Upgrade TufinOS 3 to 4: New, VMWare ESXi, Central/Remote Cluster, TOS Reinstall

Overview

This procedure is for upgrading TufinOS 3 to 4 on new VMWare ESXi machines. This requires upgrading first the worker nodes and then the data node.

If you have both central and remote clusters, upgrade the central cluster first.

During the TufinOS upgrade there will be some downtime. TOS will need to be reinstalled

Is This The Right Procedure?

This procedure is ONLY for:

  • TOS R24-1

  • Single data node central clusters or remote clusters

  • Upgrades on new VMWare ESXi machines

If your TOS release is not R24-1, go to the Knowledge Center that matches your TOS version. If other requirements are not met, select a different procedure.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • If you have made a previous unsuccessful attempt to install TOS Aurora, you must uninstall and reboot before reinstalling (see Uninstalling TOS)

  • You cannot use IP Tables with TOS Aurora. In addition, all IP Tables rules will be flushed when installing.
  • Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. The resources required can be categorized by system size.

    To evaluate the size of system you need, see Sizing Calculation for a Clean Install.

  • All resources need to be dedicated to the TOS Aurora machine. Do not use shared CPU or memory and if the datastore is shared, the disk performance must meet the requirements at all times.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

  • If you are using NFS, your backup server needs to be running NFS 4.

  • If you have any external disks (for example, etcd), disconnect them. These disks should be reconnected after the TufinOS upgrade is complete.

VMware Requirements

  • Your ESX host must be running VMware ESXi 6.5, 6.7, 7.0 or 8.0 only. ESXi 8.0 requires TufinOS 4.20 or later
ESXi 6 is already EOL (end of life). ESXi 7 is planned to reach EOL in April 2025

Network Requirements

  • You must allow access to required Ports and Services.

  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with:

    • Each other

    • The physical addresses of your TOS Aurora servers (see below)

    • Your primary VIP, Syslog VIP or external load balancer IP (see below)

    • Any other subnets communicating with TOS or with TOS nodes

  • If a proxy is configured on your system make sure this network is excluded.

  • You must have available the following dedicated IP addresses:

    • For on-premise deployments, a primary VIP that will serve as the external  IP address used to access TOS Aurora from your browser. The primary VIP will not be needed in the installation of the operating system, except in the final step - the installation command.
    • The physical network IP address of the first network interface used by the administrator for CLI commands. This is the IP address you will use in most steps of the procedure.
    • If additional nodes are subsequently added to the cluster, each node will require an additional dedicated physical network IP address.

    • Additional syslog VIPs can be allocated as needed.
    • The VIP, all node physical network IP addresses and all syslog VIPs must be on the first network interface.

    • Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

      To find the first network interface, run the following command:

      [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
      sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

      Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

  • You must have a DNS server that can resolve its own address using a reverse lookup.

Downloads

  1. Download the TufinOS 4.40 installation package from the Download Center.

  2. Download the TOS R24-1 PHF4.0.0 installation package from the Download Center.

  3. The downloaded files are in .tgz format <FILENAME>.tgz.

  4. Extract the TufinOS image from its archive.

    [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
    sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS ISO file example: TufinOS-4.40-4368238-x86_64-Final.iso

  5. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
    sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256

    The output should return OK

Preliminary Preparations

  1. If you are running a multi-node cluster, get a list of your nodes.

    [<ADMIN> ~]$ sudo tos cluster node list
    sudo tos cluster node list

Install TufinOS

TufinOS on the new data nodes, and on all worker nodes.

  1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.

  2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.

  3. Edit the properties of the virtual CD/DVD drive, and do one of the following:

    Using vSphere:

    • As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.

    • Under Device Status, select Connect at power on.

    Using a workstation:

    • Under Device Status, select Connect at power on.

    • Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.

  4. Set the VM to boot to BIOS configuration

  5. In BIOS > Boot, select CD-ROM Drive.

  6. In BIOS > Exit, select Exit Saving Changes. Click Yes.

  7. Save the settings.

  8. Restart the VM. TufinOS installation begins.
  9. Select TufinOS 4.40 Installation for TOS Aurora.

  10. When prompted, select which type of node to install:

    • Install TufinOS 4.40 for Data Node.

    • Install TufinOS 4.40 for Worker Node

  11. When prompted, confirm and choose Yes.

  12. When the installation is complete, reboot the virtual machine.

  13. When BIOS launches, change the Boot option to Hard Drive.

  14. In BIOS > Exit, select Exit Saving Changes. Click Yes.

  15. Log in using the default admin user credentials:

    username: tufin-admin

    password: admin (you will be prompted to change this on first log in)

    IP address: assigned by DHCP

Set Up The Nodes

  1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.

  2. If you want to reset the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name:

    [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
    sudo hostnamectl set-hostname <mynode>
  3. Configure the server timezone:

    [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
    sudo timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

    To view a list of the time-zone formats that can be used, run:

    [<ADMIN> ~]$ sudo timedatectl list-timezones
    sudo timedatectl list-timezones
  4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

  5. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.

  6. To assign a static IP address or restore one that was used before upgrading:

    1. Run the command:

    2. [<ADMIN> ~]$ sudo nmtui edit <Interface Name>
      sudo nmtui edit <Interface Name>

      and set the following parameters in the window:

      • Set IPv4 CONFIGURATION to Manual
      • Set Addresses for the physical IP, together with the chosen subnet
      • Set Gateway and DNS Servers to the IPs used by your organization
    3. Restart the network service.
    4. [<ADMIN> ~]$ sudo systemctl restart NetworkManager.service
      sudo systemctl restart NetworkManager.service

Mount The etcd Database on The Data Node to a New Disk

The etcd database should be on a separate disk to improve the stability of TOS Aurora and reduce latency. Moving the etcd database to a separate disk ensures that the kubernetes database has access to all the resources required to ensure an optimal TOS performance.

See Move etcd - New Non-Cloud VM.

Install TOS

TOS needs to be the same version that is running on the existing servers.
  1. Run the tmux command:

    [<ADMIN> ~]$ tmux new-session -s TOS-Install
    tmux new-session -s TOS-Install
  2. On the target machine, create the directory /opt/tufin/data, if it does not exist already.

  3. Transfer the run file (already downloaded) to the /opt/tufin/data directory.

  4. Go to /opt/tufin/data

  5. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.

  6. [<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    [<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  7. Extract the TOS run file from its archive.

    [<ADMIN> ~]$ tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  8. The run file name includes the release, version, and build number.

    TOS file example: R24-1-pga0.0-final-4577.run

  9. Run the TOS Aurora run file.

    [<ADMIN> ~]$ cd /opt/misc/
    cd /opt/misc/
    [<ADMIN> ~]$ sudo sh <runfile>
    sudo sh <runfile>
  10. Run the install command, replacing the parameters:

    • <PRIMARY> - The VIP you will use to access TOS Aurora as described in Prerequisites
    • <SERVICE-CIDR> - The CIDR you want to use for the Kubernetes service network, as described in Prerequisites

    • <PODS-CIDR> Optional. The CIDR you want to use for the Kubernetes pods network, as described in Prerequisites. The default pods network is 10.244.0.0/16

    • <MODULE-TYPE> - One of the following values:

      • ST for SecureTrack only
      • ST, SC for both SecureTrack and SecureChange/SecureApp
      • RC for a remote collector
    • <LOAD> - small, medium or large, as provided by your account team, based on your sizing calculation.

    There is also an option to do a dry run, to verify the procedure in advance by going through all the stages without installing anything. To do a dry run, add the parameter --dry-run to the install command.

    [<ADMIN> ~]$ sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d
    sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d

    Examples:

    $ sudo tos install --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d

    $ sudo tos install --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d

  11. The EULA is displayed. After reading, enter q to exit the document. If you accept the EULA, enter y and wait until the command completes.

  12. You can now safely exit the CLI screen session:

    [<ADMIN> ~]# exit
    exit
  13. If the installation was for a central (main) cluster, log into TOS Aurora at https://<VIP> in your browser with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.

    If the installation was for a remote collector, connect it to the central cluster.

Add The Worker Nodes to The Cluster

Repeat these steps for each worker node.

Backup and Restore TOS Data

You are going to be backing up your TOS data on the existing data node and restoring it to the new data node.