My organization is running a pair of ESM units (version 9.6.1 MR1) in a primary-redundant relationship. I intend to upgrade to MR2 next week.
As the admin I have upgraded many times previously with this config and my organization has just "taken the hit" with a service disruption by first upgrading the primary ESM, then receivers, corr engines, ELMs and finally the redundant ESM.
I would prefer to perform the upgrade in such a way that we maintain near-continuous availability of the ESM functionality through the upgrade process. Management has suggested this should be a priority, as the ESM upgrade itself requires 2-3 hours with the attendant loss of visibility to any significant series of events; the fallback is manual monitoring of individual security tools in the environment, which is naturally far less effective.
If anyone knows how to upgrade the ESM units in a way that there is always one active and processing events from the receivers (also HA) plus feeding the correlation engine, I would greatly appreciate it if you could outline the process.
Thank you for your response. I'm not sure which document you are suggesting that I refer to for the FIPS upgrade steps, I located the following info in "Release Notes McAfee Enterprise Security Manager 9.6.0" / sm_960_rn_en-us-rev-a.pdf
1 Upgrade the ELM or ELMERC.
2 Upgrade Nitro IPS, Event Receiver, ACE, DEM, and ADM.
3 Upgrade the ESM, ESMREC, or ENMELM. You can begin when all device upgrades start.
Failure to upgrade the devices before upgrading the ESM when in FIPS mode can affect ELM log collection.
I am looking for a process which actually connects the receivers, ELM units and correlation engine to the redundant ESM for the duration of the upgrade of the primary, followed by reconnecting them back to the primary to upgrade the redundant. The FIPS related information that I have found to date does not cover such a scenario.
In that case, you can promote the redundant ESM to be primary. Once done, remove the redundant ESM setting in the ESM, then carry on with the upgrade. But this will actually take longer, as you have to do a sync and potentially a full sync...
Just got a response back from McAfee support... apparently the official line is that the redundant ESM cannot be used in the way you suggest, which I stress does not mean that it will not work. Probably the biggest hurdles are if the master/replicant sync somehow does not work, as well as the increased upgrade time as you pointed out.
I'm not concerned about increasing the upgrade time as the loss of ESM availability is of greater importance... the promotion of redundant and upgrade of the "usual" primary could be done a full day prior to the bulk of the upgrade (receivers, ELM etc.), at which time the usual primary would in fact become defined as the redundant.
The next day you'd then confirm that the sync of the redundant (aka usual primary) is completed prior to the real upgrade (receivers, ELM, etc.), at which time it would be re-promoted to its normal role as primary and the upgrade process would go in a relatively normal fashion.
Anyone reading this who believes that the ESM upgrade process should be able to effectively make use of the expensive redundant ESM that your organization has purchased (or is considering purchasing), and that doing so should be much easier, properly documented and fully supported, please go vote for this as an enhancement here:
Thanks & Regards, SJ.