Upgrade instructions

Once you have completed the activities outlined in Upgrade preparation, you can proceed with the product upgrade. This section provides instructions for performing an upgrade of an email security system deployment.


	Important If your network includes a Forcepoint web security solution, you must upgrade the Policy Broker/Policy Server machine first, whether or not these components reside on an appliance. Other Forcepoint services located on the Policy Broker/Policy Server machine should be upgraded at the same time. See Upgrade Instructions for Forcepoint Web Security.

This section provides a description of an email system upgrade to the following components:

Email Log Server (Upgrade the Email Log Server)

Forcepoint Security Manager Email Security Module (Upgrade the Forcepoint Security Manager Email Security Module)

Forcepoint Appliances (Upgrade or migrate Forcepoint Appliances)


	Important When the upgrade is applied, the original file system is preserved. Should the upgrade procedure encounter a fatal error, the original file system is restored. Off-appliance components may need to be restarted.

Upgrade the Email Log Server

If the Email Log Server is installed on a separate machine from the Forcepoint Security Manager, upgrade the Email Log Server using the Forcepoint Security Installer from the Forcepoint My Account downloads page.

If the Email Log Server is installed on the same machine as the Forcepoint Security Manager, it is included in the upgrade process described in Upgrade the Forcepoint Security Manager Email Security Module.


	Important If you are upgrading multiple Log Servers, perform the upgrades one at a time to avoid possible upgrade process errors.

Download the Forcepoint Security Installer from the Forcepoint My Account downloads page.

Run the installer and follow the installation wizard instructions for Log Server.

The installer does not allow you to change existing configuration settings. Changes must be made after the upgrade.

The upgrade installer stops the Email Log Server service, updates the Email Log Server and the Email Log Database, and then restarts the Email Log Server service.

Upgrade the Forcepoint Security Manager Email Security Module

Use the Forcepoint Security Installer from the Forcepoint My Account downloads page. The upgrade process includes Forcepoint DLP and the Email Log Server if it is installed on the Security Manager machine.

If you are planning to deploy both Forcepoint Email Security and Forcepoint Security Manager in Azure, this procedure is necessary to first upgrade Forcepoint Security Manager to version 8.5.3.

Download the Forcepoint Security Installer from the Forcepoint My Account downloads page.

Run the installer and ensure that Forcepoint Email Security and Forcepoint DLP are selected for upgrade.

The upgrade process includes Forcepoint DLP and the Email Log Server if it is installed on the Security Manager machine.

Follow the installation wizard instructions.

The Data Security module upgrade occurs after the Forcepoint Management Infrastructure upgrade. The Email Security module upgrade follows the Data Security module.

The upgrade installer Configuration page shows the IP address of the database engine that manages the Email Log Database and logon type. If you have changed the database since your previous installation or upgrade, use this page to change these settings.

The upgrade script stops the Email Security module service, updates the Email SQL Server databases (and Log Server if found), and then restarts the Email Security module service.


	Note The Security Manager Email Security module is not available until after the Security Manager upgrade completes.

Upgrade or migrate Forcepoint Appliances

Appliance services are not available while the upgrade is being applied; email traffic should not be directed through appliances during the upgrade process. Disruption continues until the appliance completes its final restart. It is a best practice to perform the upgrade at a time when service demand is low.


	Important If you are running appliances in a cluster, you must release all appliances from the cluster before performing an upgrade or a migration. Upgrade or migrate each appliance as needed, and then rebuild your cluster after the process is complete.

X Series

For the X Series hardware appliance, see the Forcepoint X Series upgrade guide for upgrade instructions and command options on this platform.

If you are running an X10G security blade version 8.0.x, you must upgrade to version 8.3 before you upgrade to version 8.5.x. You cannot upgrade directly to version 8.5.x from version 8.0.x.

V Series

For the V Series hardware appliance, see the Forcepoint V Series Appliance upgrade guide for complete upgrade instructions and command options.


	Note Dual security mode V Series appliances are not supported in version 8.3 and later. If you are upgrading a V Series appliance from a version earlier than 8.3, we recommend that you migrate the Email Security module off the dual-mode appliance to a new version 8.5.x appliance. See V Series Dual-Mode Appliance Upgrade Guide for details on upgrading a dual-mode (Web and Email) appliance.

The version 8.3 and later V Series appliance introduced a command-line interface (CLI) to replace the Appliance Manager. For an introduction to the CLI, see the Forcepoint Appliances CLI Guide.

The V Series appliance upgrade process includes a check for:

Adequate disk space for Forcepoint Email Security (at least 8 GB required)

Cached message log file size (cannot exceed 10 MB)

A backup and restore function to save existing appliance configuration settings is also included. You are prompted to contact Technical Support if any configuration file is missing.

When upgrading V Series appliances configured in a cluster, you must upgrade the primary box first, followed by all its secondary machines, one at a time.


	Note You may need to restart the appliance if you cannot establish an ssh connection after the upgrade is complete.

Virtual appliance

The Forcepoint Email Security virtual appliance platform was re-architected at version 8.3. As a result, email security system data and email messages that reside on a pre-version 8.3 virtual appliance must be migrated off that appliance when you upgrade to a new version. The migration is accomplished via a command-line interface (CLI) migrate command performed on the version 8.5.x appliance.

Migration is necessary when upgrading any version of Forcepoint Email Security to Forcepoint Email Security in Azure. See Migrate to version 8.5.x.


	Important Direct upgrade from a version 8.3 appliance to version 8.5.x is available only if you deployed from the OVA file released on June 2, 2017. If you deployed from the OVA file released on December 19, 2016, you must use the migration process described in the following section to upgrade to version 8.5.x.

Upgrade to version 8.5.x

Use the following steps to upgrade directly to version 8.5.x.

Download the v8.5.x Forcepoint Security Installer from the Forcepoint My Account downloads page and save it to a location from which it is easy to copy it to Windows servers hosting Forcepoint web, email, and data components, such as Forcepoint Security Manager (formerly TRITON Manager) and Log Server.

Perform Upgrade preparation.

Skip to Step 4 if your deployment does not include Forcepoint Web Security.

If your deployment includes Forcepoint Web Security, upgrade the policy source machine (Policy Broker/Policy Database) before upgrading web protection components on your security blades. If the Full policy source machine is an X10G, upgrade that blade first. After upgrading the policy source machine, confirm that Policy Broker and Policy Database services are running.

All Forcepoint components on the Full policy source machine are upgraded when Policy Broker/Policy Database are upgraded.

In all instances, you must upgrade Forcepoint Web Security components in the following order:

Full policy source

Upon completion, confirm that Policy Broker and Policy Database services are running. See Upgrading Web Protection Solutions.

User directory and filtering (sometimes called policy lite) blades and non-appliance servers that host Policy Server

Filtering only blades, and non-appliance servers that host Filtering Service

Off-appliance servers hosting other web protection components (like Log Server or Logon Agent)

Successful upgrade of User directory and filtering and Filtering only appliances requires connectivity with the Policy Broker and Policy Database services.

If the appliance is registered in Forcepoint Security Manager, navigate to Appliances > Manage Appliance and unregister the appliance.

Re-registration is a post-upgrade activity.

If the appliance is a User directory and filtering appliance, unregister the appliance. In the Web module of Forcepoint Security Manager, navigate to Settings > General > Policy Servers and unregister the appliance.

Using the CLI, download and apply the v8.5.x upgrade:

Download the upgrade file.

load upgrade

Install the upgrade.

install upgrade

Select the v8.5.x upgrade file from the list.

When prompted, confirm to continue, then accept the subscription agreement.

The upgrade performs several system checks. The checks may take several minutes.

When installation is complete, the appliance automatically restarts.

If the upgrade fails, the blade server automatically rolls back to the prior version. If the source of the failure is not obvious or cannot be easily address, contact Forcepoint Technical Support.

If an error message displays indicating that ISO verification has failed, repeat the command with the following parameter added:

--force <iso_file_name>

If installation seems to stop, allow the process to run for at least 90 minutes. If installation has not completed in that time, contact Forcepoint Technical Support.

Perform Post-upgrade activities.

Return to Step 5 and upgrade remaining appliances.

Upgrade the management server (if not upgraded when Policy Broker/Policy Database were upgraded), and other servers that host Forcepoint components. See Upgrading Forcepoint Security Solutions to v8.5.x.

Migrate to version 8.5.x

Consider the following issues before you initiate your virtual or Azure appliance migration process:

Ensure that your source and destination appliances in the migration are configured in the same subnet. If they are not, the migration process may complete, but the new appliance interfaces are not correctly updated.

You may need to reconfigure some network settings for the migration process. The version 8.3 and later virtual appliance supports three network interfaces: C, P1, and P2. In the migration, the C interface retains the setting you assigned it during firstboot. The P1 and P2 interfaces (eth0 and eth1) inherit the settings of P1 and P2 when migrating from a V5000, or the E1 and E2 settings when migrating from a V10000.

Forcepoint Email Security in Azure supports only the C interface.

Dynamic Host Configuration Protocol (DHCP) is not supported in version 8.3 and later. If your existing appliance has DHCP enabled, those network settings are not migrated. You must configure static network interface IP addresses for your appliance.

Calculate the disk space used on your existing appliance and ensure that the new appliance has adequate disk space for all data you wish to migrate.

Use the following steps to migrate data and email messages to a version 8.5.x appliance.

Install a new version 8.5.x appliance.

The VMware virtual machine requires ESXi version 6.0 or later. See the topic titled Virtual Appliance Setup in the Forcepoint Appliances Getting Started Guide for detailed instructions for downloading and creating a virtual machine.

If you are migrating to an Azure deployment, skip to Step 4. See Installing Forcepoint Email Security in Microsoft Azure.

On the source appliance, open a default port for your installation:

On-premises: port 22

Azure: port 22222

On the new appliance (version 8.5.x), run the firstboot wizard to select appliance security mode (email), enter appliance management settings (e.g., C interface IP address, hostname, DNS server IP addresses), and define some basic configuration settings (e.g., hostname, administrator password, system time zone). This step is not applicable in Azure.

See the topic titled Firstboot Wizard in the Forcepoint Appliances Getting Started Guide for detailed firstboot instructions.


	Note The source appliance hostname is not migrated to the destination appliance. The destination appliance uses the hostname set during firstboot, and then the upgrade process adds "-esg" to the end of the name.

Log on to the new version 8.5.x appliance CLI and elevate to config mode.

If you are migrating to an Azure deployment, skip to Step 6.

Set the appliance P1 interface using the set interface ipv4 command with the following syntax:

set interface ipv4 --interface p1 --ip <ipv4_address> [--mask <ipv4_netmask>] --gateway <ipv4_address>

Setting this interface now can facilitate the migration process in the event that your current P1 interface is a virtual IP address, which will not be migrated.

The P1 interface you configure in the CLI is displayed as "E1" in the Forcepoint Security Manager. This step is not applicable in Azure.


	Note If you use a client interface like PuTTY to connect to the appliance, configure a longer connection session to accommodate a slightly lengthy migration process. For example, in the PuTTY configuration interface, select the Connection category. Enter 30 in the Seconds between keepalives (0 to turn off) entry field.

Download the appropriate hotfix for your source virtual appliance version from the Forcepoint My Account Downloads page.

Version 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, or 8.5.3 on-premises: Hotfix 300

Version 8.3, 8.5.0, or 8.5.3 in Azure: Hotfix 301

Contact Forcepoint Technical Support for assistance to apply the hotfix to your previous version appliance.

See the ReadMe file packaged with the hotfix for more information about hotfix contents.

In the version 8.5.x appliance CLI, ensure you are still in config mode and then log in to the email module:

You may perform the migration using the migrate CLI command on the version 8.5.x appliance with one of two options: interactive or silent.

Interactive mode is a step-by-step process that requires user input during the process.

The following displays an example of the interactive mode command:

Interactive mode requires the following information to be entered:

Source appliance (pre-version 8.5.x) IP address.

Confirmation for the start of the migration.

Selection of a mode option; Azure or On-Premises.

Select Azure if you are migrating to a version 8.5.x Azure appliance.

Select On-Premises if you are migrating to a version 8.5.x on-premises appliance.

The following displays the selection of On-Premises to migrate to an 8.5.x on-premises appliance:

Selection of a transfer option.

If you migrate email message queues in addition to configuration settings, be aware that the transfer of large-volume queues may take a few hours to complete. The following image displays an example of the CLI for this section:

Silent mode requires the following information to be entered:

Source appliance (pre-version 8.5.x) IP address.

Migration mode; Azure or On-Premises.

Subscription key.

The subscription key is only required when the migration mode is Azure.

The second transfer option is automatically selected for silent mode, and the migration runs without the need for subsequent user input.

The following image displays an example of the CLI for silent mode:


	Important You must use your existing TRITON Manager or Forcepoint Security Manager Windows machine. Use of a newly installed TRITON Manager or Forcepoint Security Manager for an upgrade is not currently supported.

Consider the following after you perform your virtual appliance migration process:

If you have an email DLP policy configured to use a TRITON AP-DATA or Forcepoint DLP quarantine action, and the Release Gateway on the page Settings > General > Remediation is set to Use the gateway that detected the incident, you should change the Release Gateway to the IP address of your new appliance. Otherwise, when a Data Security module administrator releases a pre-migration quarantined message, an "Unable to release incident" error is generated.

Virtual IP address settings in filter actions are not retained after an appliance migration. You need to reconfigure virtual IP address settings manually.


	Important Please contact Technical Support if Forcepoint personnel have customized your appliance iptables settings. These customizations are not preserved by the migration process.