ZPC Upgrade Guide

Follow this guide to upgrade your ZPC instance to the latest version. This guide support ZPC version 6.0 and later.

ZIRO recommends upgrading your OS against vulnerabilities every quarters. This can be done after upgrading your ZPC application although keep in mind that downtimes may occurs during the upgrade. To learn how to update your OS against the latest vulnerabilities, review the Update OS Against Latest Vulnerabilities Section at the end of this document.

WHAT YOU WILL NEED

Tools

  • FTP Client (WinSCP, FileZilla, etc)
    This will be used to move the upgrade file(s) onto the ZPC machine.

  • SSH Client (Putty, SecureCRT, etc)
    This will be used to connect to the ZPC machine via the stack8-console and perform the upgrade.

Credentials to your s8admin account

This is the account you will use to connect to the stack8-console via SSH. The default password for the s8admin account is $tacK8, unless your team changed it during the initial deployment of the ZPC OVA.

Upgrade files (links to the latest version are available from the ZIRO Customer Portal)

  • Latest version of stack8-console

  • Latest version of ZPC

DOWNLOAD UPGRADE FILES PROVIDED BY EMAIL

In order to upgrade ZPC, you will use the stack8-console built into the ZPC machine. The stack8-console also receives periodic updates and needs to be kept up to date.

The stack8-console version is visible immediately after logging into the machine.

Screen capture of the stack8-console.

Get in touch with our Support team to receive the links to the latest versions of both ZPC and the stack8-console upgrade files. Please download them to your local machine before proceeding to step 3.

CONNECT VIA SFTP TO UPLOAD FILES TO THE ZPC MACHINE (VIDEO)

 1. Open your chosen SFTP client and connect to ZPC using your s8admin credentials:

  • Username: s8admin

  • Default password: $tacK8 (this password should have been changed during the initial deployment of your ZPC machine) 

2. Navigate to the ~/deb-repo folder 

3. Upload the files to the folder

The upgrade will not be possible unless the files are uploaded to the correct folder!

CONNECT VIA SSH TO UPGRADE THE STACK8-CONSOLE (VIDEO)

 

  1. Open your chosen SSH client and connect to ZPC using your s8admin credentials:

  • Username: s8admin

  • Default password: $tacK8 (this password should have been changed during the initial deployment of your ZPC machine) 

2. Select the Install/Upgrade Applications menu item

3. Select the stack8-console file and version which matches the file you uploaded in Step “Connect via SFTP to Upload Files to the ZPC Machine”.

You will be logged out of the machine once the upgrade completes.

CONNECT VIA SSH TO UPGRADE ZPC (VIDEO)

  1. Open your chosen SSH client and connect to ZPC using your s8admin credentials:

  • Username: s8admin

  • Default password: $tacK8 (this password should have been changed during the initial deployment of your ZPC machine)  

2. Select the Install/Upgrade Applications menu item

3. Select the smacs file and version which matches the file you uploaded in Step 3.

4. You will receive the following prompt:  “Which instance of SMACS do you want to upgrade?”

  • Select the inactive side which is not yet receiving your production traffic.

The upgrade will take a few minutes.  Wait to receive confirmation that the upgrade is complete.

FLIP YOUR PRODUCTION TRAFFIC (VIDEO)

Connect to the inactive and upgraded side of your ZPC machine by using the relevant port (8443 or 8444) visible from the Routing & Traffic Flip section of the stack8-console.(i.e. zpc.mydomain.com:8443)

In the above example, sideA is still running on the old version and receiving production traffic (indicated by the green checkmark), while sideB is upgraded to the newer version but not yet receiving production traffic.  In this example, entering 172.20.34.21:8444 into your browser will bring you to the inactive side of the machine.

  1. Open your chosen SSH client and connect to ZPC using your s8admin credentials:

    1. Username: s8admin

    2. Default password: $tacK8 (this password should have been changed during the initial deployment of your ZPC machine)  

  2. Select the Routing & Traffic Flip menu item and select smacs.

  3. You will be presented the routing table and receive the following prompt: 

    1. “Would you like to flip your production traffic?” 
      Type “y” and hit ENTER key.

  4. You will receive a 2nd prompt: 

    1. “Would you like to import the LIVE side application settings to other side (i.e. configurations, audits, etc...) before performing the traffic flip?”
      Type “y” and hit ENTER key

 Now wait for the import of the configurations and traffic flip to complete. 

UPDATE OS AGAINST LATEST VULNERABILITIES

What you will need:

  • SSH Client (Putty, SecureCRT, etc)
    This will be used to connect to the ZPC machine via the stack8-console and perform the upgrade.

  • Stack8-console version 3.0.2 or newer
    Although the feature was available in earlier releases of Stack8-console, we recommend upgrading to at least version 3.0.2 to address some issues with this feature and for added quality of life improvements.

  • ZPC must be running on the new OS
    If you are not sure which version of the OS you are running, check the banner at the top of Stack8-console. The version of the OS should appear as long as you have updated the console to version 3.0.2 or newer.

  • ZPC must be able to reach Internet over port 80
    This will allow ZPC to reach Ubuntu’s file servers to download the latest patches. Failing to open port 80 to the internet during the upgrade may cause the upgrade process to fail.

How to upgrade the OS

  1. Open your chosen SSH client and connect to ZPC using your s8admin credentials:

    1. Username: s8admin

    2. Default password: $tacK8 (this password should have been changed during the initial deployment of your ZPC machine) 

  2. Select the Update OS Security Vulnerabilities menu item and type “Y” then ENTER when ready to start

  3. The server should now connect to Ubuntu’s remote download servers and update its softwares.

  4. Wait until the process is over, this could take a while (up to two hours in some rare instances)