Summary
This workflow automates the upgrade process for AppGate SDP (Software Defined Perimeter) infrastructure. The solution coordinates controller and gateway upgrades across managed environments, schedules maintenance windows, performs pre-upgrade health checks, executes firmware upgrades in the correct sequence, verifies post-upgrade functionality, and supports rollback if issues are detected. By automating the upgrade process, the workflow reduces downtime, minimizes human error, ensures consistent upgrade procedures, and provides complete audit trails for compliance.
Usage
Prerequisites
Before using this workflow, ensure the following requirements are met:
-
AppGate Integration: Configure the AppGate SDP API integration in Rewst
-
PSA Integration: For ticket tracking and change management
-
Email Integration: For notifications
-
Organizational Variables:
appgate_upgrade_ticket_board: PSA board for upgrade ticketsappgate_maintenance_window_start: Default maintenance window start timeappgate_maintenance_window_end: Default maintenance window end timeappgate_auto_rollback: Enable automatic rollback on failureappgate_notification_recipients: Notification recipients
Workflow Inputs
| Parameter | Type | Required | Description |
|---|---|---|---|
company_id | String | Yes | PSA company for the upgrade |
target_version | String | Yes | Target AppGate version |
appliance_ids | Array | No | Specific appliances to upgrade (defaults to all) |
maintenance_window_start | DateTime | No | Scheduled start time |
maintenance_window_end | DateTime | No | Scheduled end time |
upgrade_controllers | Boolean | No | Upgrade controllers. Default: true |
upgrade_gateways | Boolean | No | Upgrade gateways. Default: true |
auto_rollback | Boolean | No | Rollback on failure. Default: true |
dry_run | Boolean | No | Validate without executing. Default: false |
Execution
Manual Trigger
- Execute on-demand when a new AppGate version is available
Scheduled Execution
- Schedule during designated maintenance windows
Upgrade Process Flow
- Pre-Flight Checks: Validate target version, check compatibility
- Environment Assessment: Inventory all controllers and gateways
- Health Baseline: Capture current appliance health and connectivity
- Backup Configuration: Export current configuration for rollback
- Controller Upgrade: Upgrade controllers first (one at a time for HA)
- Controller Verification: Validate controller functionality post-upgrade
- Gateway Upgrade: Upgrade gateways in rolling fashion
- Gateway Verification: Validate gateway connectivity post-upgrade
- Functional Testing: Verify VPN connectivity and policy enforcement
- Completion: Update tickets and notify stakeholders
Post-Execution Steps
- Verify user VPN connectivity through upgraded appliances
- Monitor for post-upgrade errors in AppGate logs
- Update documentation with new version information
- Close change management ticket
Returned Data
{
"success": true,
"upgrade_summary": {
"company": "Acme Corp",
"previous_version": "6.1.2",
"target_version": "6.2.0",
"start_time": "2026-03-04T02:00:00Z",
"end_time": "2026-03-04T03:45:00Z",
"duration_minutes": 105,
"total_appliances": 6,
"successfully_upgraded": 6,
"failed": 0
},
"controller_upgrades": [
{
"name": "Controller-Primary",
"previous_version": "6.1.2",
"new_version": "6.2.0",
"status": "Success",
"upgrade_time_minutes": 15,
"health_check": "Passed"
},
{
"name": "Controller-Secondary",
"previous_version": "6.1.2",
"new_version": "6.2.0",
"status": "Success",
"upgrade_time_minutes": 14,
"health_check": "Passed"
}
],
"gateway_upgrades": [
{
"name": "Gateway-East",
"previous_version": "6.1.2",
"new_version": "6.2.0",
"status": "Success",
"upgrade_time_minutes": 12,
"health_check": "Passed",
"active_sessions_migrated": 45
}
],
"rollback_performed": false,
"ticket_id": "CHG-2026-042"
}
Changelog
2026-03-04
- Initial version of the document