Limitations and restrictions
Once the incremental upgrade process has started, there are specific limitations that impact the way your software will function until all upgrades have been completed.
- Once the upgrade process has been started, you will not be allowed to add new components to your configuration until the full upgrade has been completed.
- After the primary Policy Broker is upgraded:
- No data synchronization will occur to any replica Policy Brokers that have not also been upgraded. Replica Policy Brokers whose version does not match will not be allowed to synchronize policy and configuration data. When viewed on the Installed Policy Broker Instances table, the Last Policy Sync column will display an “out of sync” message for any replica Policy Broker that has not been upgraded.
- If the mode of a replica Policy Broker that has not been upgraded is changed to either standalone or primary mode, any attempt to change the mode back to replica will fail.
- If the primary Policy Broker is on a machine by itself, any web protection components connected to it may have switched to a secondary Policy Broker when the primary was being upgraded. You must restart those components to re-connect to the upgraded primary Policy Broker.
To restart components on Windows or Linux servers, run the following command from the C:\Program Files\Websense\Web Security\ or /opt/Websense/ directory:
WebsenseAdmin restart
On appliances, restart the Forcepoint Web Security or Forcepoint URL Filtering, Content Gateway (if applicable), and Network Agent modules. See the Forcepoint Appliances CLI Guide.
- When accessing the Forcepoint Security Manager, you can only connect to Policy Server instances whose version is supported by the Security Manager.
The supported versions are:
- 8.1 (upgrades to v8.5 only)
- 8.2 (not supported for upgrades to v8.5.4 or v8.5.5)
- 8.3 (not supported for upgrades to v8.5.4 or v8.5.5)
- 8.4 (not supported for upgrades to v8.5.5)
- 8.5 (upgrades to v8.5.3 or v8.5.4 only)
- 8.5.3 (upgrades to v8.5.4 or v8.5.5)
- 8.5.4 (upgrades to v8.5.5)
In addition, the Control Service instance on the Policy Server machine must be running.
Important: Forcepoint Security Manager must have been upgraded to v8.5.x to support the connection to Policy Servers with earlier versions.
- Automatic logon to a secondary Policy Server occurs if any of the following is true:
- The primary Policy Server version is not supported.
- The primary Policy Server is unreachable.
- The Control Service on the primary Policy Server machine is not running.
Logon will fail if any of the following is true:
- Control Service on the management server is not running.
- Policy Server is a supported version but unreachable and there is no reachable secondary Policy Server with a supported version.
- The Policy Server version is not supported and there is no reachable secondary Policy Server with a supported version.
- Control Service is not running on the Policy Server machine and there is no reachable secondary Policy Server with a supported version.
- The Control Service on the secondary Policy Server machine is not running.
- When logged on to the Forcepoint Web Security module of the Forcepoint Security Manager:
- Help, Find Answers information, field labels, and error messages are based on the version of the Forcepoint Security Manager, even when the connection is to a Policy Server with a different version.
- Some of the pages of the Security Manager may not be accessible if the Policy Server and Security Manager versions do not match.
- In multiple Policy Server environments, use the information on the Policy Server Map on the page to view the version of the primary Policy Server and associated secondary Policy Servers.
- Health Alerts may appear indicating that services that have not been upgraded are not running. The service is running; the alert is triggered by the version mismatch.
- The page, presentation reports, and application reports will display a notification message if the Forcepoint Security Manager version does not match the Log Database version. The Log Database is upgraded when Log Server is upgraded.
- If a Policy Server version is not supported by the Security Manager, or if the Policy Server or the Control Service on the Policy Server machine is not running:
- Switching to that Policy Server is not allowed.
- Adding or editing that Policy Server is not allowed.
- If a secondary Policy Server with a supported version is added or edited but the version does not match the primary Policy Server, Directory Services settings cannot be inherited.
If the Inherit from the primary Policy Server option has been checked but the versions don’t match, the Directory Services settings for the secondary Policy Server are left available for entry. When it can be determined that the Policy Server versions match, the Directory settings are copied from the primary Policy Server to the secondary, and the settings for the secondary Policy Server are disabled.
In the Forcepoint Security Manager, use the Policy Server Map on the to view the version of each Policy Server.
- If the version of the Log Database (upgraded when Log Server is upgraded) does not match the version of the various reporting tools:
- Emails sent by presentation reports scheduled jobs will include specific text indicating that the versions are different.
- Access to investigative reports is allowed, but may require entering a new Log Database connection in the page.
If the database has been upgraded but investigative reports has not, you will need to connect to an older database. Until that happens, investigative report scheduled jobs may fail.
Note that if the investigative reports tool has been upgraded, but the Log Database has not, the connection to the database will not require a change and scheduled jobs should run as expected.
- WebCatcher will not run and an appropriate message will be added to the webcatcher.log file.
- Use of the Import Sample Data option for Threats dashboard data on the page is not supported.
- You can set up connections to a Log Database with the same version or a more recent version than the Log Server version on the page. This can be used in distributed Log Server environments for Log Servers that have not yet been upgraded.
- As a best practice, for upgrades from v7.8.4 or v8.1, if a Policy Server has been upgraded, avoid adding a policy exception that includes Referer sites. Policy Servers and Filtering Services that have not been upgraded will permit general access to the sites in the URL list.
- Beginning with v8.4, data for each Policy Server (including those without a SIEM solution) is sent to all SIEM solutions configured for other Policy Servers assigned to the same Policy Broker.
For upgrades from v8.3 (or earlier) to v8.4, v8.5, or v8.5.3:
- If, in the earlier deployment, SIEM solutions have been configured for different Policy Servers under the same Policy Broker, an upgraded Policy Server will receive SIEM data from all Policy Servers under that Policy Broker.
- To allow this feature to work correctly after upgrade in multiple Policy Server environments, stop all Event Message Brokers (located with each Policy Server) after the primary Policy Broker has been upgraded. As each Policy Server is then upgraded, Event Message Broker will be upgraded and restarted. During this process, some SIEM data will not be sent until the upgrade is complete.
Upgrades to v8.5.4 or v8.5.5 will continue to use the SIEM solution configurations from the earlier version. SIEM enhancements in v8.5.4 removed the sharing of SIEM data between Policy Servers.
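The supported-version list and Security Manager logon rules above can be checked against an inventory before starting an upgrade. This is an added planning example, not Forcepoint code. The `PolicyServer` record, the function names and the secondary selection order are assumptions, and the "not supported for" entries are read as supported for the other v8.5.x targets the page names.

```python
from dataclasses import dataclass

# Upgrade targets named on the page; "not supported for X" entries are read
# as supported for the remaining targets (assumption).
TARGETS = {"8.5", "8.5.3", "8.5.4", "8.5.5"}
SUPPORT = {  # Policy Server version -> Security Manager versions that accept it
    "8.1": {"8.5"},
    "8.2": TARGETS - {"8.5.4", "8.5.5"},
    "8.3": TARGETS - {"8.5.4", "8.5.5"},
    "8.4": TARGETS - {"8.5.5"},
    "8.5": {"8.5.3", "8.5.4"},
    "8.5.3": {"8.5.4", "8.5.5"},
    "8.5.4": {"8.5.5"},
}

@dataclass
class PolicyServer:  # hypothetical inventory record
    name: str
    version: str
    reachable: bool = True
    control_service: bool = True  # Control Service on the Policy Server machine

def supported(ps_version, manager_version):
    """True if a Security Manager at manager_version can connect."""
    if ps_version == manager_version:  # assumption: already-upgraded server
        return True
    return manager_version in SUPPORT.get(ps_version, set())

def logon_outcome(manager_version, mgmt_control_service, primary, secondaries):
    """Return 'primary', 'secondary:<name>' or 'fail' per the rules above."""
    if not mgmt_control_service:  # Control Service on the management server
        return "fail"
    if (supported(primary.version, manager_version)
            and primary.reachable and primary.control_service):
        return "primary"
    # Assumption: the first reachable secondary with a supported version is used.
    for ps in secondaries:
        if ps.reachable and supported(ps.version, manager_version):
            return f"secondary:{ps.name}" if ps.control_service else "fail"
    return "fail"

if __name__ == "__main__":
    # Constructed inventory: Security Manager at 8.5.5, primary still at 8.4.
    primary = PolicyServer("ps-primary", "8.4")
    secondaries = [PolicyServer("ps-b", "8.3"), PolicyServer("ps-c", "8.5.4")]
    print(logon_outcome("8.5.5", True, primary, secondaries))
```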