Perform post-upgrade activities

  • Appliance post-upgrade activities
  • TRITON AP-EMAIL post-upgrade activities
  • Content Gateway post-upgrade activities (TRITON AP-WEB only)

Appliance post-upgrade activities

Depending on the Web or Email module installed on your appliance, after upgrade perform the following:

In the CLI

Elevate to config mode and perform system checks and verify some configuration settings.
  • System information
    show appliance info
    Results may be similar to:
    Uptime : 0 days, 2 hours, 13 minutes
Hostname : webapp.example.com
Hardware_platform : V10000 G4
Appliance_version : 8.5.x
Mode : TRITON AP-WEB
Policy_mode : Filtering only
Policy_source_ip : 10.222.21.10
  • Upgrade history
    show upgrade --history
  • Appliance status
    show appliance status
show <module>
    If expected system services are not running, restart the module that hosts the service
    restart <module>
  • Network interface settings
    show interface info

    If you have bonded interfaces, note that the names used to indicate the type of bond have changed. For example, load-balancing is now “balance-rr”.

  • Check and synchronize the system time
    show system ntp
show system clock
show system timezone

    If the clock is off and NTP is configured, sync with:

    sync system ntp

    Otherwise, to sync when the time is set manually, see System time and time synchronization with TRITON servers in Forcepoint Appliances Getting Started.

  • Configure a filestore. A filestore is an off-appliance location for storing appliance-related files, including backup, log, and configuration files. Establishing a filestore is essential for saving and loading files.

    A filestore definition includes:

    • A unique name, known as the filestore alias.
    • The IP address of the filestore host and the port on which to connect.
    • The directory location (path or share) on the host.
    • The protocol to use to connect and move files to and from the filestore. Supported protocols include ftp, tftp, and samba.
    • Optionally, the name of a user (account) with permissions on the filestore.
    To define a filestore:
    set filestore --alias <filestore_alias>
--type <ftp|tftp|samba> --host <ip_address>
--path <share_directory>
[--user <user_name>] [--port <port>]

    Example:

    set filestore --alias fstore --type samba
--host 10.123.48.70 --path myfiles/myfolder
--user jdoe
  • If you integrate with a SIEM, configure SNMP polling and alerting. Use the documentation created in the pre-upgrade activity. See, also, SNMP polling and alerting in Forcepoint Appliances Getting Started.

In Forcepoint Security Manager

  • Register your appliances. Log on to Forcepoint Security Manager and go to the Appliances tab to register your appliances.
  • If you have User directory and filtering appliances, in Forcepoint Security Manager go to the Web module Settings > General > Policy Servers page, and add the Policy Server instances.

TRITON AP-EMAIL post-upgrade activities

Your system should have the same configuration after the migration as it did before the migration.

Perform the following tasks in the Forcepoint Security Manager:

  • Redirect email traffic through your system to ensure that it performs as expected.
  • Update data loss prevention policies and classifiers
  • Update Forcepoint databases
  • Update Email module backup file
  • Update appliance management interface configuration settings
  • Configure email DNS lookup
  • Update Log Database

Update data loss prevention policies and classifiers

  1. In TRITON Manager, select the Data module.
  2. Follow the prompts for updating data loss prevention policies and classifiers. Depending on the number of policies you have, this can take up to an hour. During this time, do not restart the server or any of the services.
  3. When finished, click Deploy.

Update Forcepoint databases

Click Update Now in the Settings > General > Database Downloads page. This action performs an immediate database download update.

Update Email module backup file

Due to a change in implementation at v8.1, the TRITON Manager Email module backup file format is not compatible with versions earlier than 8.1. You must remove any pre-version 8.1 backup log file before you create a new backup file for v8.x. If you don’t remove the old log file before you create the new file, the backup/restore function can become inaccessible.

Use the following steps:

  1. Navigate to the following directory on the TRITON management server machine:C:\Program Files (x86)\Websense\Email Security\ESG Manager
  2. Locate and remove the following file: ESGBackupRestore

    Copy this file to another location if you want to save it.

  3. Create a new backup file for v8.3 on the Settings > General > Backup/Restore page.

Update appliance management interface configuration settings

If your upgrade to v8.3 included a data migration, you need to re-configure some functions that use the appliance management (C) interface after the migration and upgrade are complete. The management (C) interface is new for virtual appliance users at v8.3.

Appliance registration

In the EMAIL module of TRITON Manager, go to Settings > General > Email Appliances and click on the host name link to delete the appliance. Log off and then back on to TRITON Manager and add the appliance’s new C interface IP address.

Data loss prevention

Re-register the TRITON AP-EMAIL appliance with the Data module as follows:

  1. Select the TRITON Email module and navigate to the Settings > General > Data Loss Prevention page.
  2. Click Unregister to remove the DLP registration.
  3. In the TRITON Data module, navigate to the Settings > Deployment > System Modules page. Select the TRITON AP-EMAIL module.
  4. In the upper left corner, click Delete.
  5. In the TRITON Email module Settings > General > Data Loss Prevention page, ensure the appliance management (C) interface IP address appears in the Communication IP address field.
  6. Click Register to register the appliance with the Data module.
  7. Select the Data module and click Deploy.

Email hybrid service

Re-register the TRITON AP-EMAIL appliance with the email hybrid service as follows:

  1. Select the TRITON Email module and navigate to the Settings > Hybrid Service > Hybrid Configuration page.
  2. Click Edit at the bottom of the page.
  3. Replace the SMTP server IP address with the new C interface IP address.
  4. Click OK.

Personal Email Manager notification message

You may need to enter your destination appliance management interface IP address for the proper distribution of Personal Email Manager notification messages.

  1. Select the TRITON Email module and navigate to the Settings > Personal Email > Notification Message page.
  2. Enter the new appliance management (or C) interface in the IP address or hostname entry field.
  3. Click OK.

Configure email DNS lookup

The appliance firstboot process includes the entry of DNS server settings. You can enhance DNS lookup query performance by configuring a second set of DNS server entries specifically for the Email module. Use the following CLI commands, as needed:
set interface dns --module email --dns1 <DNS_IP>
set interface dns --module email --dns2 <DNS_IP>
set interface dns --module email --dns3 <DNS_IP>

Update Log Database

If you encounter the following warnings after your upgrade, you may need to update the Email Log Database with new values for appliance hostname, management interface IP address, C interface IP address, and device ID:

image

  1. Open SQL Server Management Studio.
  2. Click New Query.
  3. In the query window, enter the following command:
    USE [esglogdb76]

    Select the esg_device_id, admin_manage_ip, and device_c_port_ipfrom the dbo.esg_device_list.

  4. Enter GO.
  5. Locate the esg_device_id associated with either the admin_manage_ip or the device_c_port_ip of the source appliance.
  6. Execute the following command using the values you obtained in the previous steps:
    UPDATE dbo.esg_device_list SET esg_name = '<host name>',
admin_manage_ip = '<appliance management IP address>',
device_c_port_ip = '<C IP address>' WHERE esg_device_id =
'<device id>'
  7. Enter GO.
  8. Run the query.

Content Gateway post-upgrade activities (TRITON AP-WEB only)

After you have finished upgrading components, perform the following.

  1. If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
  2. Register Content Gateway nodes in the Web module of TRITON Manager on the Settings > Content Gateway Access page.

    Registered nodes add a link to the Content Gateway manager logon portal and provide a visual system health indicator: a green check mark or a red X.

  3. Configure Content Gateway system alerts on the Settings > Alerts > System page in the Web module of the TRITON Manager.

    This subset of Content Gateway system alerts can be configured to be sent to administrators, in addition to being displayed in the Content Gateway manager.

  4. If you use SSL support:

    1. If your clients don’t yet use a SHA-1 internal Root CA, create and import a SHA-1 Root CA into all affected clients. See Internal Root CA in Content Gateway Help.
    2. Using the notes you compiled prior to upgrade, rebuild your Static Incident list.
  5. If you use proxy user authentication, review the settings on the Global Authentication Options page (Configure > Security > Access Control > Global Configuration Options).
  6. If you use IWA user authentication, confirm that the AD domain is still joined. Go to Monitor > Security > Integrated Windows Authentication. If it is not joined, rejoin the domain. Go to Configure > Security > Access Control > Integrated Windows Authentication.
  7. If you use Rule-Based Authentication, review your configuration. Go to Configure > Security > Access Control.

    1. Check the Domains page.

      1. IWA domains that were joined before upgrade should still be joined.
      2. LDAP and Legacy NTLM domains should be listed.
    2. Check each rule.

      1. Go to the Authentication Rules page and enter the editor.
      2. Select each rule and check the configuration.
      3. For Multiple Realm Authentication rules that used Cookie Mode Caching, check the cookie list on the Global Authentication Option page.
      4. Check that the expected domain is in the Auth Sequence list.

      Important: The Rule-Based Authentication feature is very rich and can satisfy many user authentication requirements. To make best use of it, please refer to Rule-Based Authentication.

  8. If a web protection and data protection solution were deployed together, confirm that Content Gateway has automatically re-registered with the Data module of the TRITON Manager. If it has not, manually re-register.

    1. Ensure that the Content Gateway and the TRITON management server system clocks are synchronized to within a few minutes.
    2. In the Content Gateway manager:

      1. Go to Configure > My Proxy > Basic, ensure that Web DLP: Integrated on-box is enabled, and click Apply.
      2. Next to Integrated on-box, click the Not registered link. This opens the Configure > Security > Web DLP registration screen.
      3. Enter the IP address of the TRITON management server.
      4. Enter a user name and password for logging onto the TRITON Manager. The user must be a TRITON AP-DATA (formerly Data Security) administrator with Deploy Settings privileges.
      5. Click Register. If registration is successful, a message confirms the result and prompts you to restart Content Gateway. If registration fails, an error message indicates the cause of failure. Correct the problem and perform the registration process again.
  9. If web and data protection products were deployed together and upgraded, you may need to remove stale entries of Content Gateway instances registered in TRITON AP-DATA system modules:

    1. Log onto the TRITON console.
    2. Select the Data tab and navigate to the Settings > Deployment > Modules page.
    3. Listed are 2 instances of each Content Gateway module registered with the system. Delete the older instances. You can identify these by looking at the version number.
    4. Click Deploy.
  10. If web and data protection products were deployed together and configured to use the on-box policy engine, and then reconfigured during upgrade or later to use the ICAP interface, the Content Gateway instance may need to be deleted from the list of TRITON AP-DATA system modules or the deployment will fail. Go to the Data > Settings > Deployment > System Modules page, click on the affected Content Gateway instance to open its Details page, click Delete and then Deploy.
  11. If your v7.8.4 or higher explicit proxy deployment was customized to support an external load balancer with IWA user authentication, the configuration is preserved during upgrade. You do not need to re-apply the custom configuration. You should, however, test your deployment to verify that the load balancer is performing as expected.
  12. With v8.2.x, the basic functionality for 2 features was changed slightly:

    • Send authentication to parent proxy, configured on the Configure > My > Proxy > Basic > General page
    • X-Forwarded-For, enabled on the Configure > Protocols > HTTP >Privacy

    In both cases, header values are forwarded only to a configured parent proxy.

    If you are upgrading from v7.8.4, v8.0, or v8.1, enabled either of these settings in your previous version, and are expecting header values to be forwarded for all outbound requests, add the appropriate variable to your records.config file (in the /opt/WCG/config directory, by default).
    • To add the user name to outbound requests, add:
      CONFIG proxy.config.http.insert_xua_to_external INT
    • To send X-Forwarded-For header values directly to the Internet, add:
      CONFIG proxy.config.http.insert_xff_to_external INT 1
  13. If you were using v7.8.4, v8.0, or v8.1 with custom cipher list settings using these variables in records.config:
    proxy.config.ssl.server.cipherlist 
proxy.config.ssl.client.cipherlist
    you need to reconfigure the custom settings because these variables were replaced in v8.2.

    • proxy.config.ssl.server.cipherlist_suffix replaces 
proxy.config.ssl.server.cipherlist
    • proxy.config.ssl.client.cipherlist_suffix replaces 
proxy.config.ssl.client.cipherlist

    The non-default cipher list in use prior to upgrade is saved for reference as a comment in records.config. Default values for the new variables are put place during the upgrade and can be reconfigured after the upgrade is complete.

    See Content Gateway Manager Help for more information on how these new variables now work with proxy.config.ssl.server.cipherlist_option and proxy.config.ssl.client.cipherlist_option to create cipher lists.

  14. The Tunnel Skype option on the Configure > Protocols > HTTPS page of Content Gateway Manager is no longer available in v8.3. Variables stored in the records.config file that apply to Skype are removed during the upgrade process.
  15. The settings on the Configure > Networking > Connection Management > Low Memory Mode page of Content Gateway manager are no longer available in v8.3. Corresponding variables stored in the records.config file are removed by the upgrade.
  16. If LOW encryption cipher suites was previously selected on the Configure > SSL > Decryption/Encryption > Inbound or Outbound pages of Content Gateway manager, the v8.3 upgrade process will change the setting to MEDIUM. LOW is no longer a valid option on those pages.

    The corresponding records.config variables are also updated by the upgrade.

  17. During upgrade to v8.3, the Enable the certificate verification engine on the Configure > SSL >Validation > General page of Content Gateway manager will be changed to ON for any customer who does not already have the feature enabled.
  18. In v8.3, improvements were made to the Adaptive Redirection Module (ARM). The ARM component now utilizes iptables, policy routing, and transparent sockets which are configured during product installation or upgrade.

    The Content Gateway Manager has been changed to reflect these improvements.

    • The Network Address Translation (NAT) section of the Configure >Networking > ARM > General page has been renamed to Redirection Rules to better reflect the contents of the table.
    • Text on that page has also been updated.

      To facilitate interception and redirection of traffic:

    • IPTables rules are configured during upgrade.

      • Forcepoint IPTables chains are inserted.
      • Forcepoint IPTables rules are also inserted into existing chains.
      • Forcepoint chains and rules use “NC_” as a prefix for identification purposes.
    • IPTables rules configured outside of Content Gateway Manager must

      • Be inserted after Forcepoint rules.
      • Never be added to Forcepoint chains.
    • Forcepoint chains and rules should never be edited.
    • If customized chains or rules impact the Forcepoint configuration, navigate to /opt/wcg/bin and execute the following to re-establish the Forcepoint IPTables chains and rules:
      netcontrol.sh -r

For some customers, the GRE Packet Return Method (GRE return) may not be as expected. In all cases, GRE return, as documented by Cisco (see this site), is fully functional. However, tunneling back through a router (enhanced GRE tunnel return) now requires a specific kernel module. This module is only available on a Forcepoint appliance. Contact Forcepoint Technical Support to enable this functionality in a software deployment.

To provide more appropriate statistical data for the new ARM, the Bypass Statistics now provide information for:

  • Total Packets Bypassed
  • Packets Dynamically Bypassed
  • DNS Packets Bypassed
  • Packets Shed