panel:
      [Screenshot: IISService.jpg]
    • Using the command line (with elevated privileges), type “iisreset /stop”
  4. Once all services (on all ESMs) are down, back up the database:
    • Log into SQL Server Management Studio using a privileged user
    • Right-click the Traps database and, under “Tasks”, select “Back Up…”
      [Screenshot: DBBU.jpg]
    • On the following screen, select a full database backup, choose the destination of the backup file and click “OK”.
  5. Upgrade one of the ESM core servers.
    • When using “Windows authentication” to connect to the Traps database, the installer prompts for the username and password of the application domain user so that it can validate the connection to the database.
      This screen will not appear if using “SQL authentication”:
      [Screenshot: Core.jpg]
  6. Upgrade one of the ESM consoles.
    • When using “Windows authentication” to connect to the Traps database, the installer prompts for the username and password of the application domain user so that it can validate the connection to the database.
      This screen will not appear if using “SQL authentication”:
      [Screenshot: Console.jpg]
    • Restart the IIS service on the server:
      1. Using the services.msc control panel:
        [Screenshot: IISServiceStart.jpg]
      2. Using the command line (with elevated privileges), type “iisreset /start”
    • Test the ESM Console login.
    • Once one ESM core is upgraded successfully, all remaining ESM servers and Consoles can be upgraded simultaneously and connected to the already updated DB.
    • Once all the servers are upgraded, Traps agents can be upgraded using the upgrade agent action with the upgrade package, by manually running the agent installers on the endpoint, or via GPO or the organization's deployment software.
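Steps 1 through 4 above, scripted as an added example that is not part of this article or of Palo Alto Networks' tooling: it stops the CyveraServer service on every ESM core and IIS on every ESM Console server, confirms nothing is still connected to the database, and only then takes a full, checksummed backup. Server names, the SQL instance, the database name “Traps” and the backup path are placeholder assumptions, and the SqlServer PowerShell module is assumed to be installed on the machine running the script.

```powershell
# Added example (not the vendor's own tooling). Placeholders below must be edited.
$EsmCoreServers    = @('esm-core-01', 'esm-core-02')   # placeholder ESM core hosts
$EsmConsoleServers = @('esm-console-01')                 # placeholder ESM Console hosts
$SqlInstance       = 'sqlserver-01\TRAPS'                # placeholder SQL instance
$DatabaseName      = 'Traps'                             # assumed DB name (see step 4)
$BackupFile        = 'D:\Backups\Traps_pre_upgrade.bak'  # placeholder backup path

function Stop-RemoteService {
    # Stops a Windows service on a remote host over WinRM and returns its final status.
    param([string]$Computer, [string]$ServiceName)
    Invoke-Command -ComputerName $Computer -ArgumentList $ServiceName -ScriptBlock {
        param($Name)
        $svc = Get-Service -Name $Name -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $Name -Force
            $svc.WaitForStatus('Stopped', (New-TimeSpan -Minutes 2))
        }
        (Get-Service -Name $Name).Status
    }
}

# Steps 1-2: stop the Endpoint Security Manager service (CyveraServer) on each ESM core.
foreach ($s in $EsmCoreServers) {
    $status = Stop-RemoteService -Computer $s -ServiceName 'CyveraServer'
    if ($status -ne 'Stopped') { throw "CyveraServer still $status on $s; aborting." }
    Write-Host "$s CyveraServer: $status"
}

# Step 3: stop IIS on each ESM Console server (same effect as 'iisreset /stop').
foreach ($s in $EsmConsoleServers) {
    Invoke-Command -ComputerName $s -ScriptBlock { iisreset /stop | Out-Null }
    $status = Invoke-Command -ComputerName $s -ScriptBlock { (Get-Service -Name W3SVC).Status }
    if ($status -ne 'Stopped') { throw "W3SVC still $status on $s; aborting." }
    Write-Host "$s W3SVC: $status"
}

# Step 4 guard: a consistent pre-upgrade backup requires that no ESM is still
# writing to the database, so refuse to continue if any other session is open.
$open = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT COUNT(*) AS Sessions FROM sys.dm_exec_sessions
WHERE database_id = DB_ID('$DatabaseName') AND session_id <> @@SPID;
"@
if ($open.Sessions -gt 0) { throw "$($open.Sessions) session(s) still open on $DatabaseName; aborting." }

# Step 4: full backup with checksums, then verify the backup file is restorable.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
BACKUP DATABASE [$DatabaseName] TO DISK = N'$BackupFile' WITH INIT, CHECKSUM, STATS = 10;
RESTORE VERIFYONLY FROM DISK = N'$BackupFile' WITH CHECKSUM;
"@
Write-Host "Backup written and verified: $BackupFile"
```

The script stops at the first server whose service does not reach the Stopped state, so a watchdog restarting CyveraServer (see the Notes above) shows up as a failure before any backup is taken.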

