Upgrade TufinOS 3 to 4: In-Place, Appliance, Central/Remote Cluster, TOS Reinstall

Overview

This procedure is for upgrading TufinOS 3 to 4 on the same Gen 3.5 and Gen 4 appliances in a single data node central or remote cluster. For central clusters, this is relevant when there are changes to the server configuration. This requires upgrading first the worker nodes and then the data node.

If you have both central and remote clusters, upgrade the central cluster first.

During the TufinOS upgrade there will be some downtime. TOS will need to be reinstalled.

Is This The Right Procedure?

This procedure is ONLY for:

TOS R24-2
Single data node remote clusters
Single data node central clusters - if you plan on making changes to the server configurations (for example: IP address, server timezone)
Gen 3.5 or Gen 4 appliances
Upgrades on the same appliances

If your TOS release is not R24-2, go to the Knowledge Center that matches your TOS version. If other requirements are not met, select a different procedure.

Overview

Upgrade TufinOS 3.x to 4.40 on your existing Tufin Gen 3.5 and Gen 4 appliances.

Use this procedure

to upgrade a remote cluster

or

if there will be some change in the environment compared to your current deployment.

Do not use this procedure

to upgrade a central cluster with no change in the environment.

Use instead the procedure Upgrade TufinOS 3 to 4 In-Place Central Cluster Appliance
For high availability deployments.

Use instead the procedure Upgrade TufinOS 3 to 4 HA Appliances

Use the same procedure for all nodes in the same cluster.

If you have remote clusters, upgrade the central cluster before the remote clusters. For more information on Remote Collector clusters, see Remote Collectors.

Upgrade worker nodes before the primary data node.

During the TufinOS upgrade there will be some downtime. Installing TufinOS 4 on the node will erase all data and server configurations.

Prerequisites

General Requirements

This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.
For PGA, if you are using NFS your backup server needs to be running NFS 4. From PHF1.0.0 and later, if you are running NFS 3 on your backup server it will not work because of a security vulnerability. If you want to ignore the security vulnerability to enable NFS 3, you need to run the following commands on all TOS servers that are using TufinOS 4.20 and later:systemctl unmask rpcbind.socket rpcbind.servicesystemctl unmask rpcbind.socket rpcbind.service systemctl start rpcbind.socket rpcbind.servicesystemctl start rpcbind.socket rpcbind.service systemctl enable rpcbind.socket rpcbind.servicesystemctl enable rpcbind.socket rpcbind.service
For data nodes only. Make sure you do not have unsupported LVM Volume Groups:
```
[<ADMIN> ~]$ sudo vgdisplay --noheadings -C -o vg_name | grep -qs -v "[\t ]*VolGroup0[12]$" && echo "You cannot uppgrade."
```
sudo vgdisplay --noheadings -C -o vg_name | grep -qs -v "[\t ]*VolGroup0[12]$" && echo "You cannot uppgrade."
If the output returns "You cannot upgrade.", do not use the upgrade method in the boot menu to upgrade to TufinOS 4.40. Perform a Clean Install.

If you receive no output, proceed with the next step below.
For data nodes only. Make sure your /var/log partition is large enough:
```
[<ADMIN> ~]$ sudo lsblk | grep "MOUNTPOINT\|/var/log$"
```
sudo lsblk | grep "MOUNTPOINT\|/var/log$"
If the output returns a partition size of 400 MB or less, do not perform this upgrade procedure. Perform a Clean Install.

Tufin Appliance Requirements

Check which appliance you have:

[<ADMIN> ~]$ sudo su -
[<ADMIN> ~]# dmidecode -t chassis | grep "Version:"
Version: T800

Supported Tufin Appliances: T-800, T-1200, T-1100XL, T-1100
Older T-1100 and T-1100XL appliances with old RAID controller firmware are not supported.

TufinOS Requirements

USB installations:

For the TufinOS installation, only two USB devices should be connected to the appliance:
- USB keyboard
- TufinOS USB installation thumb drive.
Serial console installations:

If you are installing TufinOS on a gen 4 or gen 3.5 appliance via a serial cable connected to a PC, use the following settings:
- Baud Rate: 57600
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow Control: None
- Terminal type: VT100

Downloads

Download the TufinOS 4.40 installation package from the Download Center.
- For a Tufin appliance, download the usb image file.
USB installations. Create a USB key for installing TufinOS on appliances.
RMM installations. Extract the TufinOS image from its archive.
```
[<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
```
sudo tar xzvf <FILENAME>.tgz
The run file name includes the release, version, build number, and type of installation.

TufinOS USB file example: TufinOS-4.40-4368238-x86_64-Final.usb.img
RMM installations. Verify the integrity of the TufinOS installation package.
```
[<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.usb.img.sha256
```
sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.usb.img.sha256
The output should return OK

Preliminary Preparations

Verify that your deployment is compatible with TufinOS 4.40.
1. Check your current TufinOS version:
  cat /etc/tufinos-release
  Your TufinOS release appears in the output. If the command is not recognized, you have a non-TufinOS operating system and cannot upgrade using this procedure.
2. Review the compatibility and requirements and supported upgrade paths for TufinOS 4.40 and verify that you can perform the procedure.

Check the cluster health.

On the primary data node, check the following status.
```
[<ADMIN> ~]$ sudo systemctl status k3s
```
sudo systemctl status k3s

In the output under the line k3s.service - Aurora Kubernetes, two lines should appear - Loaded... and Active... similar to the example below. If they appear, continue with the next step, otherwise contact Tufin Support for assistance.

Example output:

[<ADMIN> ~]$ sudo systemctl status k3s
 [root@TufinOS ~]# systemctl status k3s
 Redirecting to /bin/systemctl status k3s.service
 ● k3s.service - Aurora Kubernetes
    Loaded: loaded (/etc/systemd/system/k3s.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2021-08-24 17:14:38 IDT; 1 day 18h ago
      Docs: https://k3s.io
   Process: 1241 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
   Process: 1226 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
  Main PID: 1250 (k3s-server)
     Tasks: 1042
    Memory: 2.3G

On the primary data node, check the TOS status.
```
[<ADMIN> ~]$ tos status
```
tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as Ok. If this is not the case, contact Tufin Support.

Example output for a central cluster data node:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Multi Node"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 19%
  - ["node3"]
    Type: "Worker Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 4%

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- ["postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 50/50

Remote Clusters
Number Of Remote Clusters: 2
  - ["RC"]
     Connectivity Status:: "OK:"
  - ["RC2"]
     Connectivity Status:: "OK"

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Example output for a remote cluster data node:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.0.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Single Node"

Nodes
  Nodes:
  - ["node2"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 19%
  
registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["mongodb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"

Application
Application Services Status OK
Running services 16/16

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Backup your TOS data. This needs to be performed for all primary data nodes - the central cluster and remote collector clusters.
If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.
1. Create the backup using tos backup create:
2. You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.
3. Run the following command to display the list of backups saved on the node:
  [<ADMIN> ~]$ sudo tos backup list
  
  sudo tos backup list
4. Check that your backup file appears in the list, and that the status is "Completed".
5. If your backup files are saved locally:
  1. Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.
  2. Transfer the exported .gzip file to a safe, remote location.
    
    Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.
  After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:
  [Target location]$ tar tzvf <filename>
  
  tar tzvf <file name>
Remote Collector clusters. If you are currently upgrading the central cluster, make sure all the Remote Collector clusters are connected.
On the Central cluster primary data node run:
[<ADMIN> ~]$ sudo tos cluster list
sudo tos cluster list
The output shows all connected clusters.

Example output:
$ sudo tos cluster list NAME ID IP TYPE Central 1 master RC1 2 192.168.75.156 data_collector
If you are running a multi-node cluster, get a list of your nodes.
```
[<ADMIN> ~]$ sudo tos cluster node list
```
sudo tos cluster node list
Save your TufinOS Configuration (repeat this step for each node).

The TOS backup does not include your TufinOS configurations. Therefore, before you start create a list of the data you want to keep and save it outside the machine you are upgrading.

After the upgrade completion, re-configure all your backed-up data before restoring TOS Aurora.

For more information on what to information to save, see Save Your TufinOS Configuration:

If you have any questions about the upgrade, contact the Tufin support team. Do not attempt the upgrade if you are unsure about any part of it.

Upgrade Worker Nodes

Repeat these steps for each worker node.

Remove the node from the cluster

Identify the worker node you want to remove.

If the node is in a healthy state:

On the primary data node, run:

[<ADMIN> ~]$ sudo tos cluster node remove <node>

sudo tos cluster node remove <node>

Parameters

Parameter	Description	Required/Optional
`<node>`	Hostname of the node to remove.	Required

On completion, a new command string is displayed, which you will need to run on the node you want to remove within 30 minutes. If the allocated time expires, you will need to repeat the current step.

Log in to the CLI of the node to be removed.
On the node to be removed, run the command string displayed on completion of the command above. On completion, all TOS-related directories and data will be deleted from the node, therefore make sure you run it on the correct node. Running the command on the wrong node will destroy the cluster.

All TOS-related directories will be deleted from the node.

If the node you want to remove is not in a healthy state:

On the primary data node, run:

[<ADMIN> ~]$ sudo tos cluster node remove <node> --force

sudo tos cluster node remove <node> --force

Parameters

Parameter	Description	Required/Optional
`<node>`	Hostname address of the node to remove.	Required

Verify that the node has been removed by again running sudo tos cluster node list.

Install TufinOS
1. USB Installation
  1. Insert the USB drive into the appliance and reboot the appliance.
  2. Select TufinOS 4.40 installation for TOS Aurora.
  3. Select one of the following options:
  4. When prompted, select Yes.
  5. When the installation is complete, reboot the appliance.
  6. When the BIOS POST starts, remove the USB thumb drive with the TufinOS installation image.
  7. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:
    
    username: tufin-admin
    
    password: admin
  8. The system requires that you change the password on the first login.
2. RMM Installation - Gen 3.5
  1. On your computer, open Configure Java > Security.
  2. Click Edit Site List and add a URL with the RMM IP address. For example:
    
    HTTPS://<rmm_ip>
  3. Open a browser, enter the RMM IP address and enter username and password to log in.
  4. On the Remote Control tab, click Launch Console, accept any warning messages until the KVM window appears.
  5. In the KVM window, go to Device > Redirect Floppy/USB Key Image, select the image file, and click Open.
  6. Select TufinOS 4.40 installation for TOS Aurora.
  7. Select one of the following options:
  8. Install 4.40 via KVM
  9. When prompted, select Yes.
  10. When the installation is complete, reboot the appliance.
  11. When the BIOS POST starts, detach the TufinOS installation image. Go to Device, and clear Redirect Floppy/USB Key Image
  12. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:
    
    username:tufin-admin
    
    password: admin
  13. The system requires that you change the password on the first login.
3. RMM Installation - Gen 4
  1. Open a browser, enter the RMM IP address and enter username and password to log in.
  2. On the System tab, in the Remote Console Preview area, click on the black area and accept any warning messages until the KVM window appears.
  3. In the KVM window go to Virtual Media > Virtual Storage. click on HD Image in Logical Drive Type and click Open Image.
  4. Select the image file, and click Open.
  5. Click Plug in > OK and confirm that the connection status is OK.
  6. Reboot the appliance.
  7. Select TufinOS 4.40 installation for TOS Aurora.
  8. Select Install 4.40 via KVM
  9. When prompted, select Yes.
  10. When the installation is complete, reboot the appliance.
  11. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:
    
    username:tufin-admin
    
    password: admin
  12. The system requires that you change the password on the first login.
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
Add the worker node back to the cluster.
1. On the primary data node run:
  [<ADMIN> ~]$ sudo tos cluster node add --role=<TYPE>
  
  sudo tos cluster node add --role=<TYPE>
  where <TYPE> is worker or data, depending on the type of node you want to add.
  
  On completion, a new command string is displayed, which you will need to run on the new node within one hour. If the allocated time expires, you will need to repeat the current step.
2. Log in to the CLI of the server to be added as a new node in the cluster.
3. On the new node, run the command string displayed previously on the primary data node in step 2 above. If the allocated time has expired, you will need to start from the beginning.
4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

Check the cluster status.

On the primary data node, check the TOS status.
```
[<ADMIN> ~]$ tos status
```
tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as Ok. If this is not the case, contact Tufin Support.

Example output for a central cluster data node:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Multi Node"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 19%
  - ["node3"]
    Type: "Worker Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 4%

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- ["postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 50/50

Remote Clusters
Number Of Remote Clusters: 2
  - ["RC"]
     Connectivity Status:: "OK:"
  - ["RC2"]
     Connectivity Status:: "OK"

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Example output for a remote cluster data node:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.0.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Single Node"

Nodes
  Nodes:
  - ["node2"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 19%
  
registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["mongodb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"

Application
Application Services Status OK
Running services 16/16

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Upgrade the Data Node

Backup your TOS data. This needs to be performed for all primary data nodes - the central cluster and remote collector clusters.
If you are going to perform this procedure over multiple maintenance periods, create a new backup each time.
1. Create the backup using tos backup create:
2. You can check the backup creation status using tos backup status, which shows the status of backups in progress. Wait until completion before continuing.
3. Run the following command to display the list of backups saved on the node:
  [<ADMIN> ~]$ sudo tos backup list
  
  sudo tos backup list
4. Check that your backup file appears in the list, and that the status is "Completed".
5. If your backup files are saved locally:
  1. Run sudo tos backup export to save your backup file from a TOS backup directory as a single .gzip file. If there are other backups present, they will be included as well.
  2. Transfer the exported .gzip file to a safe, remote location.
    
    Make sure you have the location of your backups safely documented and accessible, including credentials needed to access them, for recovery when needed.
  After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:
  [Target location]$ tar tzvf <filename>
  
  tar tzvf <file name>
Upgrade TufinOS
1. USB Upgrade
  1. Insert the USB drive into the appliance and reboot the appliance.
  2. Select TufinOS 3 Upgrade for TOS Aurora.
  3. Select one of the following options:
    
    Upgrade from TufinOS 3 to TufinOS 4.40 via KVM
    
    Upgrade from TufinOS 3 to TufinOS 4.40 via serial - The serial option is only relevant if you are connecting a serial cable to the appliance, and you have a serial console configured to connect to the appliance.
  4. When prompted, select Yes.
  5. When the installation is complete, reboot the appliance.
  6. When the BIOS POST starts, remove the USB thumb drive with the TufinOS installation image.
  7. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:
    
    username:tufin-admin
    
    password: admin
  8. The system requires that you change the password on the first login.
2. RMM Upgrade - Gen 3.5
  1. On your computer, open Configure Java > Security.
  2. Click Edit Site List and add a URL with the RMM IP address. For example:
    
    HTTPS://<rmm_ip>
  3. Open a browser, enter the RMM IP address and enter username and password to log in.
  4. On the Remote Control tab, click Launch Console, accept any warning messages until the KVM window appears.
  5. In the KVM window, go to Device > Redirect Floppy/USB Key Image, select the image file, and click Open.
  6. The TufinOS 4.40 installer launches.
  7. Select TufinOS 3 Upgrade for TOS Aurora.
  8. Select Upgrade from TufinOS 3 to TufinOS 4.40 via KVM.
  9. When prompted, select Yes.
  10. When the installation is complete, reboot the appliance.
  11. When the BIOS POST starts, detach the TufinOS installation image. Go to Device, and clear Redirect Floppy/USB Key Image
  12. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:
    
    username:tufin-admin
    
    password: admin
  13. The system requires that you change the password on the first login.
3. RMM Upgrade - Gen 4
  1. Open a browser, enter the RMM IP address and enter username and password to log in.
  2. On the System tab, in the Remote Console Preview area, click on the black area and accept any warning messages until the KVM window appears.
  3. In the KVM window go to Virtual Media > Virtual Storage. click on HD Image in Logical Drive Type and click Open Image.
  4. Select the image file, and click Open.
  5. Click Plug in > OK and confirm that the connection status is OK.
  6. Reboot the appliance.
  7. The TufinOS 4.40 installer launches.
  8. Select TufinOS 3 Upgrade for TOS Aurora.
  9. Select Upgrade from TufinOS 3 to TufinOS 4.40 via KVM.
  10. When prompted, select Yes.
  11. When the installation is complete, reboot the appliance.
  12. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:
    
    username:tufin-admin
    
    password: admin
  13. The system requires that you change the password on the first login.
Set up the node.
1. Restore the TufinOS configuration data that you saved before beginning the upgrade procedure (see Save Your TufinOS Configuration). In general we recommend that the new server configurations be similar to the old configurations.
Reinstall TOS
1. Run the tmux command:
  [<ADMIN> ~]$ tmux new-session -s TOS-Install
  
  tmux new-session -s TOS-Install
2. On the target machine, create the directory /opt/misc/, if it does not exist already.
3. Transfer the run file (already downloaded) to the /opt/misc/ directory.
4. Go to /opt/misc/
5. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.
6. Extract the TOS run file from its archive.
  [<ADMIN> ~]$ tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  
  tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
7. Run the TOS Aurora run file.
  [<ADMIN> ~]$ cd /opt/misc/
  
  cd /opt/misc/
  [<ADMIN> ~]$ sudo sh <runfile>
  
  sudo sh <runfile>
8. Run the install command, replacing the parameters:
  - <PRIMARY> - The VIP you will use to access TOS Aurora as described in Prerequisites
  - <SERVICE-CIDR> - The CIDR you want to use for the Kubernetes service network, as described in Prerequisites
  - <PODS-CIDR> Optional. The CIDR you want to use for the Kubernetes pods network, as described in Prerequisites. The default pods network is 10.244.0.0/16
  - <MODULE-TYPE> - One of the following values:
    
    ST for SecureTrack only
    
    ST, SC for both SecureTrack and SecureChange/SecureApp
    
    RC for a remote collector
  - <LOAD> - small, medium or large, as provided by your account team, based on your sizing calculation.
  There is also an option to do a dry run, to verify the procedure in advance by going through all the stages without installing anything. To do a dry run, add the parameter --dry-run to the install command.
  [<ADMIN> ~]$ sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d
  
  sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d
  Examples:
  
  $ sudo tos install --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d
  
  $ sudo tos install --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d
9. The EULA is displayed. After reading, enter q to exit the document. If you accept the EULA, enter y and wait until the command completes.
1. You can now safely exit the CLI tmux session:
  [<ADMIN> ~]# exit
  
  exit
2. If the installation was for a central (main) cluster, log into TOS Aurora at https://<VIP> in your browser with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.
  
  If the installation was for a remote collector, connect it to the central cluster.
Restore TOS
If you are restoring from external storage:
1. Connect to the external backup storage using sudo tos backup storage set. with the <LOCATION> as external.
2. Run sudo tos backup list to list all the backups and identify the one that you want to restore.
3. Run sudo tos restore specifying the desired backup. We recommend that you select the most recent backup. On completion, your data will have been restored.
If you are restoring from a backup that was saved locally and transferred to a safe, external location:
1. Copy the export file (gzip format) from the remote location to your primary data node.
2. Run sudo tos backup import, specifying the full path of the export file, to extract all the backups from the export file to the TOS backup directory.
3. Run sudo tos backup list to list all the backups and identify the one that you want to restore.
4. Run sudo tos restore specifying the desired backup. We recommend that you select the most recent backup. On completion, your data will have been restored.
Important. After you restore TOS to a different or changed production environment, such as a new appliance or VM, or an in-place machine following an operating system upgrade, you must upload the license file. If you are restoring to a lab environment, there is no need to upload the license file. TOS will be fully functional and in 'lab mode' . TOS will then automatically shut down after 30 days.

Check the cluster status.

On the primary data node, check the TOS status.
```
[<ADMIN> ~]$ tos status
```
tos status
In the output, check if the System Status is Ok and all the items listed under Components appear as Ok. If this is not the case, contact Tufin Support.

Example output for a central cluster data node:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Multi Node"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 19%
  - ["node3"]
    Type: "Worker Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 4%

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- ["postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 50/50

Remote Clusters
Number Of Remote Clusters: 2
  - ["RC"]
     Connectivity Status:: "OK:"
  - ["RC2"]
     Connectivity Status:: "OK"

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Example output for a remote cluster data node:

[<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.0.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Single Node"

Nodes
  Nodes:
  - ["node2"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 19%
  
registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["mongodb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"

Application
Application Services Status OK
Running services 16/16

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Reinstall Tufin Extensions and PS solutions
1. Reinstall all extensions. See the Extensions Knowledge Center.
2. Reinstall all Professional Services solutions and reconfigure the cron jobs.