Masaki Yamauchi
Cisco Employee

 


Introduction


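This article describes how to upgrade an SMA (Secure Email and Web Manager) from the CLI. It is written based on the behavior of AsyncOS 13.8. Behavior may differ depending on the SMA version.

The procedure shown here is one example of an upgrade. Depending on each customer's requirements, it may be possible to carry out the upgrade with steps other than those described here.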

 

 

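Backing up the configuration

First, save the configuration on the appliance with the saveconfig command.

Note: If you mask the passphrases in a configuration file, that file can no longer be used for a restore. When you take a configuration file for restore purposes, choose "Encrypt" for the passphrases rather than "Mask".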


sma.example.com> saveconfig

Choose the passphrase option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using
loadconfig command)
2. Encrypt passphrases
[1]> 2

The file M100V-XXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYY-20230721T000000.xml has been
saved in the configuration directory on machine "sma.example.com".

 

The configuration file is saved in the configuration directory on the SMA. The saved file can be downloaded to a local machine over FTP or SCP. Here it is downloaded with SCP as an example.

% scp -O user@192.168.1.1:configuration/M100V-XXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYY-20230721T000000.xml ~/Downloads/

(user@192.168.1.1) Password: xxxxxxx
M100V-XXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYY-20230721T000000.xml 100% 438KB 22.1MB/s 00:00

 

If you use the Safelists/Blocklists feature, back that up as well.

ESA Safelists/Blocklists Backup Procedure

 


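Downloading the image


In this article, the DOWNLOAD option is selected so that the image is downloaded in advance and the actual upgrade is performed later. To run the download and the installation back to back, you can select the DOWNLOADINSTALL option instead.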

sma.example.com> upgrade

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download

Upgrades available.
1. AsyncOS 13.8.1 build 110 upgrade For Management, 2023-06-11 is a release
available as Maintenance Deployment.
2. AsyncOS 14.2.0 build 224 upgrade For Management, 2022-12-12 is a release
available as Maintenance Deployment.
[2]> 2

Download of AsyncOS 14.2.0 build 224 upgrade For Management, 2022-12-12 is a
release available as Maintenance Deployment. has started in background.

 

 

Checking download progress

 

The download status can be checked with the DOWNLOADSTATUS option.


sma.example.com> upgrade

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- DOWNLOADSTATUS - Shows the download status
- CANCELDOWNLOAD - Cancel ongoing download(AsyncOS 14.2.0 build 224 upgrade For
Management, 2022-12-12 is a release available as Maintenance Deployment.).
[]> downloadstatus

Download of upgrade image (AsyncOS 14.2.0 build 224 upgrade For Management,
2022-12-12 is a release available as Maintenance Deployment.) is in progress
(56% complete).

 

Once the download is complete, the INSTALL option is displayed.

sma.example.com> upgrade

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.0 build 224 upgrade For Management, 2022-12-12 is a
release available as Maintenance Deployment. (needs reboot).
- DELETE - Delete downloaded image(AsyncOS 14.2.0 build 224 upgrade For
Management, 2022-12-12 is a release available as Maintenance Deployment.).

 

 

Installing the image


If you use the spam quarantine or the policy quarantine, temporarily suspend message reception.

sma.example.com> suspendlistener

Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. cpq_listener
3. euq_listener
[*]> 1

Enter the number of seconds to wait before abruptly closing connections.
[30]> 30

Waiting for listeners to exit...
Receiving suspended for cpq_listener, euq_listener.

 

Start the installation by selecting the INSTALL option. What is displayed after running INSTALL may differ between versions, so proceed while checking what is actually shown on screen.

sma.example.com> upgrade

Choose the operation you want to perform:
- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.0 build 224 upgrade For Management, 2022-12-12 is a
release available as Maintenance Deployment. (needs reboot).
- DELETE - Delete downloaded image(AsyncOS 14.2.0 build 224 upgrade For
Management, 2022-12-12 is a release available as Maintenance Deployment.).
[]> install

Current downloaded version is AsyncOS 14.2.0 build 224 upgrade For Management,
2022-12-12 is a release available as Maintenance Deployment..
Do you want to install it ? [Y]> y

Would you like to save the current configuration to the configuration directory
before upgrading? [Y]> y

Would you like to email the current configuration before upgrading? [N]> n

Choose the password option:
1. Mask passwords (Files with masked passwords cannot be loaded using
loadconfig command)
2. Encrypt passwords
[1]> 2

After you upgrade to AsyncOS 11.0 or later, the appliance generates a unique
certificate. The existing demo certificate is replaced with the new
certificate. However this does not apply for AsynOS 11.4.If it fails to
generate the unique certificate,the demo certificate will be used.
Since version 12.0, the Next Generation portal of your appliance by default
uses AsyncOS API HTTP/HTTPS ports (6080/6443) and trailblazer HTTPS port
(4431). You can configure the HTTPS (4431) port using the trailblazerconfig
command in the CLI. Make sure that the configured HTTPS port is opened on the
firewall and ensure that your DNS server can resolve the hostname that you
specified for accessing the appliance.
Performing an upgrade may require a reboot of the system after the upgrade is
applied. You may log in again after this is done.
Do you wish to proceed with the upgrade? [Y]> y

Removed lock
Preserving configuration ...
Finished preserving configuration
Cisco Security Management(tm) Appliance Upgrade

The old system CA certificate bundle is moved to the following directory path - /data/pub/systemca.old/

Do you want to append the current system CA certificate bundle to the custom CA certificate bundle? [Y]> y

Finding partitions... done.
Setting next boot partition to current partition as a precaution... done.
Erasing new boot partition... done.
Erasing new boot partition... done.
Extracting scanerroot done.
Extracting splunkroot done.
Extracting distroot done.
Taking backup of the pre upgrade libs and bins
Configuring AsyncOS disk partitions... done.
Configuring AsyncOS user passwords... done.
Configuring AsyncOS network interfaces... done.
Configuring AsyncOS timezone... done.
Moving new directories across partitions... done.
Syncing... done.
da0 done.
Will now boot off new boot partition... done.

Note: The custom CA certificates that are expired or have an issue with basic constraints extension and CA setting are deleted after upgrade.

Upgrade complete. It will be in effect after this mandatory reboot.

After you upgrade to AsyncOS 11.5 or later, the appliance generates a unique certificate. The existing demo certificate is replaced with the new certificate. If it fails to generate the unique certificate, the demo certificate will be used.
After you upgrade to AsyncOS 13.8 and later, TLS v1.0 is disabled by default. It can be enabled if neccessary
After an upgrade, the appliance disables HTTP for spam quarantine if HTTPS is already enabled.
Reboot takes about 20 minutes to complete. Do not interrupt power to the
appliance during this time.
Enter the number of seconds to wait before forcibly closing connections.
[30]> 30

System rebooting. Please wait while the queue is being closed...

Closing CLI connection.
Rebooting the system...

Finally, the appliance reboots and the upgrade is complete. The reboot can take about 20 minutes.

 

 

Verifying that the upgrade completed


After the reboot, confirm that the appliance is running the intended version.

sma.example.com> version

Current Version
===============
Product: Cisco M100V Content Security Virtual Management Appliance
Model: M100V
Version: 14.2.0-224

 

If you suspended the listeners earlier, resume them.

sma.example.com> resumelistener

Choose the listener(s) you wish to resume.
Separate multiple entries with commas.
1. All
2. cpq_listener
3. euq_listener
[*]> 1

Receiving resumed for cpq_listener, euq_listener.
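
The download-status and version checks above can be run against captured CLI text. The following is an added example, not Cisco code: the function names are hypothetical, the samples are copied from the output shown in this article, and how the text is captured from the session is left to the operator.

```python
import re

# Constructed samples, copied from the CLI output shown in this article.
DOWNLOADING = """Download of upgrade image (AsyncOS 14.2.0 build 224 upgrade For Management,
2022-12-12 is a release available as Maintenance Deployment.) is in progress
(56% complete).
"""
READY = """- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
- INSTALL - AsyncOS 14.2.0 build 224 upgrade For Management, 2022-12-12 is a
release available as Maintenance Deployment. (needs reboot).
"""
VERSION = """Product: Cisco M100V Content Security Virtual Management Appliance
Model: M100V
Version: 14.2.0-224
"""

def flatten(text):
    # The CLI wraps long lines, so a phrase can straddle a line break.
    return re.sub(r"\s+", " ", text)

def upgrade_state(upgrade_output):
    """Classify captured `upgrade` output as (state, detail). Hypothetical helper."""
    flat = flatten(upgrade_output)
    m = re.search(r"is in progress \((\d+)% complete\)", flat)
    if m:
        return ("downloading", int(m.group(1)))
    # "- INSTALL -" does not match the "- DOWNLOADINSTALL -" menu entry.
    m = re.search(r"- INSTALL - AsyncOS (\d+\.\d+\.\d+) build (\d+)", flat)
    if m:
        # The menu says "14.2.0 build 224"; `version` prints "14.2.0-224".
        return ("ready_to_install", f"{m.group(1)}-{m.group(2)}")
    return ("no_image", None)

def running_version(version_output):
    """Return the 'Version:' value from captured `version` output, or None."""
    m = re.search(r"^Version:\s*(\S+)", version_output, re.MULTILINE)
    return m.group(1) if m else None

def upgrade_verified(pre_install_menu, post_reboot_version):
    """True only if the running build equals the image that was staged."""
    state, target = upgrade_state(pre_install_menu)
    return state == "ready_to_install" and running_version(post_reboot_version) == target

if __name__ == "__main__":
    print(upgrade_state(DOWNLOADING), upgrade_state(READY))
    print(upgrade_verified(READY, VERSION))
```
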

 

 

References


End User Guide

Release Notes

Notes on performing an AsyncOS upgrade
