Skip to content

Upgrading Wallarm node with All-in-One Installer

These instructions describe the steps to upgrade the Wallarm node 4.x installed using all-in-one installer to version 4.10.

Requirements

  • Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud.

  • Access to https://meganode.wallarm.com to download all-in-one Wallarm installer. Ensure the access is not blocked by a firewall.

  • Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud. If access can be configured only via the proxy server, then use the instructions.

  • Executing all commands as a superuser (e.g. root).

Upgrade procedure

The upgrade procedure differs depending on how filtering node and postanalytics modules are installed:

Filtering node and postanalytics on the same server

Use the procedure below to upgrade altogether the filtering node and postanalytics modules installed using all-in-one installer on the same server.

Step 1: Prepare Wallarm token

To upgrade node, you will need a Wallarm token of one of the types. To prepare a token:

  1. Open Wallarm Console → SettingsAPI tokens in the US Cloud or EU Cloud.
  2. Find or create API token with the Deploy source role.
  3. Copy this token.

For upgrade, use the same node token that was used for installation:

  1. Open Wallarm Console → Nodes in the US Cloud or EU Cloud.
  2. In your existing node group, copy token using node's menu → Copy token.

Step 2: Download newest version of all-in-one Wallarm installer

Wallarm suggests all-in-one installations for the following processors:

  • x86_64

  • ARM64 (beta)

To download all-in-one Wallarm installation script, execute the command:

curl -O https://meganode.wallarm.com/4.10/wallarm-4.10.1.x86_64-glibc.sh
curl -O https://meganode.wallarm.com/4.10/wallarm-4.10.1.aarch64-glibc.sh

Step 3: Run all-in-one Wallarm installer

Run the downloaded script:

# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f
# If using the x86_64 version:
sudo sh wallarm-4.10.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f

# If using the ARM64 version:
sudo sh wallarm-4.10.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f
  • <GROUP> sets a group name into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). Only applied if using an API token.

  • <TOKEN> is the copied token value.

  • <CLOUD> is the Wallarm Cloud to register the new node in. Can be either US or EU.

Step 4: Restart NGINX

Restart NGINX using the following command:

sudo systemctl restart nginx

Step 5: Test Wallarm node operation

To test the new node operation:

  1. Send the request with test Path Traversal attack to a protected resource address:

    curl http://localhost/etc/passwd
    
  2. Open the Wallarm Console → Attacks section in the US Cloud or EU Cloud and ensure attacks are displayed in the list.

  3. As soon as your Cloud stored data (rules, IP lists) is synchronized to the new node, perform some test attacks to make sure your rules work as expected.

Filtering node and postanalytics on different servers

Sequence of steps to upgrade the filtering node and postanalytics modules

If the filtering node and postanalytics modules are installed on different servers, then it is required to upgrade the postanalytics packages before updating the filtering node packages.

Step 1: Prepare Wallarm token

To upgrade node, you will need a Wallarm token of one of the types. To prepare a token:

  1. Open Wallarm Console → SettingsAPI tokens in the US Cloud or EU Cloud.
  2. Find or create API token with the Deploy source role.
  3. Copy this token.

For upgrade, use the same node token that was used for installation:

  1. Open Wallarm Console → Nodes in the US Cloud or EU Cloud.
  2. In your existing node group, copy token using node's menu → Copy token.

Step 2: Download newest version of all-in-one Wallarm installer to postanalytics machine

This step is performed on the postanalytics machine.

Wallarm suggests all-in-one installations for the following processors:

  • x86_64

  • ARM64 (beta)

To download all-in-one Wallarm installation script, execute the command:

curl -O https://meganode.wallarm.com/4.10/wallarm-4.10.1.x86_64-glibc.sh
curl -O https://meganode.wallarm.com/4.10/wallarm-4.10.1.aarch64-glibc.sh

Step 3: Run all-in-one Wallarm installer to upgrade postanalytics

This step is performed on the postanalytics machine.

# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f postanalytics

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f postanalytics
# If using the x86_64 version:
sudo sh wallarm-4.10.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f postanalytics

# If using the ARM64 version:
sudo sh wallarm-4.10.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f postanalytics
  • <GROUP> sets a group name into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). Only applied if using an API token.

  • <TOKEN> is the copied token value.

  • <CLOUD> is the Wallarm Cloud to register the new node in. Can be either US or EU.

Step 4: Download newest version of all-in-one Wallarm installer to filtering node machine

This step is performed on the filtering node machine.

Wallarm suggests all-in-one installations for the following processors:

  • x86_64

  • ARM64 (beta)

To download all-in-one Wallarm installation script, execute the command:

curl -O https://meganode.wallarm.com/4.10/wallarm-4.10.1.x86_64-glibc.sh
curl -O https://meganode.wallarm.com/4.10/wallarm-4.10.1.aarch64-glibc.sh

Step 5: Run all-in-one Wallarm installer to upgrade filtering node

This step is performed on the filtering node machine.

# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f filtering

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-4.10.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f filtering
# If using the x86_64 version:
sudo sh wallarm-4.10.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f filtering

# If using the ARM64 version:
sudo sh wallarm-4.10.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c <CLOUD> -f filtering
  • <GROUP> sets a group name into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI). Only applied if using an API token.

  • <TOKEN> is the copied token value.

  • <CLOUD> is the Wallarm Cloud to register the new node in. Can be either US or EU.

Step 6: Check the filtering node and separate postanalytics modules interaction

To check the NGINX‑Wallarm and separate postanalytics modules interaction, you can send the request with test attack to the address of the protected application:

curl http://localhost/etc/passwd

If the NGINX‑Wallarm and separate postanalytics modules are configured properly, the attack will be uploaded to the Wallarm Cloud and displayed in the Attacks section of Wallarm Console:

Attacks in the interface

If the attack was not uploaded to the Cloud, please check that there are no errors in the services operation:

  • Analyze the postanalytics module logs

    sudo cat /opt/wallarm/var/log/wallarm/tarantool-out.log
    

    If there is the record like SystemError binary: failed to bind: Cannot assign requested address, make sure that the server accepts connection on specified address and port.

  • On the server with the NGINX‑Wallarm module, analyze the NGINX logs:

    sudo cat /var/log/nginx/error.log
    

    If there is the record like [error] wallarm: <address> connect() failed, make sure that the address of separate postanalytics module is specified correctly in the NGINX‑Wallarm module configuration files and separate postanalytics server accepts connection on specified address and port.

  • On the server with the NGINX‑Wallarm module, get the statistics on processed requests using the command below and make sure that the value of tnt_errors is 0

    curl http://127.0.0.8/wallarm-status
    

    Description of all parameters returned by the statistics service →