Post-upgrade activities

Your system should have the same configuration after the upgrade process as it did before the upgrade. Any configuration changes can be made after the upgrade process is finished.

After your upgrade is completed, redirect email traffic through your system to ensure that it performs as expected.

Email hybrid service registration information is retained during the upgrade process, so you do not need to complete the registration again, unless you have performed an appliance migration (e.g, from a virtual appliance to a new virtual appliance). See Update appliance management interface configuration settings (for migration only) for information.

Perform the following tasks in the Forcepoint Security Manager or the CLI:

Install Email Security hotfixes

Repair Email Security registration with Data Security

Update data loss prevention policies and classifiers

Update Forcepoint databases

Update Email Security module backup file

Configure email DNS lookup

Increase vCPU and RAM allocation

Update appliance management interface configuration settings (for migration only)

Verify the system and configuration in the CLI

Install Email Security hotfixes

Navigate to the page Forcepoint My Account Downloads and select your version, then install the latest Windows and appliance hotfixes.

Alternatively, appliance hotfixes can be installed using the appliance command-line interface (CLI) or Forcepoint Security Appliance Manager (FSAM). See Forcepoint Appliances CLI Guide and Forcepoint Security Appliance Manager Help for more information.

Repair Email Security registration with Data Security

Re-register the new appliance with the Data Security module as follows:

In the Email Security module, navigate to the page Settings > General > Data Loss Prevention and click Unregister.

Navigate to the page Settings > General > Data Loss Prevention and ensure that the appliance management (C) interface IP address appears in the field Communication IP address.

In the Data Security module, navigate to the page Settings > Deployment > System Modules and select the Email Security module.

In the upper left corner, click Delete.

Deploy the changes; click Deploy.

Update data loss prevention policies and classifiers

Select the Data Security module.

Follow the prompts that appear for updating data loss prevention policies and classifiers.

Depending on the number of policies you have, this can take up to an hour. During this time, do not restart the server or any of the services.

Deploy the changes; in the upper right of the Data Security module, click Deploy.

Update Forcepoint databases

From the page Settings > General > Database Downloads, click Update Now.

This action performs an immediate database download update.

Update Email Security module backup file

Due to a change in implementation at version 8.1, the Security Manager Email Security module backup file format is not compatible with versions earlier than 8.1. You must remove any pre-version 8.1 backup log file before you create a new backup file for version 8.5.x. If you do not remove the old log file before you create the new file, the backup/restore function may not be accessible.

Use the following steps:

Navigate to the following directory on the Security Manager machine:

C:\Program Files (x86)\Websense\Email Security\ESG Manager

Locate and remove the following file:

ESGBackupRestore

Copy this file to another location if you want to save it.

Create a new backup file on the page Settings > General > Backup/Restore.

Configure email DNS lookup

The virtual appliance firstboot process includes the entry of DNS server settings. You can enhance DNS lookup query performance by configuring a second set of DNS server entries specifically for the Email Security module. Use the following CLI commands, as needed:

set interface dns --module email --dns1 <DNS_IP>

set interface dns --module email --dns2 <DNS_IP>

set interface dns --module email --dns3 <DNS_IP>

Not applicable for Forcepoint Email Security in Azure.

Increase vCPU and RAM allocation

If you upgraded from version 8.3 or lower to version 8.5.x, it is necessary to increase the vCPU and RAM allocations on your virtual appliance, in order to ensure adequate system resources.

See the Knowledge Base article Resource Upgrade on OVA and Forcepoint Appliances Getting Started Guide for more information.

Update appliance management interface configuration settings (for migration only)

If your upgrade to version 8.5.x included a data migration, you need to re-configure some functions that use the appliance management (C) interface after the migration and upgrade are complete. The management (C) interface was added for virtual appliance users at version 8.3.

Forcepoint Email Security in Azure supports only the C interface.

These configuration settings include:

Data loss prevention

Email hybrid service

Personal Email Manager notification message

Update Log Database

Reset Forcepoint Email Security license (only if Forcepoint Security Manager was migrated to Azure)

Move Forcepoint DLP database (only if Forcepoint Security Manager was migrated to Azure)

Data loss prevention

Re-register the new appliance with the Data Security module as follows:

Select the Email Security module and navigate to the page Settings > General > Data Loss Prevention.

Remove DLP registration; click Unregister.

In the Data Security module, navigate to the page Settings > Deployment > System Modules.

Select the Email Security module.

In the upper left corner, click Delete.

On the Email Security module page Settings > General > Data Loss Prevention, ensure the appliance management (C) interface IP address appears in the field Communication IP address.

Select the Data Security module and click Deploy.

Email hybrid service

This action is required only if you used the C interface on a hardware appliance that you have migrated.

Re-register the new appliance with the email hybrid service as follows:

Select the Email Security module and navigate to the page Settings > Hybrid Service > Hybrid Configuration.

At the bottom of the Hybrid Configuration page, click Edit.

Replace the SMTP server IP address with the new C interface IP address.

Click OK.

Personal Email Manager notification message

This action is required only if you used the C interface on a hardware appliance that you have migrated.

You may need to enter your destination appliance management interface IP address for the proper distribution of Personal Email Manager notification messages.

Select the Email Security module and navigate to the page Settings > Personal Email > Notification Message.

In the text field IP address or hostname, enter the new appliance management (or C) interface.

Click OK.

If you had previously customized HTML notification templates for the Personal Email Manager, your customizations were lost when upgrading to the new version; reconfigure your templates on the page Settings > Personal Email > Notification Message.

Update Log Database

If you encounter the following warnings after your upgrade, you may need to update the Email Log Database with new values for appliance hostname, management interface IP address, C interface IP address, and device ID:

You may encounter this situation if you use Windows authentication. In that case, the migration script cannot update the C interface, resulting in this message.

Open SQL Server Management Studio.

Click New Query.

In the query window, enter the following command:

USE [esglogdb76]

Select the esg_device_id, admin_manage_ip, and device_c_port_ip from the dbo.esg_device_list.

Enter GO.

Locate the esg_device_id associated with either the admin_manage_ip or the device_c_port_ip of the source appliance.

Execute the following command using the values you obtained in the previous steps:

UPDATE dbo.esg_device_list SET esg_name = '<host name>', admin_manage_ip = '<appliance management IP address>', device_c_port_ip = '<C IP address>' WHERE esg_device_id = '<device id>'

Enter GO.

Run the query.

Reset Forcepoint Email Security license (only if Forcepoint Security Manager was migrated to Azure)

If you migrated Forcepoint Security Manager to Azure, it is necessary to reset the Forcepoint Email Security licenses for each of your appliances. Contact Forcepoint Technical Support for assistance with this step.

After Technical Support has reset your licenses, navigate to Settings > General > Email Appliances and add each of your appliances. See Forcepoint Email Security Administrator Help.

Move Forcepoint DLP database (only if Forcepoint Security Manager was migrated to Azure)

If you migrated Forcepoint Security Manager to Azure, it is necessary to move your Forcepoint DLP database to the new Forcepoint Security Manager in Azure. See How do I move the TRITON AP-DATA database to another MS SQL Server? for instructions.

Verify the system and configuration in the CLI

The following table details system and configuration checks made in the CLI. See the Forcepoint Appliances CLI Guide for more information.

Log on to the CLI and elevate to config mode.


Action	Command
Display system information	show appliance info Results may be similar to: Uptime: 0 days, 2 hours, 13 minutes Hostname: webapp.example.com Hardware_platform: X10G G2 Appliance_version: 8.5.0 Mode: Forcepoint Web Security Policy_mode: Filtering only Policy_source_ip: 10.222.21.10
Display the upgrade history	show upgrade history
Display the appliance and module status	show appliance status show <module> If expected system services are not running, restart the module that hosts the services. restart <module>
Display network interface settings	show interface info If you have bonded interfaces, note that the names used to indicate the type of bonding have changed. For example, load-balancing is now balance-rr.
Check and synchronize the system time, if necessary	show system ntp show system clock show system timezone If the clock is off and NTP is configured, sync with: sync system ntp Otherwise, to sync when the time is set manually, see "System time and time synchronization with Forcepoint servers" in Forcepoint Appliances Getting Started.
Configure size and frequency values for archiving commands	set log archive
Check SNMP polling and alerting settings (if you integrate with a SIEM or SNMP server)	show snmp config show trap config show trap events These commands are not supported in Forcepoint Email Security in Azure.