Upgrade instructions
- Email Log Server (Upgrade the Email Log Server)
- Forcepoint Security Manager Email Security Module (Upgrade the Forcepoint Security Manager Email Security Module)
- Forcepoint Appliances (Upgrade or migrate Forcepoint Appliances)
Upgrade the Email Log Server
If the Email Log Server is installed on a separate machine from the Forcepoint Security Manager, upgrade the Email Log Server using the Forcepoint Security Installer from the Forcepoint My Account downloads page.
- Download the Forcepoint Security Installer from the Forcepoint My Account downloads page.
- Run the installer and follow the installation wizard instructions for Log Server.
- The installer does not allow you to change existing configuration settings. Changes must be made after the upgrade.
- The upgrade installer stops the Email Log Server service, updates the Email Log Server and the Email Log Database, and then restarts the Email Log Server service.
Upgrade the Forcepoint Security Manager Email Security Module
Use the Forcepoint Security Installer from the Forcepoint My Account downloads page. The upgrade process includes Forcepoint DLP and the Email Log Server if it is installed on the Security Manager machine.
- Download the Forcepoint Security Installer from the Forcepoint My Account downloads page.
- Run the installer and ensure that Forcepoint Email Security and Forcepoint DLP are selected for upgrade.
The upgrade process includes Forcepoint DLP and the Email Log Server if it is installed on the Security Manager machine.
- Follow the installation wizard instructions.The Data Security module upgrade occurs after the Forcepoint Management Infrastructure upgrade. The Email Security module upgrade follows the Data Security module.
- The upgrade installer Configuration page shows the IP address of the database engine that manages the Email Log Database and logon type. If you have changed the database since your previous installation or upgrade, use this page to change these settings.
- The upgrade script stops the Email Security module service, updates the Email SQL Server databases (and Log Server if found), and then restarts the Email Security module service.
Upgrade or migrate Forcepoint Appliances
Appliance services are not available while the upgrade is being applied; email traffic should not be directed through appliances during the upgrade process. Disruption continues until the appliance completes its final restart. It is a best practice to perform the upgrade at a time when service demand is low.
X Series
For the X Series hardware appliance, see the Forcepoint X Series upgrade guide for upgrade instructions and command options on this platform.
If you are running an X10G security blade version 8.0.x, you must upgrade to version 8.3 before you upgrade to version 8.5.x. You cannot upgrade directly to version 8.5.x from version 8.0.x.
V Series
The version 8.3 and later V Series appliance introduced a command-line interface (CLI) to replace the Appliance Manager. For an introduction to the CLI, see the Forcepoint Appliances CLI Guide.
- Adequate disk space for Forcepoint Email Security (at least 8 GB required)
- Cached message log file size (cannot exceed 10 MB)
A backup and restore function to save existing appliance configuration settings is also included. You are prompted to contact Technical Support if any configuration file is missing.
When upgrading V Series appliances configured in a cluster, you must upgrade the primary box first, followed by all its secondary machines, one at a time.
Virtual appliance
The Forcepoint Email Security virtual appliance platform was re-architected at version 8.3. As a result, email security system data and email messages that reside on a pre-version 8.3 virtual appliance must be migrated off that appliance when you upgrade to a new version. The migration is accomplished via a command-line interface (CLI) migrate command performed on the version 8.5.x appliance.
Migration is necessary when upgrading any version of Forcepoint Email Security to Forcepoint Email Security in Azure. See Migrate to version 8.5.x.
Upgrade to version 8.5.x
- Download the v8.5.x Forcepoint Security Installer from the Forcepoint My Account downloads page and save it to a location from which it is easy to copy it to Windows servers hosting Forcepoint web, email, and data components, such as Forcepoint Security Manager (formerly TRITON Manager) and Log Server.
- Perform Upgrade preparation.
Skip to Step 4 if your deployment does not include Forcepoint Web Security.
- If your deployment includes Forcepoint Web Security, upgrade the policy source machine (Policy Broker/Policy Database) before upgrading web protection components on your security blades.
If the Full policy source machine is an X10G, upgrade that blade first. After upgrading the policy source machine, confirm that Policy Broker and Policy Database services are
running.
All Forcepoint components on the Full policy source machine are upgraded when Policy Broker/Policy Database are upgraded.
In all instances, you must upgrade Forcepoint Web Security components in the following order:- Full policy source
Upon completion, confirm that Policy Broker and Policy Database services are running. See Upgrading Web Protection Solutions.
- User directory and filtering (sometimes called policy lite) blades and non-appliance servers that host Policy Server
- Filtering only blades, and non-appliance servers that host Filtering Service
- Off-appliance servers hosting other web protection components (like Log Server or Logon Agent)
Successful upgrade of User directory and filtering and Filtering only appliances requires connectivity with the Policy Broker and Policy Database services.
- Full policy source
- If the appliance is registered in Forcepoint Security Manager, navigate to
Re-registration is a post-upgrade activity.
If the appliance is a User directory and filtering appliance, unregister the appliance. In the Web module of Forcepoint Security Manager, navigate to
and unregister the appliance.
and unregister the appliance. - Using the CLI, download and apply the v8.5.x upgrade:
- Download the upgrade file.
load upgrade
- Install the upgrade.
install upgrade
Select the v8.5.x upgrade file from the list.
When prompted, confirm to continue, then accept the subscription agreement.
The upgrade performs several system checks. The checks may take several minutes.
When installation is complete, the appliance automatically restarts.
If the upgrade fails, the blade server automatically rolls back to the prior version. If the source of the failure is not obvious or cannot be easily address, contact Forcepoint Technical Support.
If an error message displays indicating that ISO verification has failed, repeat the command with the following parameter added:--force <iso_file_name>
If installation seems to stop, allow the process to run for at least 90 minutes. If installation has not completed in that time, contact Forcepoint Technical Support .
- Download the upgrade file.
- Perform Post-upgrade activities.
- Return to Step 5 and upgrade remaining appliances.
- Upgrade the management server (if not upgraded when Policy Broker/Policy Database were upgraded), and other servers that host Forcepoint components. See Upgrading Forcepoint Security Solutions to v8.5.x.
Migrate to version 8.5.x
- Ensure that your source and destination appliances in the migration are configured in the same subnet. If they are not, the migration process may complete, but the new appliance interfaces are not correctly updated.
- You may need to reconfigure some network settings for the migration process. The version 8.3 and later virtual appliance supports three network interfaces: C, P1, and P2. In the
migration, the C interface retains the setting you assigned it during firstboot. The P1 and P2 interfaces (eth0 and eth1) inherit the settings of P1 and P2 when migrating from a V5000, or
the E1 and E2 settings when migrating from a V10000.
- Forcepoint Email Security in Azure supports only the C interface.
- Dynamic Host Configuration Protocol (DHCP) is not supported in version 8.3 and later. If your existing appliance has DHCP enabled, those network settings are not migrated. You must configure static network interface IP addresses for your appliance.
- Calculate the disk space used on your existing appliance and ensure that the new appliance has adequate disk space for all data you wish to migrate.
- Install a new version 8.5.x appliance.
The VMware virtual machine requires ESXi version 6.0 or later. See the topic titled Virtual Appliance Setup in the Forcepoint Appliances Getting Started Guide for detailed instructions for downloading and creating a virtual machine.
If you are migrating to an Azure deployment, skip to Step 4. See Installing Forcepoint Email Security in Microsoft Azure.
- On the source appliance, open a default port for your installation:
- On-premises: port 22
- Azure: port 22222
- On the new appliance (version 8.5.x), run the firstboot wizard to select appliance security mode (email), enter appliance management settings (e.g., C interface IP address, hostname, DNS
server IP addresses), and define some basic configuration settings (e.g., hostname, administrator password, system time zone). This step is not applicable in Azure.
See the topic titled Firstboot Wizard in the Forcepoint Appliances Getting Started Guide for detailed firstboot instructions.
Note: The source appliance hostname is not migrated to the destination appliance. The destination appliance uses the hostname set during firstboot, and then the upgrade process adds “-esg” to the end of the name. - Log on to the new version 8.5.x appliance CLI and elevate to config mode. If you are migrating to an Azure deployment, skip to Step 6.
- Set the appliance P1 interface using the set interface ipv4 command with the following
syntax:
set interface ipv4 --interface p1 --ip <ipv4_address> [--mask <ipv4_netmask>] --gateway <ipv4_address>
Setting this interface now can facilitate the migration process in the event that your current P1 interface is a virtual IP address, which will not be migrated.
The P1 interface you configure in the CLI is displayed as “E1” in the Forcepoint Security Manager. This step is not applicable in Azure.
Note:If you use a client interface like PuTTY to connect to the appliance, configure a longer connection session to accommodate a slightly lengthy migration process.
For example, in the PuTTY configuration interface, select the Connection category. Enter 30 in the Seconds between keepalives (0 to turn off) entry field.
- Download the appropriate hotfix for your source virtual appliance version from the Forcepoint My
Account Downloads page.
- Version 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, or 8.5.3 on-premises: Hotfix 300
- Version 8.3, 8.5.0, or 8.5.3 in Azure: Hotfix 301
- Contact Forcepoint Technical Support for assistance to apply the hotfix to your
previous version appliance.
See the ReadMe file packaged with the hotfix for more information about hotfix contents.
- In the version 8.5.x appliance CLI, ensure you are still in config mode and then log in to the email module:
login email
- You may perform the migration using the migrate CLI command on the version 8.5.x appliance with one of two options: interactive or silent.
Interactive mode is a step-by-step process that requires user input during the process.
The following displays an example of the interactive mode command:
Interactive mode requires the following information to be entered:- Source appliance (pre-version 8.5.x) IP address.
- Confirmation for the start of the migration.
- Selection of a mode option; Azure or On-Premises.
Select Azure if you are migrating to a version 8.5.x Azure appliance.
Select On-Premises if you are migrating to a version 8.5.x on-premises appliance.
The following displays the selection of On-Premises to migrate to an 8.5.x on-premises appliance:
- Selection of a transfer option.
If you migrate email message queues in addition to configuration settings, be aware that the transfer of large-volume queues may take a few hours to complete. The following image displays an example of the CLI for this section:
Silent mode requires the following information to be entered:- Source appliance (pre-version 8.5.x) IP address.
- Migration mode; Azure or On-Premises.
- Subscription key.
The subscription key is only required when the migration mode is Azure.
The second transfer option is automatically selected for silent mode, and the migration runs without the need for subsequent user input.
The following image displays an example of the CLI for silent mode:
Important: You must use your existing TRITON Manager or Forcepoint Security Manager Windows machine. Use of a newly installed TRITON Manager or Forcepoint Security Manager for an upgrade is not currently supported.Consider the following after you perform your virtual appliance migration process:- If you have an email DLP policy configured to use a TRITON AP-DATA or Forcepoint DLP quarantine action, and the Release Gateway on the page is set to Use the gateway that detected the incident, you should change the Release Gateway to the IP address of your new appliance. Otherwise, when a Data Security module administrator releases a pre-migration quarantined message, an “Unable to release incident” error is generated.
- Virtual IP address settings in filter actions are not retained after an appliance migration. You need to reconfigure virtual IP address settings manually.
Important: Please contact Technical Support if Forcepoint personnel have customized your appliance iptables settings. These customizations are not preserved by the migration process.