Potential SIEM data loss for upgrades to v8.5.4 or v8.5.5

SIEM Integration feature enhancements may result in the loss of SIEM data during an incremental upgrade to v8.5.4 or v8.5.5. Note that there is no loss of reporting log data during an incremental upgrade.

Follow these steps if you plan to upgrade incrementally and are concerned with SIEM data loss.

Steps

  1. SIEM Integration must first be configured for all Policy Servers in your deployment. Use Forcepoint Security Manager to enable and configure SIEM Integration for any Policy Servers for which SIEM is not currently configured.
    The current SIEM feature was designed to send data for each Policy Server assigned to the same Policy Broker to all SIEM solutions configured for those Policy Servers. This step is required to avoid losing data for a Policy Server that is not specifically configured for SIEM.
  2. Download Forcepoint_Web_Security_854_Pre_Upgrade_Tool.zip from the v8.5.4 Downloads page, unzip it, and locate the package appropriate for the Forcepoint Web Security version you are upgrading from.
    To download the incremental upgrade tool:
    1. Log on to the Forcepoint Downloads page.
    2. Select Web Security from the Product list.
    3. Select On-Premises (Web) from the Product Options.
    4. Click Web v8.5.x Incremental Upgrade Tool from the Installer list.
      Note: Only the latest version is listed under Installer. To select a previous version, use the Click here link under On-Premises (Web).
    5. Click Download on the Product Installer page to download the incremental upgrade tool package, Forcepoint_Web_Security_854_Pre_Upgrade_Tool.zip.
    Note:

    When upgrading to v8.5.5:

    • From 8.5.3, use the appropriate v8.5.4 package. For example, if the upgrade is on Windows, use Web_Security_854_Pre_Upgrade_from_853_Windows.zip.

    • From 8.5.4, no additional steps are required. The same v8.5.4 functionality is included in v8.5.5.

    • ReadMe.txt
    • Web_Security_854_Pre_Upgrade_from_840_Windows.zip
    • Web_Security_854_Pre_Upgrade_from_850_Windows.zip
    • Web_Security_854_Pre_Upgrade_from_853_Windows.zip
    • Web_Security_854_Pre_Upgrade_from_840_Linux.tar.gz
    • Web_Security_854_Pre_Upgrade_from_850_Linux.tar.gz
    • Web_Security_854_Pre_Upgrade_from_853_Linux.tar.gz
    • Web_Security_854_Pre_Upgrade_from_840_Appliance.rpm
    • Web_Security_854_Pre_Upgrade_from_850_Appliance.rpm
    • Web_Security_854_Pre_Upgrade_from_853_Appliance.rpm
  3. Copy the appropriate zip file to each machine on which a Policy Server is installed.
  4. Follow the instructions in the ReadMe to run the script on each machine.
    This process resets SIEM Integration to the behavior it had before v8.4, the release in which the SIEM Integration process was first enhanced.
    Note that pre-8.4 functionality did not support:
    • Forwarding hybrid log data to a SIEM Integration.
    • Cloud application log data for use in cloud app reports.
    • The following keys as part of a customized SIEM format string:
      • loginID
      • logRecordSource (added for Hybrid data).
      • cloudAppName (added for cloud app data).
      • cloudAppID (added for cloud app data).
      • cloudAppRiskLevel (added for cloud app data).
      • cloudAppType (added for cloud app data).
    • Forwarding data to multiple SIEM solutions.

    Once the flag is reset, data will be forwarded only to the SIEM Integration configured for that Policy Server.

  5. Start the incremental upgrade process, beginning with Policy Broker. Follow the instructions in Steps for upgrading incrementally.
  6. When each Policy Server is upgraded, the reset will be reversed and the new v8.5.4 functionality will be enabled. See Forcepoint Security Information Event Management (SIEM) Solutions.
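The following pre-upgrade planning check is an added example, not Forcepoint's tool or script. It reads a constructed Policy Server inventory, flags hosts that would violate step 1 (no SIEM configured), picks the pre-upgrade package per platform and source version using the file names listed above (the version-to-package mapping is inferred from those names), and reports which custom format-string keys will be absent during the window between the reset and each Policy Server's upgrade; the `%<key>` placeholder syntax is an assumption and should be adjusted to match your own format string.

```python
"""Pre-upgrade planning check for the SIEM data-loss procedure.

Added example; the inventory, format string and '%<key>' placeholder
syntax are constructed assumptions, not product code or output.
"""
import re

# Source version -> package suffix, inferred from the package file names.
PACKAGE_VERSIONS = {"8.4.0": "840", "8.5.0": "850", "8.5.3": "853"}
PACKAGE_EXT = {"Windows": "zip", "Linux": "tar.gz", "Appliance": "rpm"}
# Keys the pre-8.4 behaviour (active from the reset until each Policy
# Server is upgraded) does not emit.
UNSUPPORTED_PRE84_KEYS = {"loginID", "logRecordSource", "cloudAppName",
                          "cloudAppID", "cloudAppRiskLevel", "cloudAppType"}
PLACEHOLDER = re.compile(r"%<([A-Za-z]+)>")  # assumed placeholder syntax


def package_for(version, platform):
    """Return the pre-upgrade package for a Policy Server, or None when no
    additional step is needed (upgrading from 8.5.4)."""
    if version == "8.5.4":
        return None
    if version not in PACKAGE_VERSIONS or platform not in PACKAGE_EXT:
        raise ValueError(f"no pre-upgrade package for {version}/{platform}")
    return (f"Web_Security_854_Pre_Upgrade_from_{PACKAGE_VERSIONS[version]}"
            f"_{platform}.{PACKAGE_EXT[platform]}")


def missing_keys(format_string):
    """Keys in a custom SIEM format string that will be absent until the
    Policy Server is upgraded; sorted so the report is stable."""
    return sorted(UNSUPPORTED_PRE84_KEYS & set(PLACEHOLDER.findall(format_string)))


def plan(inventory, format_string):
    """Per-host plan. Hosts without SIEM configured are blockers because
    step 1 requires SIEM Integration on every Policy Server."""
    blockers = [h["host"] for h in inventory if not h["siem_configured"]]
    copies = {h["host"]: package_for(h["version"], h["platform"]) for h in inventory}
    return {"blockers": blockers, "copies": copies,
            "keys_lost_during_window": missing_keys(format_string)}


# Constructed sample inventory and format string.
INVENTORY = [
    {"host": "ps-win-01", "platform": "Windows", "version": "8.5.3", "siem_configured": True},
    {"host": "ps-lnx-01", "platform": "Linux", "version": "8.5.0", "siem_configured": False},
    {"host": "ps-app-01", "platform": "Appliance", "version": "8.5.4", "siem_configured": True},
]
FORMAT_STRING = "%<time> %<user> %<loginID> %<cloudAppName> %<url>"

if __name__ == "__main__":
    print(plan(INVENTORY, FORMAT_STRING))
```

Any host listed under blockers must have SIEM Integration enabled in Forcepoint Security Manager before the package is copied and the script run.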