はじめに

本稿ではSEG (Secure Email Gateway: 旧称ESA)をCLIからアップグレードする方法をご紹介します。AsyncOS 14.2.1の動作を基に執筆しています。SEGのバージョンによっては動作が異なる場合があります。

また、ここで紹介しているのはアップグレードの一例です。それぞれのお客様の要件に合わせて、ここに記載されている以外の手順で実施することができるケースもあります。

設定のバックアップ

SEGの設定ファイルをローカルにバックアップしておきます。

SEG: 設定ファイルの取得方法

注: リストア目的の設定ファイルは、パスフレーズを「マスク」せず、「暗号化」したものを取得します。パスフレーズをマスクした設定ファイルではリストアを行うことができません。

Safelists/Blocklistsの機能を利用している場合は、そちらもバックアップしておきます。

ESA Safelists/Blocklists Backup Procedure

イメージのダウンロード

本稿ではDOWNLOADオプションを選択して、イメージをあらかじめダウンロードしておき、実際のアップグレードは後ほど実施することとします。ダウンロードとインストールを続けて進める場合は、DOWNLOADINSTALLオプションを選択することも可能です。

seg.example.com> upgrade

Are you sure you want to proceed with upgrade? [N]> y

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download

Upgrades available.
1. AsyncOS 14.2.1 build 020 upgrade For Email, 2022-11-22,This release is a 
Maintenance Deployment Refresh 
2. AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This release is a 
Maintenance Deployment 
[1]> 2

Download of AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This release
is a Maintenance Deployment has started in background.

ダウンロードの進捗確認

ダウンロードの状況は、DOWNLOADSTATUSオプションで確認することができます。

seg.example.com> upgrade

Are you sure you want to proceed with upgrade? [N]> y

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- DOWNLOADSTATUS - Shows the download status
- CANCELDOWNLOAD - Cancel ongoing download(AsyncOS 14.2.2 build 004 upgrade For
Email, 2023-02-16,This release is a Maintenance Deployment).
[]> downloadstatus

Download of upgrade image (AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment) is in progress (40%
complete).

 ダウンロードが完了するとINSTALLオプションが表示されます。

seg.example.com> upgrade

Are you sure you want to proceed with upgrade? [N]> y

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This
release is a Maintenance Deployment (needs reboot).
- DELETE - Delete downloaded image(AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment).
[]>

イメージのインストール

アップグレードを実施する前にメールの受信を停止します。

seg.example.com> suspendlistener

Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. IncomingMail
3. OutgoingMail
[*]> 1

Enter the number of seconds to wait before abruptly closing connections.
[30]>　30

Waiting for listeners to exit...
Receiving suspended for IncomingMail, OutgoingMail.

workqueueのメッセージがゼロになるのを確認します。

seg.example.com> workqueue

Status as of: Mon Jul 10 03:46:15 2023 GMT
Status: Operational
Messages: 0

 INSTALLオプションを選択しインストールを開始します。INSTALLオプション実行後の表示事項はバージョンにより異なる場合がありますので、実際に表示されている内容を確認しながら進んでいきます。

seg.example.com> upgrade

Are you sure you want to proceed with upgrade? [N]> y


Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.2 build 004 upgrade For Email, 2023-02-16,This
release is a Maintenance Deployment (needs reboot).
- DELETE - Delete downloaded image(AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment).
[]> install

Current downloaded version is AsyncOS 14.2.2 build 004 upgrade For Email,
2023-02-16,This release is a Maintenance Deployment.
Do you want to install it ? [Y]> y

Would you like to save the current configuration to the configuration directory
before upgrading? [Y]> y

Would you like to email the current configuration before upgrading? [N]> n

Choose the password option:
1. Mask passwords (Files with masked passwords cannot be loaded using
loadconfig command)
2. Encrypt passwords
[1]> 2

From AsyncOS 13.0 onwards, the Next Generation portal of your appliance by
default uses AsyncOS API HTTP/HTTPS ports (6080/6443) and trailblazer HTTPS
port (4431). You can configure the HTTPS (4431) port using the
trailblazerconfig command in the CLI. Make sure that the configured HTTPS port
is opened on the firewall and ensure that your DNS server can resolve the
hostname that you specified for accessing the appliance.
Performing an upgrade may require a reboot of the system after the upgrade is
applied. You can log in to your appliance after the upgrade is done.
Do you want to proceed with the upgrade? [Y]> y

Preserving configuration ...
Finished preserving configuration
Cisco IronPort Email Security Appliance(tm) Upgrade

Note: The custom CA certificates that are expired or have an issue with basic constraints extension and CA setting are deleted after upgrade.

Finding partitions... done. 
Setting next boot partition to current partition as a precaution... done. 
Erasing new boot partition... done. 
Extracting eapp done. 
Extracting scanerroot done. 
Extracting splunkroot done. 
Extracting savroot done. 
Extracting ipasroot done. 
Extracting ecroot done. 
Removing unwanted files in nextroot done. 
Extracting distroot done. 
Removing unwanted files in nextroot done. 
Taking backup of the pre upgrade libs and bins
Configuring AsyncOS disk partitions... done. 
Configuring AsyncOS user passwords... done. 
Configuring AsyncOS network interfaces... done. 
Configuring AsyncOS timezone... done. 
Moving new directories across partitions... done. 
Syncing... done. 
Reinstalling boot blocks... done. 
Will now boot off new boot partition... done.

Upgrade complete. It will be in effect after this mandatory reboot.

Reboot takes about 20 minutes to complete. Do not interrupt power to the
appliance during this time.
Enter the number of seconds to wait before forcibly closing connections.
[30]> 30

System rebooting. Please wait while the queue is being closed...

Closing CLI connection.
Rebooting the system...

  最後に機器が再起動されてアップグレードが完了です。再起動は20分程度かかることがあります。

アップグレードの完了確認

再起動後に目的のバージョンになっていることを確認します。

seg.example.com> version

Current Version
===============
Product: Cisco C100V Secure Email Gateway Virtual
Model: C100V
Version: 14.2.2-004

問題がなければ、メールの受信を再開します。

seg.example.com> resumelistener

Choose the listener(s) you wish to resume.
Separate multiple entries with commas.
1. All
2. IncomingMail
3. OutgoingMail
[*]> 1

Receiving resumed for IncomingMail, OutgoingMail.

参考情報

エンドユーザ ガイド

リリース ノート

AsyncOS アップグレードを行う際の注意

Upgrade Email Security Appliance (ESA) with GUI or CLI

Upgrade Process for Secure Email Gateway