Prisma Cloud Console is backwards compatible with up to two (n-2) major releases back (including all minor versions) for the following:

• All types of Defenders.
• Twistcli/Jenkins plugin.

When using projects, the same versions of master and tenant consoles are required.

Upgrade and Notifications

The currently installed version of the Console is displayed in the bell menu. The Console notifies you when new versions of Prisma Cloud are available, and these notifications are displayed in the top right corner of the Console.

Figure 1:  Version_PaloAltoNetworks

The versions of your deployed Defenders are listed under Manage > Defenders > Defenders: Deployed.

Figure 2:  Defenders are listed under Manage > Defenders > Defenders: Deployed_PaloAltoNetworks

Upgrade Process

The release images for Console and Defender are built from the UBI8-minimal base image, the upgrade is a full container image upgrade and the old container is replaced with a new container. You can upgrade the Console without losing any of your data or configurations because Prisma Cloud stores state information outside the container, all your rules and settings are immediately available to the upgraded Prisma Cloud containers.

Prisma Cloud state information is stored in a database in the location specified by DATA_FOLDER, which is defined in twistlock.cfg. By default, the database is located in the /var/lib/twistlock path.

The steps in the upgrade process are:

1. Upgrade Console.
   When upgrading Console, if you are on two versions previous (n-2) to the latest (n), you must first upgrade to the most recent (n-1) version, and then upgrade to the latest version.
   If you are on (n-1) version, then you can upgrade to the latest (n) version.
2. Go to Manage > Defenders > Defenders: Deployed and filter by Upgrade Required to upgrade all the listed Defenders.
   After you upgrade Console, upgrade Defenders that have reached the end of the support lifecycle.  You must first: 
1. Validate that all deployed Defenders have been upgraded.
2. Upgrade the Jenkins plugin, if required.
   To download the latest version of all other Prisma Cloud Compute components (such as the Jenkins plugin), either go to Manage > System > Utilities to download the latest versions or retrieve them using the API.

Figure 3: Go to Manage > System > Utilities to download the latest versions_PaloAltoNetworks

Upgrading Console when Using Projects

When you have one or more tenant projects, upgrade all Supervisor Consoles before upgrading the Central Console. During the upgrade process, there may be times when the supervisors appear disconnected. This is normal because supervisors are disconnected while the upgrade occurs and the central console will try to reestablish connectivity every 10 minutes. Within 10 minutes of upgrading all supervisors and the Central Console, all supervisors should appear healthy.

Except during the upgrade process, the Central Console and all Supervisor Consoles must run the same product version. Having different product versions is not supported and may lead to instability and connectivity problems.

Upgrade each Supervisor and then the Central Console using the appropriate procedure:

• Console - Onebox
• Console - Kubernetes
• Console - OpenShift
• Console - Helm
• Console - Amazon ECS

Upgrade Onebox

Upgrade Prisma Cloud Onebox. First upgrade Console. Console will then automatically upgrade all deployed Defenders for you.

If Console fails to upgrade one or more Defenders, manually upgrade your Defenders.

You must manually upgrade App-Embedded Defenders.

Upgrading Console

To upgrade Console, rerun the install script for the latest version of Prisma Cloud. Use this method for any Console that was originally installed with the twistlock.sh script.

1. Download the latest recommended release.
2. Unpack the downloaded tarball.
   Optional: you may wish to unpack the tarball to a different folder than any previous tarballs.
   $ mkdir twistlock_<VERSION> $ tar -xzf prisma_cloud_compute_edition_<VERSION>.tar.gz -C twistlock_<VERSION>/
   The setup package contains updated versions of twistlock.sh and twistlock.cfg.
3. Check the version of Prisma Cloud that will be installed:
   $ grep DOCKER_TWISTLOCK_TAG twistlock.cfg
4. Upgrade Prisma Cloud while retaining your current data and configs by using the -j option. The -j option merges your current configuration with any new configuration settings in the new version of the software.
   You must use the same install target in your upgrade as your original installation. There are two install targets: onebox and console, where onebox installs both Console and Defender onto a host and console just installs Console.
   To upgrade your onebox install, run:
   $ sudo ./twistlock.sh -syj onebox
   To upgrade your console install, run:
   $ sudo ./twistlock.sh -syj console
5. Go to Manage > Defenders > Manage and validate that Console has upgraded your Defenders.

Kubernetes

Upgrading Prisma Cloud running in your Kubernetes cluster requires the following steps.

1. Upgrade the Prisma Cloud Console. Only required for the Prisma Cloud Compute Edition (self-hosted).
2. Upgrade your Defenders deployed in your cluster.

Upgrading Console

Since Prisma Cloud objects can be specified with configuration files, we recommend declarative object management for both install and upgrade.

You should have kept good notes when initially installing Prisma Cloud. The configuration options set in twistlock.cfg and the parameters passed to twistcli in the initial install are used to generate working configurations for the upgrade.

Prerequisites: You know how you initially installed Prisma Cloud, including all options set in twistcli.cfg and parameters passed to twistcli.

1. Download the latest recommended release to the host where you manage your cluster with kubectl.
2. If you customized twistlock.cfg, port those changes forward to twistlock.cfg in the latest release. Otherwise, proceed to the next step.
3. Generate new YAML configuration file for the latest version of Prisma Cloud. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default basic install.
   $ <PLATFORM>/twistcli console export kubernetes --service-type LoadBalancer
4. Update the Prisma Cloud objects.
   $ kubectl apply -f twistlock_console.yaml
5. To confirm the upgrade, click on the bell icon to check the version.

Figure 4: Confirm current version_PaloAltoNetworks

OpenShift

Upgrade Prisma Cloud running in your OpenShift cluster.

First upgrade Console. Console will then automatically upgrade all deployed Defenders for you.

If you’ve disabled Defender auto-upgrade or if Console fails to upgrade one or more Defenders, manually upgrade your Defenders.

You must manually upgrade App-Embedded Defenders.

Upgrading Console

1. Download the latest recommended release to the host where you manage your cluster with oc.
2. If you customized twistlock.cfg, port those changes forward to twistlock.cfg in the latest release. Otherwise, proceed to the next step.
3. (Optional) If you’re storing Twistlock images in the cluster’s internal registry, pull the latest images from Twistlock’s cloud registry and push them there. Otherwise, proceed to the next step.
1. Pull the latest Prisma Cloud images using URL auth.
   $ sudo docker pull registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION> $ sudo docker pull registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/console:console_<VERSION>
2. Retag the images so that they can be pushed to your
   $ sudo docker tag \ registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION> \ docker-registry.default.svc:5000/twistlock/private:defender_<VERSION> $ sudo docker tag \ registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/console:console_<VERSION> \ docker-registry.default.svc:5000/twistlock/private:console_<VERSION>
3. Push the Prisma Cloud images to your cluster’s internal registry.
   $ sudo docker push docker-registry.default.svc:5000/twistlock/private:defender_<VERSION> $ sudo docker push docker-registry.default.svc:5000/twistlock/private:console_<VERSION>
4. Generate new YAML configuration file for the latest version of Twistlock. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default basic install.
   $ <PLATFORM>/twistcli console export openshift \ --persistent-volume-labels "app-volume=twistlock-console" \ --service-type "ClusterIP"
   If you want to pull the image from the internal registry:
   $ <PLATFORM>/twistcli console export openshift \ --persistent-volume-labels "app-volume=twistlock-console" \ --image-name "docker-registry.default.svc:5000/twistlock/private:console_<VERSION>" \ --service-type "ClusterIP"
   For other command variations, see the OpenShift 4 deployment guide.
5. Update the Twistlock objects.
   $ oc apply -f twistlock_console.yaml
6. To confirm the upgrade, click on the bell icon to check the version. (see figure 4)

Helm Charts

If you installed Prisma Cloud into your Kubernetes or OpenShift cluster with Helm charts, you can upgrade with the helm upgrade command.

First upgrade Console. Console will then automatically upgrade all deployed Defenders for you.

If you’ve disabled Defender auto-upgrade or if Console fails to upgrade one or more Defenders, manually upgrade your Defenders.

You must manually upgrade App-Embedded Defenders.

Upgrading Console

Generate an updated Helm chart for Console, and then upgrade to it.

1. Download the latest recommended release.
2. Create an updated Console Helm chart.
   $ <PLATFORM>/twistcli console export kubernetes \ --service-type LoadBalancer \ --helm
3. Install the updated chart.
   $ helm upgrade twistlock-console \ --namespace twistlock \ --recreate-pods \ ./twistlock-console-helm.tar.gz
4. To confirm the upgrade, click on the bell icon to check the version. (see figure 4)

Amazon ECS

Upgrade Prisma Cloud running on Amazon ECS.

First upgrade Console. Then, upgrade your Defenders.

When you upgrade Defenders, for any unsuccessful upgrades you can review the error messages in Manage > Defenders > Manage. And, if you’ve created an alert for Defender health events, you also receive a notification to the configured alert provider.

Upgrade Console

To upgrade Console, update the service with a new task definition that points to the latest image.

This procedure assumes you’re using images from Prisma Cloud’s registry. If you’re using your own private registry, push the latest Console image there first.

Copy the Prisma Cloud Config File Into Place

1. Download the latest recommended release to your local machine.
   $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>
2. Unpack the Prisma Cloud release tarball.
   $ mkdir twistlock $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
3. Upload the twistlock.cfg files to the host that runs Console.
   $ scp twistlock.cfg <ECS_INFRA_NODE>:/twistlock_console/var/lib/twistlock-config

Create a new revision of the task definition

1. Log into the Amazon ECS console.
2. In the left menu, click Task Definitions.
3. Check the box for the Prisma Cloud Console task definition, and click Create new revision.
4. Scroll to the bottom of the page and click Configure via JSON.
1. Update the image field to point to the latest Console image.
   For example, if you were upgrading from Prisma Cloud version 2.4.88 to 2.4.95, simply change the version string in the image tag.
   "image": "registry-auth.twistlock.com/tw_<accesstoken>/twistlock/console:console_2_4_95"
2. Click Save.
5. Click Create.

Update the Console service

1. In the left menu of the Amazon ECS console, click Clusters.
2. Click on your cluster.
3. Select the Services tab.
4. Check the box next the Console service, and click Update.
5. In Task Definition, select the version of the task definition that points to the latest Console image.
6. Validate that Cluster, Service name, and Number of tasks are correct. These values are set based on the values for the currently running task, so the defaults should be correct. The number of tasks must be 1.
7. Set Minimum healthy percent to 0.
   This lets ECS safely stop the single Console container so that it can start an updated Console container.
8. Set Maximum percent to 100.
9. Click Next.
10. In the Configure network page, accept the defaults, and click Next.
11. In the Set Auto Scaling page, accept the defaults, and click Next.
12. Click Update Service.
    It takes a few moments for the old Console service to be stopped, and for the new service to be started. Open Console, and validate that the UI shows new version number in the bottom left corner.
13. Go to Manage > Defenders > Manage and validate that Console has upgraded your Defenders.
    If Console fails to upgrade any Defender, upgrade it manually.

Upgrade the Single Container Defenders

The Console user interface lets you upgrade all Defenders in a single shot. This method minimizes the effort required to upgrade all your deployed Defenders.

Alternatively, you can select which Defenders to upgrade. Use this method when you have different maintenance windows for different deployments. For example, you might have an open window on Tuesday to upgrade thirty Defenders in your development environment, but no available window until Saturday to upgrade the remaining twenty Defenders in your production environment. In order to give you sufficient time to upgrade your environment, older versions of Defender can coexist with the latest version of Defender and the latest version of Console.

Prerequisites: You have already upgraded Console.

1. Open Console.
2. On Manage > Defender > Manage and select Defenders to see a list of all your deployed stand-alone Container Defenders.
3. Upgrade your stand-alone Defenders. You can either:
• Select Upgrade all to upgrade all Defenders at the same time.
• On Actions select Upgrade corresponding to individual Defenders to upgrade a subset of your Defenders.
  The Restart and Decommission buttons are not available for DaemonSet Defenders. They are only available for stand-alone Defenders.

Upgrade Defender DaemonSets

Upgrade the Defender DaemonSets in your environment.

Upgrade the Defender DaemonSets with Twistcli ({orchestrator-title})

Delete the Defender DaemonSet, then rerun the original install procedure.

Prerequisites: You know all the parameters passed to twistcli when you initially deployed the Defender DaemonSet. You’ll need them to recreate a working configuration file for your environment.

1. Delete the Defender DaemonSet.
   $ {orchestrator-cmd} -n twistlock delete ds twistlock-defender-ds $ {orchestrator-cmd} -n twistlock delete sa twistlock-service $ {orchestrator-cmd} -n twistlock delete secret twistlock-secrets
2. Determine the Console service’s external IP address.
   $ {orchestrator-cmd} get service -o wide -n twistlock
3. Generate a defender.yaml file. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default install.
   The following command connects to Console’s API (specified in --address) as user <ADMIN> (specified in --user), and retrieves a Defender DaemonSet YAML config file according to the configuration options passed to twistcli. In this command, there is just a single mandatory configuration option. The --cluster_address option specifies the address Defender uses to connect to Console, and the value is encoded in the DaemonSet YAML file.
• <PLATFORM> can be linux or osx.
• <ADMIN_USER> is the name of an admin user.
4. Deploy the Defender DaemonSet.
   $ {orchestrator-cmd} create -f defender.yaml
5. Open a browser, navigate to Console, then go to Manage > Defenders > Manage to see a list of deployed Defenders.

Upgrade the Defender DaemonSets with Twistcli ({orchestrator-title})

Delete the Defender DaemonSet, then rerun the original install procedure.

Prerequisites: You know all the parameters passed to twistcli when you initially deployed the Defender DaemonSet. You’ll need them to recreate a working configuration file for your environment.

1. Delete the Defender DaemonSet.
   $ {orchestrator-cmd} -n twistlock delete ds twistlock-defender-ds $ {orchestrator-cmd} -n twistlock delete sa twistlock-service $ {orchestrator-cmd} -n twistlock delete secret twistlock-secrets
2. Determine the Console service’s external IP address.
   $ {orchestrator-cmd} get service -o wide -n twistlock
3. Generate a defender.yaml file. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default install.
   The following command connects to Console’s API (specified in --address) as user <ADMIN> (specified in --user), and retrieves a Defender DaemonSet YAML config file according to the configuration options passed to twistcli. In this command, there is just a single mandatory configuration option. The --cluster_address option specifies the address Defender uses to connect to Console, and the value is encoded in the DaemonSet YAML file.
• <PLATFORM> can be linux or osx.
• <ADMIN_USER> is the name of an admin user.
4. Deploy the Defender DaemonSet.
   $ {orchestrator-cmd} create -f defender.yaml
5. Open a browser, navigate to Console, then go to Manage > Defenders > Manage to see a list of deployed Defenders.

Upgrade the Defender DaemonSets from Console

If you can’t access your cluster with kubectl or oc, then you can upgrade Defender DaemonSets directly from the Console UI.

Prerequisites: You’ve created a xref:~/authentication/credentials-store/kubernetes-credentials.adoc[kubeconfig credential] for your cluster so that Prisma Cloud can access it to upgrade the Defender DaemonSet.

1. Log into Prisma Cloud Console.
2. Go to Manage > Defenders > Manage.
3. Click DaemonSets.
4. For each cluster in the table, click Actions > Upgrade.
   The table shows a count of deployed Defenders and their new version number.

Upgrade Defender DaemonSets (Helm)

Generate an updated Helm chart for the Defender DaemonSet, and then upgrade to it.

1. Create an updated Defender DaemonSet Helm chart.
   $ ./twistcli defender export kubernetes \ --address <PATH_TO_CONSOLE> \ --user <ADMIN_USER> \ --cluster-address <REGION_CODE>.cloud.twistlock.com \ --helm
   Get the value for "--address" from "Compute > Manage > System > Utilities > Path to Console".
   The value for "--cluster-address" will be only the region, with .cloud.twistlock.com appended.
   Example command for the app4, us-west1 stack:
   ./twistcli defender export kubernetes \ --address https://us-west1.cloud.twistlock.com/us-4-xxxxxx \ --user serviceAccountUsername \ --cluster-address us-west1.cloud.twistlock.com \ --helm
   For Prisma Cloud Enterprise Edition, the user is either an access key, or a service account username.
2. Install the updated chart.
   $ helm upgrade twistlock-defender-ds \ --namespace twistlock \ --recreate-pods ./twistlock-defender-helm.tar.gz 

Reference

Upgrade Process (Self-Hosted)

Compute Releases

Declarative Configuration

https://aws.amazon.com/console/