Upgrade TufinOS 3 to 4: HA, VMWare ESXi

Overview

This procedure is for upgrading TufinOS 3 to 4 on VMWare ESXi machines in a high availability deployment. This requires upgrading first the worker nodes and then the data nodes.

If you have both central and remote clusters, upgrade the central cluster first.

During the TufinOS upgrade there will be some downtime. This procedure does not require reinstalling TOS.

Is This The Right Procedure?

This procedure is ONLY for:

TOS R24-2
Central clusters or remote clusters - If you DO NOT plan on making changes in the server configurations (For example: IP address, server timezone).
High availability deployments
Upgrades on the same VMWare ESXi machines

If your TOS release is not R24-2, go to the Knowledge Center that matches your TOS version. If other requirements are not met, select a different procedure.

Prerequisites

This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.
Ensure that each partition has at least 30% available space. No partition should exceed 70% usage.
```
[<ADMIN> ~]$ df -h | awk '$5+0 > 70 {print $0}'
```
df -h | awk '$5+0 > 70 {print $0}'
Do not proceed with the upgrade until the output returns 0 results.
For R24-2 PGA.0.0 and later, if you are using NFS your backup server needs to be running NFS 4.

From R24-2 PHF1.0.0 and later, if you are running NFS 3 on your backup server it will not work because of a security vulnerability. If you want to ignore the security vulnerability to enable NFS 3, you need to run the following commands on all TOS servers that are using TufinOS 4.20 and later:
```
systemctl unmask rpcbind.socket rpcbind.service
```
systemctl unmask rpcbind.socket rpcbind.service
```
systemctl start rpcbind.socket rpcbind.service
```
systemctl start rpcbind.socket rpcbind.service
```
systemctl enable rpcbind.socket rpcbind.service
```
systemctl enable rpcbind.socket rpcbind.service
For data nodes only. If you have not already separated the etcd database, add a second disk to the machine.
- Size: 50 GB
- Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

Downloads

Download the TufinOS 4.50 installation package from the Download Center to your local machine.
- For a VMWare ESXi machine, download the .iso image file.
Extract the TufinOS image from its archive.
```
[<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
```
sudo tar xzvf <FILENAME>.tgz
The run file name includes the release, version, build number, and type of installation.

TufinOS ISO file example: TufinOS-4.50-4368238-x86_64-Final.iso
Verify the integrity of the TufinOS installation package.
```
[<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
```
sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
The output should return OK

Preliminary Preparations

Verify that your deployment is compatible with TufinOS 4.50.
1. Check your current TufinOS version:
  cat /etc/tufinos-release
  Your TufinOS release appears in the output. If the command is not recognized, you have a non-TufinOS operating system and cannot upgrade using this procedure.
2. Review the compatibility and requirements and supported upgrade paths for TufinOS 4.50 and verify that you can perform the procedure.

Check the cluster health.

On the primary data node, check the following status.
```
[<ADMIN> ~]$ sudo systemctl status k3s
```
sudo systemctl status k3s

In the output under the line k3s.service - Aurora Kubernetes, two lines should appear - Loaded... and Active... similar to the example below. If they appear, continue with the next step, otherwise contact Tufin Support for assistance.

Example output:

[<ADMIN> ~]$ sudo systemctl status k3s
 [root@TufinOS ~]# systemctl status k3s
 Redirecting to /bin/systemctl status k3s.service
 ● k3s.service - Aurora Kubernetes
    Loaded: loaded (/etc/systemd/system/k3s.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2021-08-24 17:14:38 IDT; 1 day 18h ago
      Docs: https://k3s.io
   Process: 1241 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
   Process: 1226 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
  Main PID: 1250 (k3s-server)
     Tasks: 1042
    Memory: 2.3G

On the primary data node, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support.

Example output:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "High Availability"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 32%
  - ["node3"]
    Type: "Ha Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 11%
  - ["node2"]
    Type: "Ha Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 11%

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- [postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 54/54

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Backup your TOS data. This needs to be performed for all primary data nodes - the central cluster and remote collector clusters.
If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.
1. Create the backup using tos backup create:
2. You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.
3. Run the following command to display the list of backups saved on the node:
  [<ADMIN> ~]$ sudo tos backup list
  
  sudo tos backup list
4. Check that your backup file appears in the list, and that the status is "Completed".
5. If your backup files are saved locally:
  1. Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.
  2. Transfer the exported .gzip file to a safe, remote location.
    
    Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.
  After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:
  [Target location]$ tar tzvf <filename>
  
  tar tzvf <file name>
Remote Collector clusters. If you are currently upgrading the central cluster, make sure all the Remote Collector clusters are connected.
On the Central cluster primary data node run:
[<ADMIN> ~]$ sudo tos cluster list
sudo tos cluster list
The output shows all connected clusters.

Example output:
$ sudo tos cluster list NAME ID IP TYPE Central 1 master RC1 2 192.168.75.156 data_collector
If you are running a multi-node cluster, get a list of your nodes.
```
[<ADMIN> ~]$ sudo tos cluster node list
```
sudo tos cluster node list
Save your TufinOS Configuration (repeat this step for each node).

The upgrade erases all existing TufinOS configurations. Therefore, before you start create a list of the data you want to keep and save it outside the machine you are upgrading.

After the upgrade completion, re-configure all your backed-up data.

For more information on what to information to save, see Save Your TufinOS Configuration:

If you have any questions about the upgrade, contact the Tufin support team. Do not attempt the upgrade if you are unsure about any part of it.

Upgrade Worker Nodes

Repeat these steps for each worker node.

Remove the node from the cluster

Identify the worker node you want to remove.

If the node is in a healthy state:

On the primary data node, run:

[<ADMIN> ~]$ sudo tos cluster node remove <node>

sudo tos cluster node remove <node>

Parameters

Parameter	Description	Required/Optional
`<node>`	Hostname of the node to remove.	Required

On completion, a new command string is displayed, which you will need to run on the node you want to remove within 30 minutes. If the allocated time expires, you will need to repeat the current step.

Log in to the CLI of the node to be removed.
On the node to be removed, run the command string displayed on completion of the command above. On completion, all TOS-related directories and data will be deleted from the node, therefore make sure you run it on the correct node. Running the command on the wrong node will destroy the cluster.

All TOS-related directories will be deleted from the node.

If the node you want to remove is not in a healthy state:

On the primary data node, run:

[<ADMIN> ~]$ sudo tos cluster node remove <node> --force

sudo tos cluster node remove <node> --force

Parameters

Parameter	Description	Required/Optional
`<node>`	Hostname address of the node to remove.	Required

Verify that the node has been removed by again running sudo tos cluster node list.

Install TufinOS
1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.
2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.
3. Edit the properties of the virtual CD/DVD drive, and do one of the following:
  
  Using vSphere:
  - As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.
  - Under Device Status, select Connect at power on.
  Using a workstation:
  - Under Device Status, select Connect at power on.
  - Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.
4. Set the VM to boot to BIOS configuration
  Example using vSphere
  
  Navigate to VM settings > VM options.
  
  Check: During the next boot, force entry into the BIOS setup screen.
5. In BIOS > Boot, select CD-ROM Drive.
6. In BIOS > Exit, select Exit Saving Changes. Click Yes.
7. Save the settings.
8. Restart the VM. TufinOS installation begins.
9. Select TufinOS 4.50 Installation for TOS Aurora.
10. Select Install TufinOS 4.50 for Worker Node.
11. When prompted, confirm and choose Yes.
12. When the installation is complete, reboot the virtual machine.
13. When BIOS launches, change the Boot option to Hard Drive.
14. In BIOS > Exit, select Exit Saving Changes. Click Yes.
15. Log in using the default admin user credentials:
  
  username: tufin-admin
  
  password: admin (you will be prompted to change this on first log in)
  
  IP address: assigned by DHCP
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
2. Configure the server timezone.
  [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
  
  sudo timedatectl set-timezone <timezone>
  where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.
  
  To view a list of the time-zone formats that can be used, run:
  [<ADMIN> ~]$ sudo timedatectl list-timezones
  
  sudo timedatectl list-timezones
  Ukraine only. Since the change in timezone name from Kiev to Kyiv, not all software products have been adjusted. We therefore recommend avoiding these names and instead using an alternative city in the same timezone such as Europe/Tallinn.
3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.
4. To assign a static IP address or restore one that was used before upgrading:
  1. Run the command:
  2. Restart the network service.
5. Verify that the DNS server can resolve its own address using a reverse lookup
  Run:
  
  [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
  sudo nslookup <DNS SERVER IP>
  If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.
  Example Output
  [<ADMIN> ~]$ sudo nslookup 1.2.3.4 4.3.2.1.in-addr.arpa name=EXAMPLE.company.com
  If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.
  Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.
  [<ADMIN> ~]$ sudo cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 1.2.3.4 admin.company.com admin 2.3.4.5 5.4.3.2.in-addr-arpa
Add the worker node back to the cluster.
1. On the primary data node run:
  [<ADMIN> ~]$ sudo tos cluster node add --role=<TYPE>
  
  sudo tos cluster node add --role=<TYPE>
  where <TYPE> is worker or data, depending on the type of node you want to add.
  
  On completion, a new command string is displayed, which you will need to run on the new node within one hour. If the allocated time expires, you will need to repeat the current step.
2. Log in to the CLI of the server to be added as a new node in the cluster.
3. On the new node, run the command string displayed previously on the primary data node in step 2 above. If the allocated time has expired, you will need to start from the beginning.
4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

Check the cluster status.

On the primary data node, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support.

Example output:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "High Availability"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 32%
  - ["node3"]
    Type: "Ha Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 11%
  - ["node2"]
    Type: "Ha Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 11%

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- [postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 54/54

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Upgrade The Data Nodes

After upgrading a data node, run tos status and check if the System Status is ok and all the items listed under Components appear as ok. If this is not the case, wait for the database to sync before proceeding to upgrade the next node.

Upgrade TufinOS on one of the non-primary data-nodes.
1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.
2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.
3. Edit the properties of the virtual CD/DVD drive, and do one of the following:
  
  Using vSphere:
  - As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.
  - Under Device Status, select Connect at power on.
  Using a workstation:
  - Under Device Status, select Connect at power on.
  - Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.
4. Set the VM to boot to BIOS configuration
  Example using vSphere
  
  Navigate to VM settings > VM options.
  
  Check: During the next boot, force entry into the BIOS setup screen.
5. In BIOS > Boot, select CD-ROM Drive.
6. In BIOS > Exit, select Exit Saving Changes. Click Yes.
7. Save the settings.
8. Restart the VM. TufinOS installation begins.
9. Select TufinOS 4.50 installation for TOS Aurora.
10. Select Install TufinOS 4.50 for Data Node.
11. When prompted, confirm and choose Yes.
12. When the installation is complete, reboot the virtual machine.
13. When BIOS launches, change the Boot option to Hard Drive.
14. In BIOS > Exit, select Exit Saving Changes. Click Yes.
15. Log in using the default admin user credentials:
  
  username: tufin-admin
  
  password: admin (you will be prompted to change this on first log in)
  
  IP address: assigned by DHCP
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
2. Configure the server timezone.
  [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
  
  sudo timedatectl set-timezone <timezone>
  where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.
  
  To view a list of the time-zone formats that can be used, run:
  [<ADMIN> ~]$ sudo timedatectl list-timezones
  
  sudo timedatectl list-timezones
  Ukraine only. Since the change in timezone name from Kiev to Kyiv, not all software products have been adjusted. We therefore recommend avoiding these names and instead using an alternative city in the same timezone such as Europe/Tallinn.
3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.
4. To assign a static IP address or restore one that was used before upgrading:
  1. Run the command:
  2. Restart the network service.
5. Verify that the DNS server can resolve its own address using a reverse lookup
  Run:
  
  [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
  sudo nslookup <DNS SERVER IP>
  If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.
  Example Output
  [<ADMIN> ~]$ sudo nslookup 1.2.3.4 4.3.2.1.in-addr.arpa name=EXAMPLE.company.com
  If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.
  Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.
  [<ADMIN> ~]$ sudo cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 1.2.3.4 admin.company.com admin 2.3.4.5 5.4.3.2.in-addr-arpa
Reinstate the upgraded data node
1. On the primary data node, run:
  [<ADMIN> ~]$ sudo tos cluster node replace <source-node> --force
  
  sudo tos cluster node replace <source-node> --force
  On completion, a new command string is displayed, which you will need to run on the new node within 30 minutes. If the allocated time expires, you will need to repeat the current step.
2. Log in to the CLI of the server to be added as a new node in the cluster.
3. On the new node, run the command string displayed previously on the primary data node in the step above. If the allocated time has expired, you will need to start from the beginning.
4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

Check the cluster status.

On the primary data node, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support.

Example output:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "High Availability"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 32%
  - ["node3"]
    Type: "Ha Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 11%
  - ["node2"]
    Type: "Ha Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 11%

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- [postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 54/54

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Upgrade TufinOS on the second non-primary data-node.
1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.
2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.
3. Edit the properties of the virtual CD/DVD drive, and do one of the following:
  
  Using vSphere:
  - As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.
  - Under Device Status, select Connect at power on.
  Using a workstation:
  - Under Device Status, select Connect at power on.
  - Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.
4. Set the VM to boot to BIOS configuration
  Example using vSphere
  
  Navigate to VM settings > VM options.
  
  Check: During the next boot, force entry into the BIOS setup screen.
5. In BIOS > Boot, select CD-ROM Drive.
6. In BIOS > Exit, select Exit Saving Changes. Click Yes.
7. Save the settings.
8. Restart the VM. TufinOS installation begins.
9. Select TufinOS 4.50 installation for TOS Aurora.
10. Select Install TufinOS 4.50 for Data Node.
11. When prompted, confirm and choose Yes.
12. When the installation is complete, reboot the virtual machine.
13. When BIOS launches, change the Boot option to Hard Drive.
14. In BIOS > Exit, select Exit Saving Changes. Click Yes.
15. Log in using the default admin user credentials:
  
  username: tufin-admin
  
  password: admin (you will be prompted to change this on first log in)
  
  IP address: assigned by DHCP
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
2. Configure the server timezone.
  [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
  
  sudo timedatectl set-timezone <timezone>
  where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.
  
  To view a list of the time-zone formats that can be used, run:
  [<ADMIN> ~]$ sudo timedatectl list-timezones
  
  sudo timedatectl list-timezones
  Ukraine only. Since the change in timezone name from Kiev to Kyiv, not all software products have been adjusted. We therefore recommend avoiding these names and instead using an alternative city in the same timezone such as Europe/Tallinn.
3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.
4. To assign a static IP address or restore one that was used before upgrading:
  1. Run the command:
  2. Restart the network service.
5. Verify that the DNS server can resolve its own address using a reverse lookup
  Run:
  
  [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
  sudo nslookup <DNS SERVER IP>
  If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.
  Example Output
  [<ADMIN> ~]$ sudo nslookup 1.2.3.4 4.3.2.1.in-addr.arpa name=EXAMPLE.company.com
  If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.
  Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.
  [<ADMIN> ~]$ sudo cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 1.2.3.4 admin.company.com admin 2.3.4.5 5.4.3.2.in-addr-arpa
Reinstate the upgraded data node
1. On the primary data node, run:
  [<ADMIN> ~]$ sudo tos cluster node replace <source-node> --force
  
  sudo tos cluster node replace <source-node> --force
  On completion, a new command string is displayed, which you will need to run on the new node within 30 minutes. If the allocated time expires, you will need to repeat the current step.
2. Log in to the CLI of the server to be added as a new node in the cluster.
3. On the new node, run the command string displayed previously on the primary data node in the step above. If the allocated time has expired, you will need to start from the beginning.
4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

Check the cluster status.

On the same nodes, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Statusok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support for assistance.

Example output:

[<ADMIN> ~]$ sudo tos status
  
[Aug 23 16:34:12]  INFO Checking cluster health status
TOS Aurora
System Status: "Ok"
Cluster Status:
Status: "Ok"
Mode: "High Availability"
Nodes:
- ["User1"]
Type: "Primary"
Status: "Ok"
Disk usage:
- ["/opt"]
Status: "Ok"
Usage: 25%
- ["User2"]
Type: "Ha Data Node"
Status: "Ok"
Disk usage:
- ["/opt"]
Status: "Ok"
Usage: 7.6%
- ["User3"]
Type: "Ha Data Node"
Status: "Ok"
Disk usage:
- ["/opt"]
Status: "Ok"
Usage: 7.4%
Databases:
- ["cassandra"]
Status: "Ok"
- ["kafka"]
Status: "Ok"
- ["mongodb"]
Status: "Ok"
- ["mongodb_sc"]
Status: "Ok"
- ["ongDb"]
Status: "Ok"
- ["postgres"]
Status: "Ok"
- ["postgres_sc"]
Status: "Ok"
Backup Storage:
Location: "Local s3:http://minio.default.svc:9000/velerok8s/restic/default "
Status: "Ok"
Last compatibe healthy backup Timestamp: 2023-08-21 12:01:07 +0000 UT
Registry:
Expiration ETA: 817 days
Status: "Ok"

Set one of the upgraded nodes as the primary data node.
1. On the node you want to assume the role of primary data node:
  [Data Node]$ sudo tos cluster node set-primary
  
  sudo tos cluster node set-primary
2. Verify that the node roles are as you intended, by running sudo tos cluster node list on any data node.
3. We strongly recommend performing a one-time backup and exporting it immediately, as all prior backups are deleted from the original primary data node.
Back up your TOS data.
Backup your TOS data. This needs to be performed for all primary data nodes - the central cluster and remote collector clusters.
If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.

Create the backup using tos backup create:

[<ADMIN> ~]$ sudo tos backup create

sudo tos backup create

Example output:
[%=Local.admin-prompt% sudo tos backup create [Aug 23 16:18:42] INFO Running backup Backup status can be monitored with "tos backup status"

You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.

[<ADMIN> ~]$ sudo tos backup status

sudo tos backup status

Example output:
[<ADMIN> ~]$ sudo tos backup status Found active backup "23-august-2021-16-18"

Run the following command to display the list of backups saved on the node:

[<ADMIN> ~]$ sudo tos backup list

sudo tos backup list

Example output:
[<ADMIN> ~]$ sudo tos backup list ["23-august-2021-16-18"] Started: "2021-08-23 13:18:43 +0000 UTC" Completed: "N/A" Modules: "ST, SC" HA mode: "false" TOS release: "21.2 (PGA.0.0) Final" TOS build: "21.2.2100-210722164631509" Expiration Date: "2021-09-22 13:18:43 +0000 UTC" Status: "Completed"

Check that your backup file appears in the list, and that the status is "Completed".

If your backup files are saved locally:

Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.

Transfer the exported .gzip file to a safe, remote location.

Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.

After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:

[Target location]$ tar tzvf <filename>

tar tzvf <file name>
Upgrade TufinOS on the remaining data-node.
1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.
2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.
3. Edit the properties of the virtual CD/DVD drive, and do one of the following:
  
  Using vSphere:
  - As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.
  - Under Device Status, select Connect at power on.
  Using a workstation:
  - Under Device Status, select Connect at power on.
  - Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.
4. Set the VM to boot to BIOS configuration
  Example using vSphere
  
  Navigate to VM settings > VM options.
  
  Check: During the next boot, force entry into the BIOS setup screen.
5. In BIOS > Boot, select CD-ROM Drive.
6. In BIOS > Exit, select Exit Saving Changes. Click Yes.
7. Save the settings.
8. Restart the VM. TufinOS installation begins.
9. Select TufinOS 4.50 installation for TOS Aurora.
10. Select Install TufinOS 4.50 for Data Node.
11. When prompted, confirm and choose Yes.
12. When the installation is complete, reboot the virtual machine.
13. When BIOS launches, change the Boot option to Hard Drive.
14. In BIOS > Exit, select Exit Saving Changes. Click Yes.
15. Log in using the default admin user credentials:
  
  username: tufin-admin
  
  password: admin (you will be prompted to change this on first log in)
  
  IP address: assigned by DHCP
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
2. Configure the server timezone.
  [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
  
  sudo timedatectl set-timezone <timezone>
  where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.
  
  To view a list of the time-zone formats that can be used, run:
  [<ADMIN> ~]$ sudo timedatectl list-timezones
  
  sudo timedatectl list-timezones
  Ukraine only. Since the change in timezone name from Kiev to Kyiv, not all software products have been adjusted. We therefore recommend avoiding these names and instead using an alternative city in the same timezone such as Europe/Tallinn.
3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.
4. To assign a static IP address or restore one that was used before upgrading:
  1. Run the command:
  2. Restart the network service.
5. Verify that the DNS server can resolve its own address using a reverse lookup
  Run:
  
  [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
  sudo nslookup <DNS SERVER IP>
  If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.
  Example Output
  [<ADMIN> ~]$ sudo nslookup 1.2.3.4 4.3.2.1.in-addr.arpa name=EXAMPLE.company.com
  If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.
  Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.
  [<ADMIN> ~]$ sudo cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 1.2.3.4 admin.company.com admin 2.3.4.5 5.4.3.2.in-addr-arpa
Reinstate the upgraded data node
1. On the primary data node, run:
  [<ADMIN> ~]$ sudo tos cluster node replace <source-node> --force
  
  sudo tos cluster node replace <source-node> --force
  On completion, a new command string is displayed, which you will need to run on the new node within 30 minutes. If the allocated time expires, you will need to repeat the current step.
2. Log in to the CLI of the server to be added as a new node in the cluster.
3. On the new node, run the command string displayed previously on the primary data node in the step above. If the allocated time has expired, you will need to start from the beginning.
4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

Check the cluster status.

On the same node or nodes, check the TOS status.
```
[<ADMIN> ~]$ sudo tos status
```
sudo tos status
In the output, check if the System Statusok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support for assistance.

Example output:

[<ADMIN> ~]$ sudo tos status
  
[Aug 23 16:34:12]  INFO Checking cluster health status
TOS Aurora
System Status: "Ok"
Cluster Status:
Status: "Ok"
Mode: "High Availability"
Nodes:
- ["User1"]
Type: "Primary"
Status: "Ok"
Disk usage:
- ["/opt"]
Status: "Ok"
Usage: 25%
- ["User2"]
Type: "Ha Data Node"
Status: "Ok"
Disk usage:
- ["/opt"]
Status: "Ok"
Usage: 7.6%
- ["User3"]
Type: "Ha Data Node"
Status: "Ok"
Disk usage:
- ["/opt"]
Status: "Ok"
Usage: 7.4%
Databases:
- ["cassandra"]
Status: "Ok"
- ["kafka"]
Status: "Ok"
- ["mongodb"]
Status: "Ok"
- ["mongodb_sc"]
Status: "Ok"
- ["ongDb"]
Status: "Ok"
- ["postgres"]
Status: "Ok"
- ["postgres_sc"]
Status: "Ok"
Backup Storage:
Location: "Local s3:http://minio.default.svc:9000/velerok8s/restic/default "
Status: "Ok"
Last compatibe healthy backup Timestamp: 2023-08-21 12:01:07 +0000 UT
Registry:
Expiration ETA: 817 days
Status: "Ok"

Reinstall Tufin Extensions and PS solutions
1. Reinstall all extensions. See the Extensions Knowledge Center.
2. Reinstall all Professional Services solutions and reconfigure the cron jobs.