Upgrade preparation
Several issues should be considered, and certain steps taken, before beginning an email protection solution upgrade.
- Verify current deployment. Ensure that your current deployment is functioning properly before you begin the upgrade, and that required network interfaces have reliable connections to Forcepoint components and the Internet. The upgrade process does not repair a non-functioning system.
- Check the Certified Product Matrix to verify the supported operating systems for your initial and target versions. For example, version 8.5.3 does not support Windows 2008, which may cause errors when attempting to upgrade from a Windows 2008 operating system.
- Ensure that your existing deployment includes Forcepoint Security Solutions before you upgrade. If you have used the custom option to install Forcepoint Email Security, you must install Forcepoint Security Solutions as well, for data loss prevention capabilities. Consult the Forcepoint Security Manager Data Security module upgrade procedures, to ensure a smooth upgrade experience. See Upgrading to Forcepoint DLP v9.0, for details.
- If you are not already familiar with the preparation required for upgrading off-appliance components, review the requirements before upgrading your appliances.
- For web protection solutions, see Before upgrading v8.5.x web protection solutions and the Release Notes for the web protection solution to which you are upgrading: v8.5.0 Web Protection Release Notes or v8.5.3 WebProtection Release Notes.
- Review the Release Notes for the email protection solution to which you are upgrading: v8.5.0 Forcepoint Email Security Release Notes or v8.5.3 Forcepoint Email Security Release Notes.
- Verify the system requirements for the version to which you are upgrading to ensure your network can accommodate the new features and functions. See System requirements for this version for a detailed description.
- Prepare Windows components. See All Forcepoint solutions for an explanation of general preparations for upgrading the Windows components in your email protection system.
- Ensure that your firewall is configured correctly so that the ports needed for proper email protection operation are open. See Forcepoint Email Security ports for information about all email security system default ports, including appliance interface designations and communication direction.
- Prepare Microsoft Azure virtual network if you are upgrading to Forcepoint Email Security in Azure. See Installing Forcepoint Email Security in Microsoft Azure.
- Prepare for service disruption during upgrade. Appliance services are not available while the upgrade is applied, continuing until the appliance continues its final restart. Service is not disrupted while the off-box components are upgraded.
- If you are using link aggregation and plan to enable VLAN support after upgrade, disable link aggregation before enabling VLAN support on the blade or chassis. VLAN is only available on X Series appliances.
- Ensure you have the most recent hotfix installed for your version. Additionally, ensure that you have the following hotfixes installed or uninstalled, as appropriate.
- Uninstall the following hotfix:
- If you have any appliance with Hotfix 200 (Spectre/Meltdown Hotfix) installed, you must uninstall the hotfix before upgrading to v8.5.x. After upgrading, reinstall Hotfix 200 on the new version.
- Install the following hotfix:
- If you are a Forcepoint V5000 G2R2 customer upgrading from v8.4 to v8.5.x, you must install 8.4 Appliance Hotfix 101 (APP-8.4.0-101) before upgrading.
- Uninstall the following hotfix:
- Back up and remove tomcat log files and remove temporary manager files (optional; recommended to facilitate timely Forcepoint Security Manager upgrade). Use the following steps:
- Log onto the Windows server where the Forcepoint Security Manager resides.
- Navigate to the following directory:C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\logs
- Copy C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\logs to another location (for example, to C:\WebsenseBackup\Email ), and then delete it in the directory mentioned in step 2.
- Navigate to the following directory: C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\tempEsgUploadFileTemp
- Delete all the downloadFile* files.
- Inventory all configuration customizations and make a plan for restoring any that are required. Customizations are not retained through the upgrade process. After your upgrade,
contact Forcepoint Technical Support for assistance with restoring files from your pre-upgrade file system. Customizations can include:
- Custom patches
- Hand updated files
- Extra packages added
- Extra files added, binary or configuration
- Inventory customized HTML notification templates for the Personal Email Manager and Forcepoint Secure Messaging end-user portals. Any customizations you make to notification message templates are lost when upgrading to a new version of Forcepoint Email Security. After upgrade, you will need to reconfigure your customized templates.
- Back up appliance configuration and settings. It is critical to perform a full appliance configuration backup and save it to a filestore.
- Log onto the CLI and elevate to config mode.
- To perform an immediate full backup, use:
create backup now --location filestore_alias [--desc "<description>"]
- Include a unique description to make it easier to identify backup files that may have very similar names and dates.
- Immediately following your upgrade, it is necessary to install the latest hotfix for your version. See the Forcepoint My Account Downloads page to download the latest hotfix.
- Version 8.5.0 was the last supported software release for the V5K G2R2 appliance and the V10K G3R1 appliance. Hardware support will continue to be available throughout End-of-Life for these appliance models. Please refer to the related Tech Alert and the official Product Support Life Cycle matrix for details.
- The Forcepoint V5000 G2R2 appliance may encounter a memory shortage after upgrading to version 8.2 or later. This issue is the result of newer versions of software requiring additional memory, and was only captured under a heavy load. A DIMM Kit (2 x 8GB) is certified to expand the physical memory of the V5000 G2R2 Appliance. It is now generally available and recommended for V5000 G2R2 deployment moving to versions 8.2 and later. Please contact your sales representatives for purchase information. For more details, see the related Knowledge Base article and the DIMM Kit installation instructions.
- The upgrade to version 8.0.x and 8.2.x renamed the following default policy filters, policies, and rules:
- ThreatScope was renamed File Sandbox; at version 8.2.x, File Sandbox was renamed Advanced File Analysis.
- URL Scanning was renamed URL Analysis.
If you currently have custom rules with these new names, change them before the upgrade process begins, to avoid having duplicate rule names after the upgrade. The email security system may not function properly with the duplicate names.
- The upgrade to version 8.3 added the following default elements:
- Spoofed Email policy filter
- Spoof policy action
- Antispoof policy rule
- “url-analysis” default queue
If your system currently uses policy elements or a queue with these names, change them before the upgrade process begins, to avoid having duplicate names after the upgrade. The email security system may not function properly with the duplicate names.
- The upgrade to version 8.4 added the following default elements:
- Email Attachment policy filter
- Email Attachment policy action
- Email Attachment policy rule
- “attachment” default queue
Note:If your system currently uses policy elements or a queue with these names, you must change them before the upgrade process begins.
The version 8.5.x upgrade process includes a pre-check function that terminates the upgrade if duplicate policy components are detected.
- New presentation reports were added in version 8.3 for spoofed email and URL analysis data. Examples include:
- Outbound Spoofed Email Percentage Summary
- Top Inbound Spoofed Email Sender Domains
- Top Inbound Recipients of Spoofed Email
- Top Outbound Embedded URL Categories Detected
- Outbound Embedded URL Detection Volume Summary
The upgrade process may not complete successfully if you have existing custom reports with the same names as these reports.