Post-upgrade activities

Your system should have the same configuration after the upgrade process as it did before the upgrade. Any configuration changes can be made after the upgrade process is finished.

After your upgrade is completed, redirect email traffic through your system to ensure that it performs as expected.

Email hybrid service registration information is retained during the upgrade process, so you do not need to complete the registration again, unless you have performed an appliance migration (e.g, from a virtual appliance to a new virtual appliance). See Update appliance management interface configuration settings (for migration only), for information.

Perform the following tasks in the Forcepoint Security Manager or the CLI:

  • Install Email Security hotfixes
  • Repair Email Security registration with Data Security
  • Update data loss prevention policies and classifiers
  • Update Forcepoint databases
  • Update Email Security module backup file
  • Configure email DNS lookup
  • Increase vCPU and RAM allocation
  • Update appliance management interface configuration settings (for migration only)
  • Verify the system and configuration in the CLI

Install Email Security hotfixes

Navigate to the page Forcepoint My Account Downloads and select your version, then install the latest Windows and appliance hotfixes.

Alternatively, appliance hotfixes can be installed using the appliance command-line interface (CLI) or Forcepoint Security Appliance Manager (FSAM). See Forcepoint Appliances CLI Guide and Forcepoint Security Appliance Manager Help for more information.

Repair Email Security registration with Data Security

Re-register the new appliance with the Data Security module as follows:
  1. In the Email Security module, navigate to the page Settings > General > Data Loss Prevention and click Unregister.
  2. Register the appliance with the Data Security module; click Register.
  3. Navigate to the page Settings > General > Data Loss Prevention and ensure that the appliance management (C) interface IP address appears in the field Communication IP address.
  4. In the Data Security module, navigate to the page Settings > Deployment > System Modules and select the Email Security module.
  5. In the upper left corner, click Delete.
  6. Deploy the changes; click Deploy.
Update data loss prevention policies and classifiers
  1. Select the Data Security module.
  2. Follow the prompts that appear for updating data loss prevention policies and classifiers.

    Depending on the number of policies you have, this can take up to an hour. During this time, do not restart the server or any of the services.

  3. Deploy the changes; in the upper right of the Data Security module, click Deploy.

Update Forcepoint databases

From the page Settings > General > Database Downloads, click Update Now. This action performs an immediate database download update.

Update Email Security module backup file

Due to a change in implementation at version 8.1, the Security Manager Email Security module backup file format is not compatible with versions earlier than 8.1. You must remove any pre-version 8.1 backup log file before you create a new backup file for version 8.5.x. If you do not remove the old log file before you create the new file, the backup/restore function may not be accessible.

Use the following steps:
  1. Navigate to the following directory on the Security Manager machine:

    C:\Program Files (x86)\Websense\Email Security\ESG Manager

  2. Locate and remove the following file:

    ESGBackupRestore

    Copy this file to another location if you want to save it.

  3. Create a new backup file on the page Settings > General > Backup/Restore.

Configure email DNS lookup

The virtual appliance firstboot process includes the entry of DNS server settings. You can enhance DNS lookup query performance by configuring a second set of DNS server entries specifically for the Email Security module. Use the following CLI commands, as needed:
set interface dns --module email --dns1 <DNS_IP>
set interface dns --module email --dns2 <DNS_IP>
set interface dns --module email --dns3 <DNS_IP>

Not applicable for Forcepoint Email Security in Azure.

Increase vCPU and RAM allocation

If you upgraded from version 8.3 or lower to version 8.5.x, it is necessary to increase the vCPU and RAM allocations on your virtual appliance, in order to ensure adequate system resources.

See the Knowledge Base article Resource Upgrade on OVA and Forcepoint Appliances Getting Started Guide for more information.

Update appliance management interface configuration settings (for migration only)

If your upgrade to version 8.5.x included a data migration, you need to re-configure some functions that use the appliance management (C) interface after the migration and upgrade are complete. The management (C) interface was added for virtual appliance users at version 8.3.

Forcepoint Email Security in Azure supports only the C interface. These configuration settings include:
  • Data loss prevention
  • Email hybrid service
  • Personal Email Manager notification message
  • Update Log Database
  • Reset Forcepoint Email Security license (only if Forcepoint Security Manager was migrated to Azure)
  • Move Forcepoint DLP database (only if Forcepoint Security Manager was migrated to Azure)

Data loss prevention

Re-register the new appliance with the Data Security module as follows:
  1. Select the Email Security module and navigate to the page Settings > General > Data Loss Prevention.
  2. Remove DLP registration; click Unregister.
  3. In the Data Security module, navigate to the page Settings > Deployment > System Modules.
  4. Select the Email Security module.
  5. In the upper left corner, click Delete.
  6. On the Email Security module page Settings > General > Data Loss Prevention, ensure the appliance management (C) interface IP address appears in the field Communication IP address.
  7. Register the appliance with the Data Security module; click Register.
  8. Select the Data Security module and click Deploy.

Email hybrid service

This action is required only if you used the C interface on a hardware appliance that you have migrated.

Re-register the new appliance with the email hybrid service as follows:
  1. Select the Email Security module and navigate to the page Settings > Hybrid Service > Hybrid Configuration.
  2. At the bottom of the Hybrid Configuration page, click Edit.
  3. Replace the SMTP server IP address with the new C interface IP address.
  4. Click OK.

Personal Email Manager notification message

This action is required only if you used the C interface on a hardware appliance that you have migrated.

You may need to enter your destination appliance management interface IP address for the proper distribution of Personal Email Manager notification messages.
  1. Select the Email Security module and navigate to the page Settings > Personal Email > Notification Message.
  2. In the text field IP address or hostname, enter the new appliance management (or C) interface.
  3. Click OK.

If you had previously customized HTML notification templates for the Personal Email Manager, your customizations were lost when upgrading to the new version; reconfigure your templates on the page Settings > Personal Email > Notification Message.

Update Log Database

If you encounter the following warnings after your upgrade, you may need to update the Email Log Database with new values for appliance hostname, management interface IP address, C interface IP address, and device ID:

You may encounter this situation if you use Windows authentication. In that case, the migration script cannot update the C interface, resulting in this message.
  1. Open SQL Server Management Studio.
  2. Click New Query.
  3. In the query window, enter the following command:
    USE [esglogdb76]

    Select the esg_device_id, admin_manage_ip, and device_c_port_ip from the dbo.esg_device_list.

  4. Enter GO.
  5. Locate the esg_device_id associated with either the admin_manage_ip or the device_c_port_ip of the source appliance.
  6. Execute the following command using the values you obtained in the previous steps:
    UPDATE dbo.esg_device_list SET esg_name = '<host name>', admin_manage_ip = '<appliance management IP address>', device_c_port_ip = '<C IP address>' WHERE esg_device_id = '<device id>'
  7. Enter GO.
  8. Run the query.

Reset Forcepoint Email Security license (only if Forcepoint Security Manager was migrated to Azure)

If you migrated Forcepoint Security Manager to Azure, it is necessary to reset the Forcepoint Email Security licenses for each of your appliances. Contact Forcepoint Technical Support Forcepoint Technical Support for assistance with this step.

After Technical Support has reset your licenses, navigate to Settings > General > Email Appliances and add each of your appliances. See Forcepoint Email Security Administrato Help .

Move Forcepoint DLP database (only if Forcepoint Security Manager was migrated to Azure)

If you migrated Forcepoint Security Manager to Azure, it is necessary to move your Forcepoint DLP database to the new Forcepoint Security Manager in Azure. See How do I move the TRITONAP-DATA database to another MS SQLServer? for instructions.

Verify the system and configuration in the CLI

The following table details system and configuration checks made in the CLI. See the Forcepoint Appliances CLI Guide for more information.
  • Log on to the CLI and elevate to config mode.
    Action Command
    Display system information
    show appliance info

    Results may be similar to:

    Uptime: 0 days, 2 hours, 13 minutes
    Hostname: webapp.example.com
    Hardware_platform: X10G G2
    Appliance_version: 8.5.0
    Mode: Forcepoint Web Security
    Policy_mode: Filtering only
    Policy_source_ip: 10.222.21.10
    Display the upgrade history
    show upgrade history
    Display the appliance and module status
    show appliance status
    show <module>
    If expected system services are not running, restart the module that hosts the services.
    restart <module>
    Display network interface settings
    show interface info

    If you have bonded interfaces, note that the names used to indicate the type of bonding have changed. For example, load-balancing is now balance-rr.

    Check and synchronize the system time, if necessary
    show system ntp
    show system clock
    show system timezone
    If the clock is off and NTP is configured, sync with:
    sync system ntp

    Otherwise, to sync when the time is set manually, see “System time and time synchronization with Forcepoint servers” in Forcepoint Appliances Getting Started.

    Configure size and frequency values for archiving commands
    set log archive
    Check SNMP polling and alerting settings (if you integrate with a SIEM or SNMP server)
    show snmp config
    show trap config
    show trap events

    These commands are not supported in Forcepoint Email Security in Azure.