Upgrade SGOS on AWS

Article ID: 176303

Products

ProxySG Software - SGOS

Issue/Introduction

Before upgrading your Edge SWG (formerly ProxySG) virtual appliance (VA) on AWS, review the following information.

Resolution

Upgrade Instructions

The following table outlines the pros and cons for the two upgrade methods.

Method: Load/Upgrade
  Pros:
  • Maintain the current state (such as policy, settings, and so on) of your Edge SWG VA.
  • Use the existing instance.
  • Use builds from Symantec’s software download portal.
  Cons:
  • If your VA is servicing traffic in production, traffic will be disrupted.

Method: Create/Destroy
  Pros:
  • Test software you are considering upgrading to without interrupting traffic going to the Edge SWG instance you’re currently using.
  • Get the latest version of the AMI from the AWS Marketplace listing.
  • Update/change the license/serial number of the VA.
  Cons:
  • It may be necessary to update networking constructs (such as AWS route tables) to forward traffic to the new instance.
  • You will have two instances running for a short duration until you cut traffic to the new instance.

If you are upgrading to a version of SGOS that changes the major version (for example, upgrading from 6.7.5.x to 7.3.x), use the Create/Destroy method.

All initial or new deployments should be created using the latest AMI from the AWS Marketplace listing. Using the latest AMI ensures that your VA is running on a supported instance type and has the correct networking enabled (SR-IOV). For upgrades after the initial deployment, you can download a build from the Broadcom Support portal.

Note: If you did not originally download the Edge SWG VA from AWS Marketplace, you should use the Create/Destroy method to upgrade.

Load/Upgrade Method

The Load/Upgrade method is the same method used to upgrade physical Edge SWG appliances, and it also applies to Edge SWG VAs running on AWS. After performing the upgrade and confirming that it was successful, delete the previous version of SGOS from the installed system images. Deleting the previous version prevents an unintentional downgrade if a boot failure occurs.

To perform the Load/Upgrade method:

  1. Download the BCSI from the Broadcom Support portal.
    Note: For initial or new deployments, launch the AMI from the AWS Marketplace.
  2. In the CLI, load the BCSI onto the VA:
    # (config) upgrade-path "http://xxx.xxx.xxx.xxx/path/to/file.bcsi"
  3. Load the upgrade:
    # load upgrade
  4. Restart the VA:
    # restart upgrade
  5. Delete the previous build:
    # (config) installed-systems
    # (config installed-systems) delete 2

For more information, see the following KB article: Upgrade or Downgrade Edge SWG (ProxySG) or Advanced Secure Gateway using the Command Line Interface

Create/Destroy Method

In this method, you create a new Edge SWG instance and load your configuration and policy into it. To upgrade using this method:

  1. In AWS, create a new Edge SWG instance that is running the version of SGOS you want to upgrade to.
  2. Log in to the instance and complete the initial configuration, serial, and licensing information.
  3. Export the configuration from the Edge SWG instance that you want to upgrade and import it into your new Edge SWG instance. See the following KB articles:
  4. Update the necessary databases (such as BCIS) for your instance.
  5. Confirm that your new instance is configured and has the correct policy.
  6. Route client traffic to your new instance.
  7. Destroy your old instance.
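
Steps 6 and 7 as an added planning check (not code from Broadcom or this article): assuming client traffic reaches the VA through AWS route-table entries that target its network interface, this Python script reads saved `aws ec2 describe-route-tables` output, builds the `aws ec2 replace-route` commands that repoint those entries, and reports whether any route still targets the old instance before you destroy it. All IDs and the sample data are constructed placeholders.

```python
import json
import shlex

# Constructed sample shaped like `aws ec2 describe-route-tables` output; IDs are placeholders.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0old", "State": "active"}]},
  {"RouteTableId": "rtb-0bbb", "Routes": [
    {"DestinationIpv6CidrBlock": "::/0", "NetworkInterfaceId": "eni-0old", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0new", "State": "active"}]}
]}
""")

# describe-route-tables key -> matching `aws ec2 replace-route` option
DEST_FLAGS = {
    "DestinationCidrBlock": "--destination-cidr-block",
    "DestinationIpv6CidrBlock": "--destination-ipv6-cidr-block",
    "DestinationPrefixListId": "--destination-prefix-list-id",
}

def routes_via(tables, eni):
    """Return (route_table_id, flag, destination) for every route targeting eni."""
    found = []
    for table in tables["RouteTables"]:
        for route in table.get("Routes", []):
            if route.get("NetworkInterfaceId") != eni:
                continue
            for key, flag in DEST_FLAGS.items():
                if key in route:
                    found.append((table["RouteTableId"], flag, route[key]))
    return found

def plan_cutover(tables, old_eni, new_eni):
    """Build one replace-route command per route that still points at the old VA."""
    return [
        shlex.join(["aws", "ec2", "replace-route", "--route-table-id", rtb,
                    flag, dest, "--network-interface-id", new_eni])
        for rtb, flag, dest in routes_via(tables, old_eni)
    ]

def safe_to_destroy(tables, old_eni):
    """Step 7 gate: true only when no route table still forwards to the old VA."""
    return not routes_via(tables, old_eni)

if __name__ == "__main__":
    for cmd in plan_cutover(SAMPLE, "eni-0old", "eni-0new"):
        print(cmd)
```

Re-run `describe-route-tables` after applying the commands and pass the fresh output to `safe_to_destroy` before terminating the old instance.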