This section helps you learn more about the general upgrade guidelines before upgrading NIOS versions.

Upgrading to NIOS 9.0.5 Guidelines

Read the following guidelines before upgrading to NIOS 9.0.5:

  • NIOS 9.0.5 is on average 178% larger than NIOS 8.6 and 67% larger than earlier NIOS 9.0.x versions because of the new features/enhancements (such as Threat Insight). Uploading the .bin file may take a while, and if you have set a default session timeout, the session can expire while the upload is taking place in the background. Infoblox recommends that you change the default session timeout setting from 600 seconds to 1800 seconds. You can update the setting in the Security tab > Session Timeout(s) field.

  • In NIOS 9.0.5, the upgrade fails if the listen-on, notify-source, and query-source options are configured with port 53 for both IPv4 and IPv6 addresses.

  • Accelerated networking can be enabled for NIOS members in Microsoft Azure from version 9.0.5 onwards. This resolves an issue where accelerated networks had to be disabled on NIOS members in Microsoft Azure before upgrading to NIOS 9.0.0, 9.0.1, 9.0.2, 9.0.3, or 9.0.4.

  • There will be an impact on the CPU and DNS performance when Threat Insight is enabled. 

  • You can only run Threat Insight when a minimum disk size of 250 GB is set on the Grid member; the size includes upgrading with Threat Insight enabled on the member. Failing to do so may result in functionality issues.

  • If you have used the ZSK or KSK algorithm key size 640 (which is invalid in BIND 9.16), the upgrade may fail.

  • If the length of the DH key is lower than 1024, the upgrade will fail.

Upgrading to NIOS 9.0.4 Guidelines

...

  • From NIOS 9.0.4 onwards, the CPUID hypervisor bit (CPUID(1)ECX:31) must be enabled for VM guests. It is the default for all VM hypervisors, but can be disabled in some hosting configurations. Do not disable it.

  • Splunk does not support TLS version 1.3 and therefore NIOS reporting will not work if you disable all other TLS versions and enable only TLS version 1.3. A warning to this effect is displayed if you enable only TLS version 1.3.

  • Accelerated networking must be disabled in Microsoft Azure for NIOS members before upgrading to 9.0.0, 9.0.1, 9.0.2, 9.0.3, or 9.0.4 as it may cause the member to not rejoin the Grid after upgrading. The VM or, if applicable, all VMs within the availability set may need to be stopped or deallocated before accelerated networking is disabled. This issue does not affect NIOS 9.0.5 or later versions.

  • After an upgrade to NIOS 9.0.4, the Cloud Sync service starts automatically on members that have AWS and GCP vDiscovery jobs configured.

  • After an upgrade to NIOS 9.0.4, the Cloud Sync service will not start automatically on members that have VMWare, Azure, and Openstack vDiscovery jobs configured.

  • After a NIOS upgrade to 9.0.4, the time zone may fall back temporarily to the UTC time zone and certain time zone names will be mapped to different names. The following table is a list of the earlier and new time zone names:

...

  • Upgrading a NIOS 8.x Grid that is configured with Thales HSM to NIOS 9.0 is not supported. Also,
    configuring Thales HSM in a new NIOS 9.0.0 Grid is not supported.

    • Using an unsupported algorithm such as RSAMD5(1), DSA(3), or DSA-NSEC3-SHA1(6).

    • Using invalid key size for RSASHA1(5), RSA-NSEC3-SHA1(7), RSASHA256(8) (should be within range [1024 to 4096]).

    • Manually creating (through the import keyset) a DS record with an unsupported algorithm or digest type SHA-1.

    • If you are using Ubuntu and a CA certificate of key length 1024 and some unsupported ciphers, after a NIOS upgrade, services that depend on the unsupported ciphers cease to work.

    • In NIOS 9.0, the Cisco ISE endpoint (Cisco pxGrid 1.0) has been deprecated.

    • Infoblox recommends that you use a minimum size of 100 GB when using discovery resizable images. This applies even when upgrading a resizable discovery image whose size is lower than 100 GB.

    • Infoblox recommends using a minimum size of 70 GB for any of the files that has resizable as
      part of the file name and you can resize them depending on your requirement and
      deployment.

    • If you are logging on to NIOS using SSO, in IDP Configuration you must enter the following
      URL in the SP Entity ID field: <grid_virtual IP address>:8765/metadata. If you are using Okta,
      the SP Entity ID field is also called the Audience URI field.

    • The shared secret that you enter when adding a RADIUS authentication server in the Add
      RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be
      between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.

  • Before you upgrade to NIOS 9.0.x, check the validity of the CA certificates uploaded. If the certificate is invalid, install a new certificate that is in compliance with RFCs (for example RFC 5280). Failure to do so may result in the Grid Manager UI/WAPI not being accessible after the upgrade. However, NIOS will
    continue to be functional. To check the validity of the certificate, contact Infoblox Support.

  • In NIOS 8.6 and earlier versions, BIND allowed the listen-on, notify-source, and query-source options to be configured on port 53 for both IPv4 and IPv6 addresses. Starting from NIOS 9.0.x, this configuration is not recommended because BIND does not support the listen-on, notify-source, and query-source options using the same port for both IPv4 and IPv6. Having this configuration can cause BIND to fail during start-up.

  • A downgrade from NIOS 9.0.x to NIOS 8.4.x is not supported. Auto-synchronization from NIOS 9.0.x to NIOS 8.4.x is not supported.

  • If there are Threat Protection members in your Grid for the 8.3 and later features (Grid Master Candidate test promotion, forwarding recursive queries to BloxOne Infoblox Threat Defense Cloud, and CAA records), ensure that you upload the latest Threat Protection ruleset for these features to function properly.

  • Infoblox recommends that you enable DNS Fault Tolerant Caching right after you upgrade to NIOS 8.2.x and later and keep this feature enabled to handle unreachable authoritative servers. Note that enabling this feature requires a DNS service restart, which will clear the current cache. Therefore, if you enable this when you are trying to mitigate an ongoing attack on an authoritative server that is outside of your control, it will clear the DNS cache, which will magnify the issues that your system is experiencing.

  • During a scheduled full upgrade to NIOS 8.1.0 and later versions, you can use only IPv4 addresses for
    NXDOMAIN redirection. You cannot use IPv6 addresses for NXDOMAIN redirection while the upgrade is in progress.

  • If you set up your Grid to use Infoblox Threat Insight (known as Threat Analytics in versions earlier than 9.0.5) but have not enabled automatic updates for Threat Insight module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.

  • After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the
    update_rabbitmq_password command on the Grid Master to get the Cloud Sync (Cloud DNS Sync in 9.0.x versions prior to 9.0.4) service to be
    functional. Until that time, Route 53 synchronization does not start because the service has not been started.

  • After an upgrade to NIOS 8.6.3 and later, the Cloud Sync (Cloud DNS Sync in 9.0.x versions prior to 9.0.4) service starts automatically on the Grid
    member that is assigned to the Route 53 synchronization groups.

  • After an upgrade to NIOS 8.6.3 and later, the Disable Default Search Path and the Additional Search
    Paths fields will no longer be displayed in the Add Active Directory Authentication Service > Step 1 of 1
    wizard.

  • If you upgrade to NIOS 8.6.3 or later, all IB-FLEX appliances or Grids that have the FLEX Grid Activation
    license or the MSP license will have the ReportingSPLA external attribute assigned automatically for
    supported Grid members.

  • After an upgrade to NIOS 8.6.3 and later, only 5% of allowed blocklist subscribers is supported for virtual DNS Cache Acceleration (vDCA).

  • The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS
    Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64
    characters (inclusive) in length. Otherwise, the upgrade will fail.

  • If you are using Threat Insight (known as Threat Analytics in versions earlier than 9.0.5), you must have installed the minimum module set version (20210620) before upgrading to NIOS 8.6.1 or to NIOS 8.5.3 or later versions.
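
The DNSSEC items in the guidelines above (ZSK/KSK key size 640, the unsupported algorithms, the [1024 to 4096] RSA key-size range, and DS records with digest type SHA-1) can be checked against exported zone records before an upgrade. The following is an added example, not Infoblox code: it assumes single-line DNSKEY and DS records in dig-style text, and the sample records and the helper names are constructed for illustration.

```python
import base64

# Values below come from the guideline list; sample records are constructed.
UNSUPPORTED_ALGS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
RSA_ALGS = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}
MIN_BITS, MAX_BITS = 1024, 4096
DS_DIGEST_SHA1 = 1  # DS digest type 1 is SHA-1

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 key layout: exponent length (1 or 3 octets), exponent, modulus."""
    if pubkey[0]:
        exp_len, offset = pubkey[0], 1
    else:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()

def audit_record(line: str) -> list:
    """Findings for one single-line DNSKEY or DS record (assumed dig-style text)."""
    fields = line.split(";")[0].split()  # drop trailing comments
    rtype = next((t for t in ("DNSKEY", "DS") if t in fields), None)
    if rtype is None:
        return []
    rdata = fields[fields.index(rtype) + 1:]
    findings = []
    # DNSKEY rdata: flags protocol algorithm key; DS rdata: tag algorithm digest-type digest
    alg = int(rdata[2] if rtype == "DNSKEY" else rdata[1])
    if alg in UNSUPPORTED_ALGS:
        findings.append(f"unsupported algorithm {UNSUPPORTED_ALGS[alg]}({alg})")
    elif rtype == "DNSKEY" and alg in RSA_ALGS:
        bits = rsa_modulus_bits(base64.b64decode("".join(rdata[3:])))
        if not MIN_BITS <= bits <= MAX_BITS:
            findings.append(f"{RSA_ALGS[alg]} key size {bits} outside [1024, 4096]")
    if rtype == "DS" and int(rdata[2]) == DS_DIGEST_SHA1:
        findings.append("DS digest type SHA-1")
    return findings

def constructed_dnskey(alg: int, bits: int) -> str:
    """Constructed record, not a real key: exponent 65537 and a filler modulus."""
    key = b"\x03\x01\x00\x01" + b"\x80" + b"\x01" * (bits // 8 - 1)
    return f"example.test. 3600 IN DNSKEY 256 3 {alg} {base64.b64encode(key).decode()}"

SAMPLE = [
    constructed_dnskey(8, 2048),
    constructed_dnskey(8, 640),
    constructed_dnskey(1, 1024),
    "example.test. 3600 IN DS 12345 8 1 " + "0" * 40,
    "example.test. 3600 IN DS 12345 3 2 " + "0" * 64,
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(audit_record(record) or "ok", "<-", record[:50])
```

Records that return an empty list pass these particular checks only; the other guidelines (DH key length, CA certificate validity, RADIUS shared secret length) are not covered by it.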