Prepare

Proceed only if...

Your TOS Classic, Postgres and operating system versions are supported.
You can fulfill all the sizing requirements and you understand that meeting those requirements is necessary to ensure success.

Otherwise, go back.

In this step you will:

Read and understand the prerequisites for upgrading to TOS Aurora
Run checks to confirm your TOS Classic system is ready to be upgraded to TOS Aurora
Select the target platform for your new TOS Aurora deployment.
Make sure you have all the DNS, IP and other information readily available in your worksheet or other format.

Prerequisites

Following is a summary of important requirements before you continue, and a heads-up of some actions you will need to take later.

General

You will need an administrator with a good working knowledge of Linux and network configuration.
Some commands must be preceded with tmux, see tmux Command.

Upgrade Path

This procedure supports upgrading from TOS Classic R21-3 only. If you are on an earlier release, you must first upgrade it to the latest hot fix of one of these TOS Classic releases.
If you are running operating system TufinOS 2.x (TOS Classic R20-1 and earlier), the upgrade procedure to TOS Classic R20-2 or later will include upgrading to TufinOS 3.x.

Examples:

TOS Classic R18-1 > TOS Classic R19-1 > TOS Classic R20-1 >TOS Classic R21-2 > TOS Classic R21-3> This procedure

TOS Classic R18-3 > TOS Classic R19-3 > TOS Classic R21-1 > TOS Classic R21-3 > This procedure

TOS Classic R19-3 > TOS Classic R21-1 > TOS Classic R21-3 > This procedure

TOS Classic R21-2 > This procedure

For all upgrade paths, see the Release Notes Knowledge Center

On Your TOS Classic Setup

Make sure your license is activated.
Make sure all zones are defined with a valid CIDR address range. Invalid zones will cause the upgrade to fail.
There is no need to migrate devices monitored by distribution servers or remote collectors, to the central server. This will be done automatically.
If high availability is enabled, disable it.
```
hactl uninstall
```
If you have any scripts or customizations prepared by Tufin Professional Services, these must be modified. Consult with your Tufin Professional Services representative before proceeding.
If you have scripts of any kind, save them on a an external drive / other server.

Be aware of the following:
- Calls to SecureTrack / SecureChange APIs must be changed to use the primary VIP address instead of localhost.
- After adaption, scripts that are triggered by a SecureChange workflow event, will need to run in TOS Aurora using the mediator script.
- In TOS Aurora scripts cannot access the database.
- In TOS Aurora scripts cannot make calls to TOS Classic CLI utilities / scripts.

On Your New TOS Aurora Setup

General

You must use a modern browser. Supported versions:
- Edge: 80.x and above
- Chrome: 80.x and above
- Firefox: 74.x and above
You cannot use IP Tables with TOS Aurora. In addition, all IP Tables rules will be flushed when installing.
Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.
If you have previously attempted to install TOS Aurora on your server and it did not complete successfully, make sure all data is removed from the target server and reboot before you start over - see Uninstalling.
Make sure you have accounted for sufficient CPU, disk storage and main memory to meet your sizing requirements.
Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS and the operating system.

Network

For each TOS Aurora installation (i.e. for the central cluster and every remote cluster):

You must have available the following dedicated IP addresses:
- For on-prem deployments, a primary VIP that will serve as the external IP address used to access TOS Aurora from your browser. The primary VIP will be needed in the install step.
- For cloud deployments, an external loadbalancer IP that will serve as the IP address used to access TOS Aurora from your browser. This IP will be needed when setting up the load balancer in your cloud vendor account.
- A physical network IP for CLI commands and device monitoring on the primary data node.
- An additional physical network IP for each additional server that is subsequently added as a node to the cluster.
- At least one syslog VIP. Additional syslog VIPs can be allocated as needed.
You will need to allow access to required Ports and Services.
You will need a 24-bit CIDR subnet dedicated to TOS Aurora for the Kubernetes service network. It must not overlap with:
- CIDR 10.244.0.0/16, which is already used for Kubernetes internal communication or
- The physical addresses of your TOS Aurora servers (see below) or
- Your primary VIP or external loadbalancer IP (see below) or
- Any other subnets in use. If overlapping subnets exist, this will interfere with the installation or running of TOS Aurora. If you do not know how to resolve the issue, contact Tufin support.
If a proxy is configured on your system, make sure this network is excluded.
The primary VIP, all node physical network IPs and all syslog VIPs must be on the same subnet. Syslog VIPs will be added in the configuration step.
Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

To find the first network interface, run the following command:
```
[<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
```
sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

Tufin Extensions (formerly Tufin Marketplace)

If you have any of the Tufin extensions below, backup your data by following the steps in the section 'In TOS Classic' for each one.

Download the Latest Release of TOS Aurora

Download the TOS R23-1 PHF2.1.0 installation package from the Download Center.

The downloaded files are in .tgz format <FILENAME>.tgz.

Extract the TOS run file from the archive.
```
[<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
```
sudo tar xzvf <FILENAME>.tgz
The run file name includes the release, version, and build number.

TOS file example: R23-1-pga0.0-final-4577.run
Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.
```
[<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
```
sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

Check Your Current TOS Classic System

All Target Platforms

Get root privileges.

Either use your own password,

[<ADMIN> ~]$ sudo su -

sudo su -

or use the root password (RHEL/Rocky Linux only),

[<ADMIN> ~]$ su -

su -

Perform checks to confirm that your TOS Classic system is ready to upgrade to TOS Aurora.

Check operating system version.
```
[<ADMIN> ~]# cat /etc/redhat-release 
```
cat /etc/redhat-release
If the release displayed is not supported for upgrade as specified in your sizing requirements, upgrade and return to Analyze.
Check TOS Classic version.
```
[<ADMIN> ~]# tos version
```
tos version
If the release displayed is not supported for upgrade as specified in your sizing requirements, upgrade and return to Analyze.
Check Postgres version.
```
[<ADMIN> ~]# psql -V
```
psql -V
If the version displayed is not supported for upgrade as specified in your sizing requirements, upgrade and return to Analyze..
Check your license is valid.

Select Settings > Administration > Licenses. The License window appears.

Activated:

Not Activated:

If the license is not activated, follow the instructions in Activate License.
Check you don't have an old evaluation license. Run the command:
```
[<ADMIN> ~]# psql securetrack -Upostgres -c "select count(*) from st_licenses"
```
psql securetrack -Upostgres -c "select count(*) from st_licenses
If the result returned is anything other than 1, request assistance from Tufin support to remove the evaluation license.

Select Target TOS Aurora Platform

You must make your decision about the target platform(s) for your new TOS Aurora deployment - one of the following. Take into account the platform-specific prerequisites and limitations that follow.

On the same server you are currently using for SecureTrack
On a new server
- Tufin appliance with TufinOS
- On-prem VM with TufinOS
- Azure VM with a non-Tufin Operating System
- AWS instance with a non-Tufin Operating System
- GCP instance with a non-Tufin Operating System
- On-prem physical server with a non-Tufin Operating System

Platform-Specific Prerequisites and Limitations

Same Server

The prerequisites and limitations for specific platforms that follow, apply also when upgrading on the same server.

The server time zone, hostname and NTP must be properly configured.

Check that NTP is properly configured using chronyd.
```
[<ADMIN> ~]# chronyc tracking | grep "Leap status"
```
chronyc tracking | grep "Leap status"
If leap status is "Not synchronized", configure as follows, see Configuring NTP Using Chrony
Check that the hostname and /etc/hosts are properly configured.
```
[<ADMIN> ~]# hostnamectl | grep 'hostname'
```
hostnamectl | grep 'hostname'
To change:
```
[<ADMIN> ~]# hostnamectl set-hostname <mynode>
```
hostnamectl set-hostname
Check that the server time zone is properly configured.
```
[<ADMIN> ~]# date +'%:z %Z'
```
date +'%:z %Z'
To change:
```
[<ADMIN> ~]# timedatectl set-timezone <MY-TIMEZONE>
```
timedatectl set-timezone

Tufin Appliance

TOS Aurora will only run on T-800, T-1200, T-1100, T1100XL - see Tufin Appliance Lifecycle.
T-1100 can only be used for small systems, as specified in your sizing requirements email.
High availability on a T-1100 XL requires additional configuration.
High availability cannot be employed on T-1100.
To set up TufinOS using a USB key, an empty USB flash drive with at least 32GB of space.
Make sure there are no USB storage devices attached to the appliance. It will interfere with the TufinOS installation and may corrupt data on the USB storage device.
A monitor and keyboard and/or serial connection (console)
A network cable
To set up TufinOS using the remote management module (RMM), on your client computer:
- We recommend that your computer is on the same local network as the appliance
- Make sure your Java version 8 is or later.
If the appliance is connected to a PC via a serial cable, use the following settings:
- Baud Rate: 57600
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow Control: None
- Terminal type: VT100
Download TufinOS:
1. Download the TufinOS 4.30 installation package from the Download Center.
2. Extract the run file from the archive.
```
[<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
```
  sudo tar xzvf <FILENAME>.tgz
  The run file name includes the release, version, and build number.
3. Verify the integrity of the TufinOS installation package.
```
[<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-XXXX-Final.usb.img.sha256
```
  sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-XXXX-Final.usb.img.sha256
  The output should return OK

On-Prem VM with TufinOS

Your VM must be one of the following:
- VMware ESXi 6.5, 6.7, 7.0 or 8.0 with a 64-bit compliant core
- Oracle VM VirtualBox
Download TufinOS:
1. Download the TufinOS 4.30 installation package from the Download Center.
2. Extract the run file from the archive.
```
[<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
```
  sudo tar xzvf <FILENAME>.tgz
  The run file name includes the release, version, and build number.
3. Verify the integrity of the TufinOS installation package.
```
[<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-XXXX-Final.usb.img.sha256
```
  sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-XXXX-Final.usb.img.sha256
  The output should return OK
If you are going to deploy high availability, we strongly recommend partitioning directory /var to a separate, dedicated disk. If this is not done, performance may be affected.

Azure

High availability is not supported in this release.
Remote collectors are not supported on Azure in this release.
There are some load limitations for deploying on cloud. Check with your account team that deployment on this platform is supported for your load model before going ahead.

AWS

DNS hostnames must be enabled on your VPC - see Modify the DNS attributes for your VPC (Amazon official documentation).
High availability is not supported in this release.
Remote collectors are not supported on Azure in this release.
There are some load limitations for deploying on cloud. Check with your account team that deployment on this platform is supported for your load model before going ahead.

GCP

High availability is not supported in this release.
Remote collectors are not supported on Azure in this release.
There are some load limitations for deploying on cloud. Check with your account team that deployment on this platform is supported for your load model before going ahead.

On-Prem Server / VM with Linux

Red Hat Enterprise Linux 8.6, 8.8, or 8.9
Disk(s) SSD with 7,500 IOPS and 250MB/s throughput, or higher.
If you are going to deploy high availability, we strongly recommend partitioning directory /var to a separate, dedicated disk. If this is not done, performance may be affected.

Can I Proceed?

Continue to the next step only if...

All the above prerequisites have been met and all checks have indicated that your TOS Classic system is ready to upgrade to TOS Aurora.
You have decided which target platform to use for your new TOS Aurora deployment.
You have decided to go ahead with the upgrade yourself, and not use Tufin Professional Services.

IPs and Other Essential Information

Make sure you have all the information needed, based on the above requirements, plus other system information specific to your organization, such as DNS server names, and SSL certificate details. It will be needed in subsequent steps. Make sure it is readily available in your worksheet or other format.

Rollback Plan

Make a full backup of your TOS Classic data and copy to another server or drive.

Once the backup has successfully exported to a secure external location, verify the integrity of the backup (see Verifying TOS Backups).

Central and Remote Collector Clusters

You are now going to set up your first server and install TOS Aurora on it to create your first TOS Aurora cluster, also known as the central cluster. If you are going to set up remote collectors as well, you will have come back to this point and repeat everything for each remote collector. When setting up remote collectors, ignore references to SecureChange.

Next - Set up the Target Platform

Continue with the appropriate procedure by clicking on the link below (these links are instead of a Next button at the bottom of the page).

If you have remote collectors, after completing the procedure on your central servers, repeat for each of your remote collectors.

Same Server

For the same machine you are using for TOS Classic, continue with Set Up Same Server

New Server

For a new Azure VM, continue with Set Up Azure
For a new AWS instance, continue with Set Up AWS
For a new GCP instance, continue with Set up GCP
For new Tufin appliance, continue with Set Up Appliance
For new VM with TufinOS, continue with Set Up VM
For new VM/server with Linux, continue with Set Up Linux