Before you can update the Threat Grid Appliance with newer versions, you must have
completed the initial setup and configuration steps as described in the Cisco Threat Grid Appliance Getting Started Guide.
If you have a new Threat Grid Appliance that shipped with an older version of
software and want to install updates, you must first complete the initial
configuration. Updates will not download unless the license is installed, and may
not apply correctly if the Threat Grid Appliance has not been fully configured,
including the database.
The following considerations should be observed when installing updates:

- Threat Grid Appliance updates are applied through the Admin UI.
- If the update server sends an update, the client moves all the way forward to
  that version. It's not always possible to skip interim releases; when not
  possible, the update server will require the appliance to install the release
  before it can download the next update.
- If the server allows you to download a version, you are eligible to move to that
  version directly; that is, with no intervening reboots beyond those needed for a
- Updates are one-directional: you cannot revert to a previous version after you
  upgrade to a more recent version.
- Users with air-gapped implementations may contact Support to request a downloadable update
- The Threat Grid Appliance downloads release updates over SSH, port 22.
- Release updates can also be applied from the textual (curses) interface, not
  just from the web-based administrative interface (Admin UI).
- Systems using DHCP need to explicitly specify DNS. An upgrade of a system
  without a DNS server explicitly specified will fail.

Database Schema Updates

Historically, database migrations associated with updates ran on standalone
appliances while the system was offline in single-user mode; in a cluster, they
ran after the first upgraded node came back online. (The exception was unusually
long updates that could be run in the background, which were handled on a
case-by-case basis.)
Threat Grid Appliance (v2.5.0 and later) updates the database schema after the system
finishes rebooting, which may cause the boot process to take slightly longer. (Very
long reboots continue to be handled on a case-by-case basis.)
In prior releases, non-clustered systems with backup support enabled would make a
best-effort attempt to operate correctly when their NFS server was down. Due to
changes in Elasticsearch functionality, we can no longer guarantee this behavior.
Background Elasticsearch index migration to ES6-native indexes is enabled in v2.7.2
and later. This migration must successfully complete before any version of the
Threat Grid Appliance which requires Elasticsearch 7.0 or newer is installed.
Elasticsearch index migration may cause substantial delays in the NFS backup
process, causing related warnings. These warnings should be disregarded, as
service notices indicate that index migration is actively ongoing. You should
only raise a ticket with Support if the index migration process fails to make
progress over an extended period.