Prisma Access Agent
Staged Rollouts of Prisma Access Agents
Table of Contents
Staged Rollouts of Prisma Access Agents
Use staged rollouts to upgrade Prisma Access Agents after the initial
deployment of the agents.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
You can stagger the upgrade of Prisma Access Agents using a maintenance routine
called a staged rollout. Staged rollouts enable you to upgrade Prisma Access Agents sequentially on your end users' devices. Using staged rollouts, you can plan the Prisma Access Agent upgrades based on users, user groups, or operating
systems.
Staged rollouts can occur only after the initial deployment
initial deployment or installation of the Prisma Access Agent on your end users' devices.
You can stage the rollout of Prisma Access Agent upgrades by configuring upgrade rings, which consist of batches of end
users' devices that you want to upgrade in a specific order.
You can define up to five upgrade rings containing devices that match the criteria that
you set up. For each ring, you can define up to three matching criteria using these
attributes: username, user group, or operating system. The devices that meet the ring
criteria will be upgraded according to the order of the rings.
As a best practice, set up Ring 0 to limit the
upgrade to a small group of users to ensure that no issues exist before rolling out the
agent upgrades to the rest of your organization.
For example, you can define:
- Ring 0 to include a group of admin users
- Ring 1 to include all macOS users in North America
- Ring 2 to include all Windows users in North America
- Ring 3 to include all macOS users in Europe
- Ring 4 to include all Windows users in Europe
A default ring is available for those devices that missed their assigned rings. The
default ring is not configurable. If you modify the criteria for the other rings after
the staged rollout has begun, the changes will take effect in subsequent upgrade
rollouts.
What Happens During an Upgrade Rollout
You can start the Prisma Access Agent upgrade process by clicking
Start from in Strata Cloud Manager. When the upgrade rollout begins, the end
users' devices will be upgraded according to the order of the rings they belong to.
Any devices that are offline or not reachable during the staged rollout are placed
in the default ring. Likewise, any new devices that connect to Prisma Access
after the stage rollout has completed, are placed in the default ring. After Rings 0
to 4 have been upgraded, the devices in the default ring will get upgraded in the
order of their assigned rings.
When a ring is active, the agent is upgraded on any device that belongs to the ring,
provided that the device has basic local network connectivity, can connect to the
service that manages the agents, and can authenticate with the Endpoint Manager.
Each ring will be active for 72 hours, after which the next ring will begin.
Devices that are in a disconnected state (with no tunnel connection established) can
be upgraded. Devices that are offline (not connected to the service that manages
agents) cannot be upgraded. When a device comes back online and if the rollout is
still active for the ring that the device belongs to, that device will be upgraded
as part of the ring. If the ring is no longer active, the device will be upgraded as
part of the default ring. This upgrade behavior applies to quarantined devices as
well.
The following table shows the duration for each stage of the ring upgrade cycle:
| Stage | Duration |
|---|---|
|
Agent rollout notification period
You are notified of the upcoming upgrade after clicking
Start. The upgrade begins
automatically at the end of the notification period.
| 5 minutes |
|
Active period for each ring
The runtime for each upgrade ring (Rings 0 to 4 and default
ring). Devices that missed the stage rollout are upgraded as
part of the default ring.
| 72 hours per ring |
If a failure occurs during a ring upgrade, you can stop the staged rollout to troubleshoot and resolve any issues before
starting the rollout again.