4 Replies Latest reply: Mar 26, 2013 11:52 AM by hschupp

    Upgrade plan


      I am currently running the following with the Manager on an old physical server:

      Manager =

      I-2700 Sensor =


      I'm planning an upgrade and have built a new virtual server and installed:

      Manager =


      I'm now ready to shut down the old Manager server, then import the I-2700 Sensor into the new Manager, after which I'll upgrade the Sensor to


      Does anyone see a problem with this scenario?



        • 1. Re: Upgrade plan

          Normally it should work.  Still, be ready to go back to the old config if something goes wrong.

          • 2. Re: Upgrade plan

            I agree with Sandwind.  This should work as you have described it.


            Verifications to make ahead of time:


            If there is a firewall between the NSM and the new Server you need to ensure that the NSM-Sensor communication ACLs are in place first.  This includes checking the NSM local firewall/HIPS rules. 






            Command Channel (UDP): Manager/Sensor Communication

              NSM src 4167 to 8500 listening on sensor

              Sensor src 8500 to 4167 listening on NSM

            8501: Install port (TCP), Sensor to Manager Communication

            8502: Alert Channel (Control Channel) (TCP), Sensor to Manager Communication

            8503: Packet Log Channel (TCP), Sensor to Manager Communication

            8504: File Transfer Channel (TCP), Sensor to Manager Communication


            When ready to move the sensor go to the CLI and type 'deinstall'

            Once the channels are down you can tell it where the new NSM is:  set manager ip

            Now add the sensor to the Device list on the new NSM and create the sharedsecret key there.

            Once done you can go back to the sensor and join it to the new NSM:  set sensor sharedsecretkey


            If there are any problems with the sensor joining the new server you can load Wireshark on the NSM server and filter for this sensor ip.  (filter format: ip.addr==sensorip).

            Verify that the communications are happening correctly.


            Note: the sensor will join the new NSM but it WILL NOT succeed in the initial sigset configuration download.  You can ignore this error.  As long as the sensor was able to join the NSM you can now download and push an upgrade to the 7.1.1.x version that is compatible with the I-2700.


            Your worst case scenario is that you might have to do a manual upgrade of the sensor to 7.1 before joining it to the NSM.  (text below is from KB 59403)


            To download a software image directly to the Sensor via a TFTP server, you must download the software from the McAfee website and place on the TFTP server to be used for the update.


            NOTE: Refer to the TFTP server documentation for specific instructions on how to place the Sensor software on the TFTP server.

            1. Download and place the Sensor software on the TFTP Server:

              1. Download the software image from the McAfee website to the TFTP server. This file is compressed in a .JAR file.

                To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.

                For instructions on downloading, see: KB56057.

                Ensure that you download the correct Sensor image for the Sensor model and the software version that is installed on the Manager, Sensor and Signatures.
              2. Extract the files from the .JAR file. To do this rename the file to a .zip extension if required and extract the contents.
              3. Save the image file to the /tftpboot directory.  (image file is the file inside the zip without an extension)
              4. After the image is on the TFTP server, upload the image from the TFTP server to the Sensor.
            2. Log in to the Sensor console and connect to the TFTP server:

              1. Log on to the Sensor. The default username is admin and the default password is admin123.
                NOTE: McAfee strongly recommends that you change the password.
              2. Specify the IP address of the TFTP server to identify it to the Sensor.
              3. At the prompt, type set tftpserver ip <ip address> and press ENTER.
                For example, set tftpserver ip
            3. Load the image file on the Sensor:

              1. At the prompt, type loadimage <image name> and press ENTER.
                For example, loadimage SensorImage.
                You see a message after the image has been loaded.
              2. To use the new software image, you must reboot the Sensor. Type reboot and press ENTER. You must confirm that you want to reboot.
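
The port list in reply 2 can be turned into a check over a capture taken on the NSM server. This is an added example, not part of the original posts: it assumes the capture's flows were exported as CSV lines `proto,src,sport,dst,dport` (an assumed format), and the sample rows and the 192.0.2.x addresses are constructed.

```python
import csv
import io

# Channel matrix from the port list in reply 2:
# (name, protocol, sending side, fixed source port or None, destination port)
CHANNELS = [
    ("command NSM->sensor", "udp", "nsm", 4167, 8500),
    ("command sensor->NSM", "udp", "sensor", 8500, 4167),
    ("install", "tcp", "sensor", None, 8501),
    ("alert", "tcp", "sensor", None, 8502),
    ("packet log", "tcp", "sensor", None, 8503),
    ("file transfer", "tcp", "sensor", None, 8504),
]

NSM_IP, SENSOR_IP = "192.0.2.10", "192.0.2.20"  # constructed addresses

# Constructed sample export: no sensor-to-NSM traffic on 8503.
SAMPLE = """\
proto,src,sport,dst,dport
udp,192.0.2.10,4167,192.0.2.20,8500
udp,192.0.2.20,8500,192.0.2.10,4167
tcp,192.0.2.20,40112,192.0.2.10,8501
tcp,192.0.2.20,40113,192.0.2.10,8502
tcp,192.0.2.10,8502,192.0.2.20,40113
tcp,192.0.2.20,40115,192.0.2.10,8504
"""

def missing_channels(flow_csv, nsm_ip, sensor_ip):
    """Return the names of channels with no matching flow in the export."""
    ip_of = {"nsm": nsm_ip, "sensor": sensor_ip}
    seen = set()
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # blank or malformed line
        proto, src, sport, dst, dport = (f.strip() for f in row)
        if not (sport.isdigit() and dport.isdigit()):
            continue  # header row
        for name, c_proto, sender, c_sport, c_dport in CHANNELS:
            receiver = "sensor" if sender == "nsm" else "nsm"
            if (proto.lower() == c_proto
                    and src == ip_of[sender] and dst == ip_of[receiver]
                    and int(dport) == c_dport
                    and c_sport in (None, int(sport))):
                seen.add(name)
    return [name for name, *_ in CHANNELS if name not in seen]

if __name__ == "__main__":
    print(missing_channels(SAMPLE, NSM_IP, SENSOR_IP))
```

A channel reported as missing had no packets from the expected sender in the capture, which points at an ACL or local firewall/HIPS rule on that path. A channel that is present only shows that packets were sent, not that the session completed.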
            • 3. Re: Upgrade plan

              Thanks for the in-depth information!


              I have a question, though.  You wrote:

              Once the channels are down you can tell it where the new NSM is: set manager ip

              Since I'm reusing the Manager's IP (by shutting down the old Manager then re-IPing the new Manager) and using the same secret key, I was hoping that the Sensor wouldn't need to be reconfigured.  Is this not the case?

              • 4. Re: Upgrade plan

                Travler -


                That will work ok but you will still have to perform the deinstall/set sharedsecretkey process on the sensor.

                This is because the shared secret key that is generated on the new NSM -- despite naming it the same and/or re-ip-ing it the same -- will change.  I do not even know all the variables used on an NSM for generating that key but you will have to deinstall the sensor from the old NSM and then rejoin it to the new one.


                Fortunately this will not affect the sensor operation. That part will not require the sensor to reboot, and just breaking the trust to the old manager (deinstall command) will not stop the sensor from continuing to perform its function.


                It is not until you push the upgrade to the sensor that it will have to be rebooted.




                Note:  IF you built the new server by installing on it and restoring a backup of the production server to it and THEN upgraded it to 7.1.x.x then the sharedsecret of the production was carried with that restoration.  IF you just installed 7.1 fresh on the server then my instructions above are correct.