cancel
Showing results for 
Search instead for 
Did you mean: 
yadda
Level 7
Report Inappropriate Content
Message 1 of 4

Upgrading Extensions leads to default policy?

Jump to solution

Upgrading  extensions for McAfee Firewall in our environment (ePO 5.9.1).

Once the extension was installed, agents checking in got the default policy (Firewall Enabled), instead of our default policy of (Firewall disabled). This resulted in an outage for several critical areas.

Checked the policy catalog and the policies we defined were no longer present.

We were able to recover them from our test environment, however it appears that the behavior of the extension upgrade path is to remove the previous extension (and associated policies).

Discussing with other ePO Admins locally, this lesson has been learned by many the hard way with upgrading extensions for DLP, ENS/VSE, etc.

It may be helpful to new ePO admins to include an automated process to back up if extension is being upgraded, a button for backup of existing policies, or at least a notification to manually back up policies from the Install extensions from page/dialogue. 

1 Solution

Accepted Solutions
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Upgrading Extensions leads to default policy?

Jump to solution

It is not supposed to remove all existing policies, only upgrade everything that is there.  So if they were removed, there was a failure somewhere in the install, which the hips team would need to investigate since it is their extension. 

One thing that can help when upgrading extensions is to follow some best practices to ensure clients don't inadvertently get wrong policies.

1. Stop apache service only (epo server service) on epp server and all agent handlers if any.  This prevents clients from getting any policy changes.

2. In server settings, policy and task retension, ensure that is enabled to retain policies and tasks if an extension is removed

3. Export current policies and their assignments - it is always good to have those as a backup periodically

3. Have a current backup of your file system and database.

4. Once it is installed, validate policies and assignments before turning back on apache.

Extension upgrades may sound like a simple thing, but if things go wrong, it is not a good thing to have to mitigate the damage to policy assignments, etc. 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

3 Replies
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Upgrading Extensions leads to default policy?

Jump to solution

It is not supposed to remove all existing policies, only upgrade everything that is there.  So if they were removed, there was a failure somewhere in the install, which the hips team would need to investigate since it is their extension. 

One thing that can help when upgrading extensions is to follow some best practices to ensure clients don't inadvertently get wrong policies.

1. Stop apache service only (epo server service) on epp server and all agent handlers if any.  This prevents clients from getting any policy changes.

2. In server settings, policy and task retension, ensure that is enabled to retain policies and tasks if an extension is removed

3. Export current policies and their assignments - it is always good to have those as a backup periodically

3. Have a current backup of your file system and database.

4. Once it is installed, validate policies and assignments before turning back on apache.

Extension upgrades may sound like a simple thing, but if things go wrong, it is not a good thing to have to mitigate the damage to policy assignments, etc. 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

yadda
Level 7
Report Inappropriate Content
Message 3 of 4

Re: Upgrading Extensions leads to default policy?

Jump to solution

Thanks for the quick reply cdinet

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 4 of 4

Re: Upgrading Extensions leads to default policy?

Jump to solution

Glad to help!

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community