Upgrading Wallarm node with All-in-One Installer¶
These instructions describe the steps to upgrade the Wallarm node 4.x installed using all-in-one installer to version 4.10.
Requirements¶
-
Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud.
-
Access to
https://meganode.wallarm.comto download all-in-one Wallarm installer. Ensure the access is not blocked by a firewall. -
Access to
https://us1.api.wallarm.comfor working with US Wallarm Cloud or tohttps://api.wallarm.comfor working with EU Wallarm Cloud. If access can be configured only via the proxy server, then use the instructions. -
Executing all commands as a superuser (e.g.
root).
Upgrade procedure¶
The upgrade procedure differs depending on how filtering node and postanalytics modules are installed:
-
On the same server: modules are upgraded altogether
-
On different servers: first upgrade the postanalytics module and then the filtering module
Filtering node and postanalytics on the same server¶
Use the procedure below to upgrade altogether the filtering node and postanalytics modules installed using all-in-one installer on the same server.
Step 1: Prepare Wallarm token¶
To upgrade node, you will need a Wallarm token of one of the types. To prepare a token:
Step 2: Download newest version of all-in-one Wallarm installer¶
Wallarm suggests all-in-one installations for the following processors:
-
x86_64
-
ARM64 (beta)
To download all-in-one Wallarm installation script, execute the command:
Step 3: Run all-in-one Wallarm installer¶
Run the downloaded script:
-
<GROUP>sets a group name into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). Only applied if using an API token. -
<TOKEN>is the copied token value. -
<CLOUD>is the Wallarm Cloud to register the new node in. Can be eitherUSorEU.
Step 4: Restart NGINX¶
Restart NGINX using the following command:
Step 5: Test Wallarm node operation¶
To test the new node operation:
-
Send the request with test Path Traversal attack to a protected resource address:
-
Open the Wallarm Console → Attacks section in the US Cloud or EU Cloud and ensure attacks are displayed in the list.
-
As soon as your Cloud stored data (rules, IP lists) is synchronized to the new node, perform some test attacks to make sure your rules work as expected.
Filtering node and postanalytics on different servers¶
Sequence of steps to upgrade the filtering node and postanalytics modules
If the filtering node and postanalytics modules are installed on different servers, then it is required to upgrade the postanalytics packages before updating the filtering node packages.
Step 1: Prepare Wallarm token¶
To upgrade node, you will need a Wallarm token of one of the types. To prepare a token:
Step 2: Download newest version of all-in-one Wallarm installer to postanalytics machine¶
This step is performed on the postanalytics machine.
Wallarm suggests all-in-one installations for the following processors:
-
x86_64
-
ARM64 (beta)
To download all-in-one Wallarm installation script, execute the command:
Step 3: Run all-in-one Wallarm installer to upgrade postanalytics¶
This step is performed on the postanalytics machine.
# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.5.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f postanalytics
# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.5.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f postanalytics
-
<GROUP>sets a group name into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). Only applied if using an API token. -
<TOKEN>is the copied token value. -
<CLOUD>is the Wallarm Cloud to register the new node in. Can be eitherUSorEU.
Step 4: Download newest version of all-in-one Wallarm installer to filtering node machine¶
This step is performed on the filtering node machine.
Wallarm suggests all-in-one installations for the following processors:
-
x86_64
-
ARM64 (beta)
To download all-in-one Wallarm installation script, execute the command:
Step 5: Run all-in-one Wallarm installer to upgrade filtering node¶
This step is performed on the filtering node machine.
# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.5.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f filtering
# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.5.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f filtering
-
<GROUP>sets a group name into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). Only applied if using an API token. -
<TOKEN>is the copied token value. -
<CLOUD>is the Wallarm Cloud to register the new node in. Can be eitherUSorEU.
Step 6: Check the filtering node and separate postanalytics modules interaction¶
To check the NGINX‑Wallarm and separate postanalytics modules interaction, you can send the request with test attack to the address of the protected application:
If the NGINX‑Wallarm and separate postanalytics modules are configured properly, the attack will be uploaded to the Wallarm Cloud and displayed in the Attacks section of Wallarm Console:
If the attack was not uploaded to the Cloud, please check that there are no errors in the services operation:
-
Analyze the postanalytics module logs
If there is the record like
SystemError binary: failed to bind: Cannot assign requested address, make sure that the server accepts connection on specified address and port. -
On the server with the NGINX‑Wallarm module, analyze the NGINX logs:
If there is the record like
[error] wallarm: <address> connect() failed, make sure that the address of separate postanalytics module is specified correctly in the NGINX‑Wallarm module configuration files and separate postanalytics server accepts connection on specified address and port. -
On the server with the NGINX‑Wallarm module, get the statistics on processed requests using the command below and make sure that the value of
tnt_errorsis 0Description of all parameters returned by the statistics service →