1054 Views 4 Replies Latest reply: Mar 26, 2013 11:52 AM by hschupp RSS
Travler The Place at McAfee Member 255 posts since
Mar 28, 2008

Mar 6, 2013 8:16 AM

Upgrade plan

I am currently running the following with the Manager on an old physical server:

Manager = 5.1.17.7

I-2700 Sensor = 5.1.5.217

 

I'm planning an upgrade and have built a new virtual server and installed:

Manager = 7.1.3.5

 

I'm now ready to shut down the old Manager server, then import the I-2700 Sensor into the new Manager, after which I'll upgrade the Sensor to  7.1.1.1.

 

Does anyone see a problem with this scenario?

 

TIA


ePO 4.6.6 (Build: 176)
MA 4.8.0.1500

VSE 8.8.0.975, 5400 Engine (2600+ systems)
EE Agent 7.0.3.413
EEPC 7.0.3.413
Intrushield 5.1.17.7
I-2700 Sensor 5.1.5.217

MWG 7.3.2.8.0 (17286)
MWR 5.2 (Build: 1086)
MFE 8.3.2 Patch2
  • sandwind Newcomer 8 posts since
    May 12, 2011
    1. Mar 11, 2013 11:27 PM (in response to Travler)
    Re: Upgrade plan

    Normally it should work.  Still, be ready to go back to the old config if something goes wrong.

  • hschupp Newcomer 20 posts since
    Dec 11, 2008
    2. Mar 26, 2013 10:11 AM (in response to Travler)
    Re: Upgrade plan

    I agree with Sandwind.  This should work as you have described it.

     

    Verifications to make ahead of time:

     

    If there is a firewall between the NSM and the new Server you need to ensure that the NSM-Sensor communication ACLs are in place first.  This includes checking the NSM local firewall/HIPS rules. 

     

    | Port | Description | Comments |
    |---|---|---|
    | 8500 & 4167 | Command Channel (UDP) | NSM src 4167 to 8500 listening on sensor; Sensor src 8500 to 4167 listening on NSM; Manager/Sensor Communication |
    | 8501 | Install port (TCP) | Sensor to Manager Communication |
    | 8502 | Alert Channel (Control Channel) (TCP) | Sensor to Manager Communication |
    | 8503 | Packet Log Channel (TCP) | Sensor to Manager Communication |
    | 8504 | File Transfer Channel (TCP) | Sensor to Manager Communication |

     

    When ready to move the sensor go to the CLI and type 'deinstall'

    Once the channels are down you can tell it where the new NSM is:  set manager ip 10.10.10.10

    Now add the sensor to the Device list on the new NSM and create the sharedsecret key there.

    Once done you can go back to the sensor and join it to the new NSM:  set sensor sharedsecretkey

     

    If there are any problems with the sensor joining the new server you can load Wireshark on the NSM server and filter for this sensor IP.  (filter format: ip.addr==sensorip).

    Verify that the communications are happening correctly.

     

    Note.. the sensor will join the new NSM but it WILL NOT succeed in the initial sigset configuration download.  You can ignore this error.  As long as the sensor was able to join the NSM you can now download and push an upgrade to the 7.1.1.x version that is compatible with the I-2700.

     

    Your worst case scenario is that you might have to do a manual upgrade of the sensor to 7.1 before joining it to the NSM.  (text below is from KB 59403)

     

    To download a software image directly to the Sensor via a TFTP server, you must download the software from the McAfee website and place on the TFTP server to be used for the update.

     

    NOTE: Refer to the TFTP server documentation for specific instructions on how to place the Sensor software on the TFTP server.

    1. Download and place the Sensor software on the TFTP Server:

      1. Download the software image from the McAfee website to the TFTP server. This file is compressed in a .JAR file.

        To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.

        For instructions on downloading, see: KB56057.

        Ensure that you download the correct Sensor image for the Sensor model and the software version that is installed on the Manager, Sensor and Signatures.
         
      2. Extract the files from the .JAR file. To do this rename the file to a .zip extension if required and extract the contents.
      3. Save the image file to the /tftpboot directory.  (image file is the file inside the zip without an extension)
      4. After the image is on the TFTP server, upload the image from the TFTP server to the Sensor.
         
    2. Log in to the Sensor console and connect to the TFTP server:

      1. Log on to the Sensor. The default username is admin and the default password is admin123.
        NOTE: McAfee strongly recommends that you change the password.
      2. Specify the IP address of the TFTP server to identify it to the Sensor.
      3. At the prompt, type set tftpserver ip <ip address> and press ENTER.
        For example, set tftpserver ip 192.34.2.8.
         
    3. Load the image file on the Sensor:

      1. At the prompt, type loadimage <image name> and press ENTER.
        For example, loadimage SensorImage.
        You see a message after the image has been loaded.
      2. To use the new software image, you must reboot the Sensor. Type reboot and press ENTER. You must confirm that you want to reboot.
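Added example, not part of the thread or of McAfee's documentation: a pre-migration check for the "verifications to make ahead of time" in the reply above, probing the TCP channels from the port table against the new Manager. It assumes it is run from a host on the sensor's management network; the function names are illustrative.

```python
import socket
import sys

# TCP channels the sensor opens toward the Manager, taken from the port table
# in the reply. The UDP command channel (4167/8500) is left out: a UDP probe
# cannot tell "filtered" from "open but silent", so check it with a capture.
NSM_TCP_CHANNELS = {
    8501: "Install port",
    8502: "Alert Channel (Control Channel)",
    8503: "Packet Log Channel",
    8504: "File Transfer Channel",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST came back: the host is reachable but nothing accepted the
        # connection (service down, or a firewall that rejects).
        return "closed"
    except OSError:
        # Timeout or unreachable: dropped by an ACL, host firewall/HIPS,
        # or there is no route to the Manager.
        return "filtered"


def check_manager(host, channels=NSM_TCP_CHANNELS, timeout=3.0):
    """Return {port: (description, state)} for every channel given."""
    return {p: (d, probe(host, p, timeout)) for p, d in channels.items()}


def blocked(results):
    """Ports that would keep the sensor from joining the Manager."""
    return sorted(p for p, (_, state) in results.items() if state != "open")


if __name__ == "__main__":
    # Default is the example Manager IP used in the reply; pass the real one.
    manager = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10"
    results = check_manager(manager)
    for port, (desc, state) in sorted(results.items()):
        print(f"{port}/tcp  {desc:<34} {state}")
    sys.exit(1 if blocked(results) else 0)
```

A "filtered" result points at the ACL or the NSM local firewall/HIPS rules, while "closed" points at the Manager service itself.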
  • hschupp Newcomer 20 posts since
    Dec 11, 2008
    4. Mar 26, 2013 11:52 AM (in response to Travler)
    Re: Upgrade plan

    Travler -

     

    That will work ok but you will still have to perform the deinstall/set sharedsecretkey process on the sensor.

    This is because the shared secret key that is generated on the new NSM -- despite naming it the same and/or re-ip-ing it the same -- will change.  I do not even know all the variables used on an NSM for generating that key but you will have to deinstall the sensor from the old NSM and then rejoin it to the new one.

     

    Fortunately this will not affect the sensor operation.. that part will not require the sensor to reboot and just breaking the trust to the old manager (deinstall command) will not stop the sensor from continuing to perform its function.

     

    It is not until you push the upgrade to the sensor that it will have to be rebooted.

     

    Hank

     

    Note:  IF you built the new server by installing 5.1.17.7 on it and restoring a backup of the production server to it and THEN upgraded it to 7.1.x.x then the sharedsecret of the production was carried with that restoration.  IF you just installed 7.1 fresh on the server then my instructions above are correct.
