7 Replies Latest reply on Jun 4, 2012 4:34 PM by sliedl

    Tips for Upgrading to Sidewinder 7.01.02

    bragot

      Due to the upcoming End of Life of Sidewinder 7.0.0.07, we finally decided to upgrade to 7.01.02.  I've compiled a list of issues I learned from the upgrade that weren't documented in any of the readme's or Knowledge Base articles.  Hope this comes in helpful for anyone else who may be planning the same thing.

       

      1. If you're going to do a disaster recovery backup before the upgrade, be sure that you are NOT using a Sandisk U3 USB drive (This is documented in the KB)
      2. When upgrading to 7.01.02, it’s very picky aboutthe /etc/secureos/auditd.conf file.  All syslog entries must be deleted (not commented out) and you must place the following syntax at the end of the file preceeded by a white space:

        syslog_securityreporter[no]
      3. To troubleshoot upgrades, check the file install_output file located in either the /var/packages/status2 or /var/packages/status3 folder depending on which slice the update is being applied to.
      4. As of May 12, 2011, it's also recommended by support to apply 70102H15 and 70102H19. 
      5. After applying the 2 hotfixes, I received an SSL error when logging into the console.  To fix this, run the command cf daemond restart agent=acld from the CLI.

       

      Hope this helps all those upgrading!

        • 1. Re: Tips for Upgrading to Sidewinder 7.01.02
          sliedl

          Excellent advice, thanks for posting!

           

          For number 2, you can also run "cp  /usr/share/skel/auditd.conf  /secureos/etc/auditd.conf" to copy the 'skeleton' auditd.conf file (the default one) over your current file.  Remember though: if you've edited auditd.conf and put in some kind of filter for sending only specific audits to your syslog server, you'll want to save this file.  Just do a "cp  /secureos/etc/auditd.conf  /home/username/" to copy the file to your home directory.

           

          For number 3, run "mount".  Look at the first line; it will say /dev/---s#a, where it's either s2a or s3a, indicating the current 'slice' you're on right now.  The firewall installs software to the opposite slice it's running on, so if it says s2a, look in /var/packages/status3/install_output for errors, or ../status2/install_output if it says s3a there.  The exact same procedure holds true if you're upgrading from 70102 to v8 (and this procedure is in the 7-to-8 upgrade guide, page 15).

           

          Thanks once again.

          • 2. Re: Tips for Upgrading to Sidewinder 7.01.02
            oreeh

            My tip for upgrading from any version to any version:

             

            do a "maual" upgrade (using "cf ... q > file" and "cf -f ...") whenever possible.

            I yet have to stumble upon an upgrade script that works flawlessly (the worst is the 8.1.1. upgrade patch).

             

            on 5/16/11 6:26:12 PM CEST
            • 3. Re: Tips for Upgrading to Sidewinder 7.01.02
              sliedl

              You can do this for the 'ipaddr' objects, and the 'host' objects, things like that, but this will not work for your rules, i.e. 'cf policy q', as the rule structure has changed.  You can basically import most of your "objects" (not your services though), but you cannot import your rules like this.

              • 4. Re: Tips for Upgrading to Sidewinder 7.01.02
                oreeh

                Of course you have to convert the rules ... but that isn't too hard using Perl or shell scripts.

                • 5. Re: Tips for Upgrading to Sidewinder 7.01.02
                  infosecjeff

                  Do you have a working shell script I could borrow for converting the v7 rules to v8 rules?

                  • 6. Re: Tips for Upgrading to Sidewinder 7.01.02
                    PhilM

                    I have to agree that some of the earlier v8 upgrade processes left something to be desired. Despite creating a number of seemingly duplicate application defenses, the 7.0.1.03 to v8.1.2 upgrade process seems to be an improvement. I haven't performed any myself yet, but this is what I've been told by a colleague.

                     

                    Phil.

                    • 7. Re: Tips for Upgrading to Sidewinder 7.01.02
                      sliedl

                      There is no shell script for upgrading from 7 to 8.  It's a very complicated process internally.  The upgrade script is the only way to upgrade (other than plug and chug and type it all in at 8, which would actually help you learn 8 more and might help you clean up your policy).

                       

                      I wrote this KB last week:  How to upgrade a firewall from 7.0.0 to 7.0.1 and from 7.0.1 to 8.x.  It's not in-depth, but it gives you the general gist of what you have to do.

                       

                      Upgrade to 7.0.1.03.  Install 70103UP812.  Disconnect from the GUI and reconnect and then load and install 8.1.1 and 8.1.2.  The firewall reboots and it's at 8.1.2.  If you don't like it, reboot the firewall and choose 'Alternate System' and now you'll be back at 70103.  If you are using the 8.1.2 'slice' and you install patches 8.2.0 and 8.2.1 you lose your 70103 'slice' though, keep that in mind.