Travler
Level 10
Message 1 of 5

Upgrade plan

I am currently running the following with the Manager on an old physical server:

Manager = 5.1.17.7

I-2700 Sensor = 5.1.5.217

I'm planning an upgrade and have built a new virtual server and installed:

Manager = 7.1.3.5

I'm now ready to shut down the old Manager server, then import the I-2700 Sensor into the new Manager, after which I'll upgrade the Sensor to  7.1.1.1.

Does anyone see a problem with this scenario?

TIA

4 Replies
Former Member
Not applicable
Message 2 of 5

Re: Upgrade plan

Normally it should work. Still, be ready to go back to the old config if something goes wrong.

hschupp
McAfee Employee
Message 3 of 5

Re: Upgrade plan

I agree with Sandwind.  This should work as you have described it.

Verifications to make ahead of time:

If there is a firewall between the NSM and the new Server you need to ensure that the NSM-Sensor communication ACLs are in place first.  This includes checking the NSM local firewall/HIPS rules. 

| Port | Description | Comments |
|---|---|---|
| 8500 & 4167 | Command Channel (UDP): NSM src 4167 to 8500 listening on sensor; Sensor src 8500 to 4167 listening on NSM | Manager/Sensor Communication |
| 8501 | Install port (TCP) | Sensor to Manager Communication |
| 8502 | Alert Channel (Control Channel) (TCP) | Sensor to Manager Communication |
| 8503 | Packet Log Channel (TCP) | Sensor to Manager Communication |
| 8504 | File Transfer Channel (TCP) | Sensor to Manager Communication |

When ready to move the sensor go to the CLI and type 'deinstall'

Once the channels are down you can tell it where the new NSM is:  set manager ip 10.10.10.10

Now add the sensor to the Device list on the new NSM and create the sharedsecret key there.

Once done you can go back to the sensor and join it to the new NSM:  set sensor sharedsecretkey

If there are any problems with the sensor joining the new server you can load Wireshark on the NSM server and filter for this sensor IP (filter format: ip.addr==sensorip).

Verify that the communications are happening correctly.

Note: the sensor will join the new NSM but it WILL NOT succeed in the initial sigset configuration download.  You can ignore this error.  As long as the sensor was able to join the NSM you can now download and push an upgrade to the 7.1.1.x version that is compatible with the I-2700.

Your worst case scenario is that you might have to do a manual upgrade of the sensor to 7.1 before joining it to the NSM.  (text below is from KB 59403)

To download a software image directly to the Sensor via a TFTP server, you must download the software from the McAfee website and place on the TFTP server to be used for the update.

NOTE: Refer to the TFTP server documentation for specific instructions on how to place the Sensor software on the TFTP server.

  1. Download and place the Sensor software on the TFTP Server:

    1. Download the software image from the McAfee website to the TFTP server. This file is compressed in a .JAR file.

      To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.

      For instructions on downloading, see: KB56057.

      Ensure that you download the correct Sensor image for the Sensor model and the software version that is installed on the Manager, Sensor and Signatures.
       
    2. Extract the files from the .JAR file. To do this rename the file to a .zip extension if required and extract the contents.
    3. Save the image file to the /tftpboot directory.  (image file is the file inside the zip without an extension)
    4. After the image is on the TFTP server, upload the image from the TFTP server to the Sensor.
       
  2. Log in to the Sensor console and connect to the TFTP server:

    1. Log on to the Sensor. The default username is admin and the default password is admin123.
      NOTE: McAfee strongly recommends that you change the password.
    2. Specify the IP address of the TFTP server to identify it to the Sensor.
    3. At the prompt, type set tftpserver ip <ip address> and press ENTER.
      For example, set tftpserver ip 192.34.2.8.
       
  3. Load the image file on the Sensor:

    1. At the prompt, type loadimage <image name> and press ENTER.
      For example, loadimage SensorImage.
      You see a message after the image has been loaded.
    2. To use the new software image, you must reboot the Sensor. Type reboot and press ENTER. You must confirm that you want to reboot.
Henry "Hank" Schupp
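
The Wireshark check described in the reply above can be turned into a per-channel report. This is an added example, not part of the original post or of any McAfee tooling: it assumes the capture was exported to CSV with the hypothetical columns proto, src, sport, dst, dport, that the TCP channels are opened from the sensor to the listed port on the NSM, and it uses constructed sample rows (10.10.10.20 is a made-up sensor address).

```python
import csv
import io

# Channel map taken from the port table in the reply above.
# name -> (protocol, direction, required source port or None, destination port)
CHANNELS = {
    "command (NSM to sensor)": ("udp", "nsm->sensor", 4167, 8500),
    "command (sensor to NSM)": ("udp", "sensor->nsm", 8500, 4167),
    "install": ("tcp", "sensor->nsm", None, 8501),
    "alert": ("tcp", "sensor->nsm", None, 8502),
    "packet log": ("tcp", "sensor->nsm", None, 8503),
    "file transfer": ("tcp", "sensor->nsm", None, 8504),
}

def load_rows(text):
    """Parse the exported capture (CSV text) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def channels_seen(rows, nsm_ip, sensor_ip):
    """Count packets per channel, looking only at NSM <-> sensor traffic."""
    counts = {name: 0 for name in CHANNELS}
    for row in rows:
        if (row["src"], row["dst"]) == (nsm_ip, sensor_ip):
            direction = "nsm->sensor"
        elif (row["src"], row["dst"]) == (sensor_ip, nsm_ip):
            direction = "sensor->nsm"
        else:
            continue  # traffic to or from some other host
        for name, (proto, want_dir, sport, dport) in CHANNELS.items():
            if (row["proto"].lower() == proto and direction == want_dir
                    and int(row["dport"]) == dport
                    and (sport is None or int(row["sport"]) == sport)):
                counts[name] += 1
    return counts

def missing_channels(rows, nsm_ip, sensor_ip):
    """Channels with no observed packets: the ACLs to re-check first."""
    counts = channels_seen(rows, nsm_ip, sensor_ip)
    return [name for name, n in counts.items() if n == 0]

# Constructed sample export; the last row comes from an unrelated host.
SAMPLE_CSV = """proto,src,sport,dst,dport
udp,10.10.10.10,4167,10.10.10.20,8500
udp,10.10.10.20,8500,10.10.10.10,4167
tcp,10.10.10.20,40112,10.10.10.10,8501
tcp,10.10.10.20,40113,10.10.10.10,8502
tcp,10.10.10.30,40200,10.10.10.10,8503
"""

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for name in missing_channels(rows, "10.10.10.10", "10.10.10.20"):
        print("no traffic seen on channel:", name)
```

A channel with no packets in the capture window is not proof of a block, only the place to start when comparing against the firewall and HIPS rules.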
Travler
Level 10
Message 4 of 5

Re: Upgrade plan

Thanks for the in-depth information!

I have a question, though.  You wrote:

Once the channels are down you can tell it where the new NSM is: set manager ip 10.10.10.10

Since I'm reusing the Manager's IP (by shutting down the old Manager then re-IPing the new Manager) and using the same secret key, I was hoping that the Sensor wouldn't need to be reconfigured.  Is this not the case?

hschupp
McAfee Employee
Message 5 of 5

Re: Upgrade plan

Travler -

That will work ok but you will still have to perform the deinstall/set sharedsecretkey process on the sensor.

This is because the shared secret key that is generated on the new NSM -- despite naming it the same and/or re-ip-ing it the same -- will change.  I do not even know all the variables used on an NSM for generating that key but you will have to deinstall the sensor from the old NSM and then rejoin it to the new one.

Fortunately this will not affect the sensor operation. That part will not require the sensor to reboot, and just breaking the trust to the old manager (deinstall command) will not stop the sensor from continuing to perform its function.

It is not until you push the upgrade to the sensor that it will have to be rebooted.

Hank

Note:  IF you built the new server by installing 5.1.17.7 on it and restoring a backup of the production server to it and THEN upgraded it to 7.1.x.x then the sharedsecret of the production was carried with that restoration.  IF you just installed 7.1 fresh on the server then my instructions above are correct.

Henry "Hank" Schupp