Upgrade to Traps 4.1

The Traps™ 4.1 release comprises the Endpoint Security Manager (ESM) Server, the ESM Console, and the Traps agent. Use the following workflow to upgrade the Traps components:
  1. Plan for the upgrade.
    • Prioritize the downtime for each ESM Server according to your environment and the requirements of the agents connected to the ESM Server. Identify the ESM Servers that serve the highest number of agents and plan to stop services on those ESM Servers last and upgrade them first.
    • Ensure that you have the credentials for the user who connects to the database before you begin the upgrade.
      Hint: Windows authentication uses a domain account and SQL authentication uses a local SQL account on the database server.
    • Review the Prerequisites for Traps components and adjust your configuration to meet those prerequisites as needed.
  2. Disable service protection on all server-side agents installed on ESM Servers and ESM Consoles.
    If you are upgrading from ESM 4.0.1 or an earlier release, add a new agent settings rule for Service Protection and Disable service protection. If you are upgrading from ESM 4.0.2 or a later release, add a new agent settings rule for Agent Tampering Protection and clear the Enable Services protection option.
    After you apply the agent settings rule, verify that each Traps agent on each ESM component (server and console) receives the new rule (on the Traps console, select Policy). If needed, Check In Now to force Traps to request the latest security policy from the ESM.
  3. Stop services before upgrading the ESM Server software.
    The database can connect only to ESM components that are running the same release. To avoid conflicts during the upgrade process, ensure that services remain disabled until after you successfully upgrade all ESM components.
    If you use a third-party watchdog to monitor services, you may need to perform additional steps to ensure that the watchdog software does not attempt to restart the services.
    From the Services manager, Stop the Endpoint Security Manager service on all ESM Servers.
  4. (Multiple ESM Server deployments only) Stop services before upgrading the ESM Console software.
    This step is not required for standalone deployments with only a single ESM Server and an ESM Console.
    Stop IIS services on the server on which the ESM Console is installed:
    • Dedicated Server—If the ESM Console is the only web application running on the ESM Console server, stop the World Wide Web Publishing Service. Alternatively, you can stop the service from a command prompt by issuing the IISreset /stop command.
    • Shared Server—If you run additional web applications on your ESM Console server (not recommended), stop the ESM Application Pool service (ESMAppPool) in the Internet Information Services (IIS) Manager to avoid affecting other applications:
      1. Open the IIS Manager.
      2. Expand the server and select Application Pools.
      3. Right-click ESMAppPool and Stop the service.
  5. Back up your database.
    To preserve all data in case the installation is unsuccessful, first ensure that services are down on relevant ESM components and then back up your database.
  6. Upgrade the ESM Server.
    In a deployment with multiple ESM Servers, choose one ESM Server on which to test the upgrade. Resolve any issues encountered during the upgrade before proceeding to upgrade the ESM Console and any additional ESM Servers.
    During the upgrade of the ESM Server, the installer updates the database according to the requirements of the database version. If there is no change between the database versions, the installer does not make any changes to the database.
    1. Launch the ESM Core installer file and click Next to begin the installation.
      To troubleshoot installation issues, use Msiexec to log verbose output to a file.
    2. Enter the username and password used to connect to the database and then Verify the connection:
      • Windows authentication format: domain\username
      • SQL authentication format: sqlservername\username
    3. If the installer successfully verifies the database connection, click OK.
    4. Click Install.
    5. Click Finish.
  7. Upgrade the ESM Console.
    1. Launch the ESM Console installer file and click Next to begin the installation.
      To troubleshoot installation issues, use Msiexec to log verbose output to a file.
    2. Enter the username and password to connect to the database and then Verify the connection.
      • Windows authentication format: domain\username
      • SQL authentication format: sqlservername\username
    3. If the installer successfully verifies the database connection, click OK.
    4. Click Install.
    5. Click Finish.
    6. Restart the IIS Admin Service on the server on which the ESM Console is installed.
    7. Verify that you can log in to the ESM Console.
  8. Upgrade additional ESM Servers.
    For each additional ESM Server, verify that the services are disabled (see step 3) and then repeat step 6 to upgrade the ESM Server software.
  9. Review your Content Updates settings.
    By default, the ESM Server automatically checks for new content updates. To enable this functionality, you must enable SSL/TLS 1.2 communication between the ESM Server and the updates server (updates.paloaltonetworks.com) on port 443. If you choose to disable automated content updates, we recommend that you check the Support Site for the latest content update versions and, if a later content update is available, install it manually.
  10. Delete the service protection or agent tampering rules you configured for the ESM components earlier in this workflow.
  11. Upgrade the Traps agents.
    To upgrade the Traps agent on workstations and servers, the easiest method is to configure an action rule to upgrade the software. The ESM uploads the upgrade package to the upgrade server and automatically initiates the upgrade for any target endpoints to which the rule applies. You can also upgrade the software manually by running the MSI installer on the endpoint.
    Upgrading Traps on persistent VDI is the same as upgrading Traps on a regular endpoint; to upgrade Traps on non-persistent VDI, it is recommended to run the MSI installer from the golden image.
    Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista do not support upgrades from Traps 3.4 using one-time action rules. For all other operating systems running Traps 3.4 and for all operating systems running Traps 4.0, you can upgrade to Traps 4.1 using action rules.
    Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista endpoints
    Use GPO, SCCM, or another alternate method of deploying the Traps software.
    Mac OS, non-Windows XP/2003/2008/Vista endpoints, and persistent VDI
    1. Select Settings > Agent > Actions.
    2. Select the operating system, either Windows or macOS.
    3. Select the action menu at the top of the page and then Add an Agent Installation rule.
    4. Select Upgrade from path.
    5. (Windows only) Enter the Uninstall Password.
    6. Browse to and then Upload the Client Upgrade Package (ZIP file).
    7. (Optional) Specify any Conditions or target Objects to which the rule applies.
    8. Save and Apply the rule.
    Non-persistent VDI
    1. On the golden image, run the Traps installation file to upgrade the Traps software. Then follow the series of prompts to upgrade the agent.
    2. Mark the golden image as a VDI (see Configure the Master Policy).
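
A read-only pre-flight check for the state that steps 3, 4 and 9 require before you continue to the backup in step 5, written in PowerShell as an added example (not Palo Alto Networks code). The server names, the use of PowerShell remoting and the 60-second re-check are assumptions; the service display name, ESMAppPool and the updates host come from the steps above.

```powershell
# Added example: read-only pre-flight check for steps 3, 4 and 9.
# Run on the ESM Console server in a multi-server deployment.
# Assumed, not from the page: server names, remoting, 60-second re-check.
$EsmServers   = @('esm01.example.internal', 'esm02.example.internal')  # placeholders
$EsmService   = 'Endpoint Security Manager'     # service display name (step 3)
$UpdatesHost  = 'updates.paloaltonetworks.com'  # content updates server (step 9)
$SharedServer = $false  # $true if other web applications share this IIS

function Get-EsmServiceState {
    param([string[]]$ComputerName, [string]$DisplayName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        $svc = Get-Service -DisplayName $using:DisplayName -ErrorAction Stop
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = "$($svc.Status)" }
    }
}

function Test-Tls12 {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Offer TLS 1.2 only and validate the certificate, including revocation.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        return $ssl.IsAuthenticated
    } catch { return $false } finally { $client.Dispose() }
}

# Step 3: the service must be stopped now and still stopped a minute later;
# a change between the two passes means a watchdog restarted it.
foreach ($pass in 1, 2) {
    $running = @(Get-EsmServiceState $EsmServers $EsmService |
        Where-Object { $_.Status -ne 'Stopped' })
    if ($running) { throw "ESM service not stopped on: $($running.Server -join ', ')" }
    if ($pass -eq 1) { Start-Sleep -Seconds 60 }
}

# Step 4: W3SVC on a dedicated server, ESMAppPool on a shared one.
if ($SharedServer) {
    Import-Module WebAdministration
    $iisStopped = (Get-WebAppPoolState -Name 'ESMAppPool').Value -eq 'Stopped'
} else {
    $iisStopped = (Get-Service -Name W3SVC).Status -eq 'Stopped'
}
if (-not $iisStopped) { throw 'IIS is still serving the ESM Console.' }

# Step 9: automated content updates need TLS 1.2 to the updates server.
if (-not (Test-Tls12 $UpdatesHost)) { Write-Warning "No TLS 1.2 to ${UpdatesHost}:443" }
```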
