Upgrade procedure

Important:

Appliance services are not available while the upgrade is being applied. Disruption continues until the appliance completes its final restart.

It is a best practice to perform the upgrade at a time when service demand is low.

Note:
  • OVA images downloaded before June 2, 2017 should use the migration process described in the KBA titled “Migrating from a v8.3 Email Virtual Appliance (initial image) to v8.4”.

  • OVA images (except for DLP Analytics Engine) can be upgraded to 8.5.3 directly from 8.3.0, 8.4.0, and 8.5.0.

  • DLP Analytics Engine OVA upgrade to 8.5.3 is not supported.

  • OVA images (except for DLP Analytics Engine) can be upgraded to 8.5.4 directly from 8.4.0, 8.5.0, and 8.5.3.

  • DLP Analytics Engine OVAs can be upgraded to 8.5.4 from 8.5.3.

  • The 8.5.3 or prior OVA file must use VMware version 6.x. The 8.5.4 OVA file may use VMware version 6.5 or later, or VMware version 7.x. You cannot upgrade a prior OVA version to 8.5.4 on VMware version 7.x.

Steps

  1. Download the v8.5.x Forcepoint Security Installer to a location from which it is easy to copy to the Windows servers hosting Forcepoint web, email, and data components, such as TRITON Manager (renamed Forcepoint Security Manager in v8.4) and Log Server.
  2. Perform Pre-upgrade activities.
  3. If your deployment includes Forcepoint Web Security, you must upgrade the policy source machine (Policy Broker/Policy Database) before upgrading web protection components on your security blades. If the Full policy source machine is an X10G, upgrade that blade first. After upgrading the policy source machine, confirm that Policy Broker and Policy Database services are running.
    Important: All Forcepoint components on the Full policy source machine are upgraded when Policy Broker/Policy Database are upgraded.
    In all instances, you must upgrade Forcepoint Web Security components in the following order:
    1. Full policy source

      Upon completion, confirm that Policy Broker and Policy Database services are running. See Upgrading Web Protection Solutions.

    2. User directory and filtering (sometimes called policy lite) blades and non-appliance servers that host Policy Server.
    3. Filtering only blades, and non-appliance servers that host Filtering Service.
    4. Off-appliance servers hosting other web protection components (like Log Server or Logon Agent).
      Important: Successful upgrade of User directory and filtering and Filtering only appliances requires connectivity with the Policy Broker and Policy Database services.
  4. If the appliance is registered in Forcepoint Security Manager, go to Appliances > Manage Appliance in Forcepoint Security Manager and unregister the appliance. Re-registration is a post-upgrade activity. If the appliance is a User directory and filtering appliance, unregister the appliance. In the Web module of Forcepoint Security Manager, go to the Settings > General > Policy Servers page and unregister the appliance.
  5. Download and apply the upgrade.
    1. Download the upgrade file.
      load upgrade
    2. Install the upgrade.
      install upgrade

      Select the upgrade file from the list. When prompted, confirm to continue, then accept the subscription agreement.

      The upgrade performs several system checks. The checks may take several minutes.

      When installation is complete, the appliance automatically restarts. If the upgrade fails, the blade server automatically rolls back to the prior version. If the source of the failure is not obvious or cannot be easily addressed, contact Forcepoint Technical Support.

      If an error message displays indicating that ISO verification has failed, repeat the install upgrade command with the parameter --force <iso_file_name>.

      If installation seems to stop, allow the process to run for at least 90 minutes. If installation has not completed in that time, contact Forcepoint Technical Support.

  6. Perform Post-upgrade activities.
  7. Return to Step 5 and upgrade remaining appliances.
  8. Upgrade the management server (if not upgraded when Policy Broker/Policy Database were upgraded), and other servers that host Forcepoint components. See Upgrading Web Protection Solutions and Upgrading Email Protection Solutions for instructions.