Skip to content

Upgrading Wallarm Native Node with All-in-One Installer

These instructions describe the steps to upgrade the Native Node installed using all-in-one installer.

View all-in-one installer releases

Requirements

  • Linux OS.

  • x86_64/ARM64 architecture.

  • Executing all commands as a superuser (e.g. root).

  • Outbound access to:

    • https://meganode.wallarm.com to download the Wallarm installer
    • https://us1.api.wallarm.com or https://api.wallarm.com for US/EU Wallarm Cloud

    • IP addresses and their corresponding hostnames (if any) listed below. This is needed for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

      node-data0.us1.wallarm.com - 34.96.64.17
node-data1.us1.wallarm.com - 34.110.183.149
us1.api.wallarm.com - 35.235.66.155
34.102.90.100
34.94.156.115
35.235.115.105

      node-data1.eu1.wallarm.com - 34.160.38.183
node-data0.eu1.wallarm.com - 34.144.227.90
api.wallarm.com - 34.90.110.226

  • In addition to the above, you should have the Administrator role assigned in Wallarm Console.

1. Download the new installer version

Download the latest installer version on the machine where your current Native Node is running:

curl -O https://meganode.wallarm.com/native/aio-native-0.13.7.x86_64.sh
chmod +x aio-native-0.13.7.x86_64.sh

curl -O https://meganode.wallarm.com/native/aio-native-0.13.7.aarch64.sh
chmod +x aio-native-0.13.7.aarch64.sh

2. Run the new installer

Run the new installer as shown below. It will stop the currently running Wallarm services and then automatically start the services of the new version.

You can reuse the previously generated API token for the Deploy role and the node group name.

For the configuration file, you can reuse the one used during the initial installation. Only add new parameters or modify existing ones if necessary - see the supported configuration options.

The connector-server mode is used when you deployed the self-hosted node with MuleSoft Mule Gateway, CloudFront, Cloudflare, Broadcom Layer7 API Gateway, Fastly, IBM DataPower connector.

If upgrading from Node version 0.12.x or lower

If upgrading from Node version 0.12.x or lower, ensure that the version value is updated in the initial configuration file (wallarm-node-conf.yaml, as per the default installation instructions) and that the section tarantool_exporter is renamed to postanalytics_exporter (if explicitly specified):

-version: 2
+version: 4

-tarantool_exporter:
+postanalytics_exporter:
  address: 127.0.0.1:3313
  enabled: true

For the x86_64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.x86_64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com --preserve false

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.x86_64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com --preserve false

For the ARM64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.aarch64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com --preserve false

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.aarch64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com --preserve false

The tcp-capture mode is used when you deployed the self-hosted node for TCP traffic analysis.

If upgrading from Node version 0.12.1 or lower

If upgrading from the Node version 0.12.0 or lower, ensure that the version value is updated in the initial configuration file (wallarm-node-conf.yaml, as per the default installation instructions) and that parameters previously set in the middleware section are moved to the goreplay section:

-version: 2
+version: 4

-middleware:
+goreplay:
  parse_responses: true
  response_timeout: 5s
  url_normalize: true

The upgrade command for the x86_64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.x86_64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com --preserve false

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.x86_64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com --preserve false

The upgrade command for the ARM64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.aarch64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com --preserve false

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.aarch64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com --preserve false

The envoy-external-filter mode is used for gRPC-based external processing filter for APIs managed by Istio.

The upgrade command for the x86_64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.x86_64.sh -- --batch --token <API_TOKEN> --mode=envoy-external-filter --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com --preserve false

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.x86_64.sh -- --batch --token <API_TOKEN> --mode=envoy-external-filter --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com --preserve false

The upgrade command for the ARM64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.aarch64.sh -- --batch --token <API_TOKEN> --mode=envoy-external-filter --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com --preserve false

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.13.7.aarch64.sh -- --batch --token <API_TOKEN> --mode=envoy-external-filter --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com --preserve false

  • The WALLARM_LABELS variable sets group into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI).

  • <API_TOKEN> specifies the generated API token for the Deploy role.

  • <PATH_TO_CONFIG> specifies the path to the configuration file.

Your current /opt/wallarm/etc/wallarm/go-node.yaml, /opt/wallarm/etc/wallarm/node.yaml and log files will be backed up to the directory /opt/wallarm/aio-backups/<timestamp>.

3. Verify the upgrade

To verify that the node is functioning correctly:

  1. Check the logs for any errors:

    • Logs are written to /opt/wallarm/var/log/wallarm/go-node.log by default. You can read them there.
    • Standard logs of the filtering node such as whether the data is sent to the Wallarm Cloud, detected attacks, etc. are located in the directory /opt/wallarm/var/log/wallarm.

  2. Send the request with test Path Traversal attack to a protected resource address:

    curl http://localhost/etc/passwd

    If traffic is configured to be proxied to example.com, include the -H "Host: example.com" header in the request.

  3. Verify that the upgraded node operates as expected compared to the previous version.

If you encounter a problem

If there is a problem with the upgrade or reinstallation process:

  1. Remove the current installation:

    sudo systemctl stop wallarm && sudo rm -rf /opt/wallarm

  2. Reinstall the node as usual for TCP traffic analysis or the MuleSoft Mule Gateway, CloudFront, Cloudflare, Broadcom Layer7 API Gateway, Fastly or IBM DataPower connectors.

    Or follow the upgrade procedure described above.