McAfee M-1250, Network Security Platform 6.1 Upgrade Manual

Upgrade Guide
McAfee® Network Security Platform 6.1
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
Preface
  About this guide
    Audience
    Conventions
  Finding product documentation
1 Overview
2 Managing a Heterogeneous Environment
  What are heterogeneous environments
  When would you need a heterogeneous environment?
  Upgrade paths to a heterogeneous environment
    Sample Scenarios
  Feature-support matrix for heterogeneous environments
3 Upgrading the Central Manager
  Reviewing the upgrade requirements
    Minimum required Central Manager version
    Central Manager system requirements
    Central Manager license file requirement
  Preparing for the upgrade
    Backing up Network Security Platform data
    Reviewing the Upgrade Considerations
  Central Manager and OS upgrade
    Approach 2: Using a new hardware
  MDR Central Manager upgrade
  Stand-alone Central Manager upgrade
    Upgrading the Signature Set for the Central Manager
4 Upgrading the Manager
  Reviewing the upgrade requirements
    Minimum required Manager version
    Manager system requirements
    Manager license file requirement
  Preparing for the upgrade
    Reviewing the Upgrade Considerations
    Backing up Network Security Platform data
  MDR Manager upgrade
  Manager and OS upgrade
    Approach 2: Using a new hardware
  Stand-alone Manager upgrade
    Running additional scripts
5 Performing Signature Set and Sensor Software upgrade
  Difference between an update and an upgrade
  Sensor upgrade requirements
  Reviewing the upgrade considerations
  Updating Sensor software image
    Sensor software upgrade: Manager vs. TFTP server
    Sensor Software and Signature Set Upgrade using Manager 6.0
    Sensor software upgrade using a TFTP server
    Updating Sensor software in a failover pair
6 Performing NTBA Appliance software upgrade
7 Information on downgrade
Index
Preface
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Finding product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2. Under Self Service, access the type of information you need:
To access... / Do this...
User documentation
  1. Click Product Documentation.
  2. Select a product, then select a version.
  3. Select a product document.
KnowledgeBase
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.
Overview
This guide provides information on how to upgrade your McAfee® Network Security Platform setup [formerly McAfee® IntruShield® Network Intrusion Prevention System] from 5.1 or an earlier version of 6.0 to the latest 6.0 version. To upgrade to an earlier version of 6.0, also see the corresponding Release Notes. The upgrade involves the following three phases that you need to complete in the same order:
1. If applicable, McAfee® Network Security Central Manager upgrade
2. McAfee® Network Security Manager upgrade
3. McAfee® Network Security Sensor software upgrade
4. If applicable, Network Threat Behavior Analysis Appliance upgrade from an earlier 6.0 version to the latest
As with any upgrade, McAfee strongly recommends that you always first try the upgrade on a test environment.
You would need to refer to the following documents during the upgrade process:
Manager Installation Guide
Manager Server Configuration Guide
Troubleshooting Guide
Custom Attack Definitions Guide
IPS Configuration Guide
System Status Monitoring Guide
Addendum II to 6.0 Documentation
An upgrade from 6.1 Beta to 6.0 is not supported. To use Network Security Platform 6.0 in your 6.1 Beta setup, uninstall 6.1 and then install 6.0.
Managing a Heterogeneous Environment
The latest 6.0 version of Network Security Platform enables you to manage a heterogeneous environment of Managers and Sensors. If you do not need to manage a heterogeneous environment, you can skip this chapter. To learn more about heterogeneous environments, see What are heterogeneous environments.
What are heterogeneous environments
Typically, the Manager and the Sensors that it manages are of the same major version. For example, a 6.0 Manager manages Sensors running on Sensor software 6.0.x.x. Similarly, a Central Manager and the corresponding Managers are all of the same major version. This document refers to these as homogeneous environments.
This document refers to the following as heterogeneous environments:
• The Central Manager and the corresponding Managers are of different successive major versions. For example, a 6.0 Central Manager manages 6.0 Managers and 5.1 Managers.
• The Manager and the corresponding Sensors are of different successive major versions. For example, some Sensors are on 5.1.x.x and the rest are on 6.0.x.x, all managed by a 6.0 Manager.
Notes:
• A Manager must always be of the same or higher version than the corresponding Sensors. Therefore, a 5.1 Manager managing 6.0 Sensors is not a valid scenario. Similarly, the Central Manager must be of the same or higher version than the corresponding Managers.
• Heterogeneous environments are supported only across two successive major versions. For example, a 6.0 Manager can manage Sensors on 5.1.x.x and 6.0.x.x but not Sensors on 4.1.x.x. Similarly, Central Manager 6.0 can manage 6.0 and 5.1 Managers but not 4.1 Managers.
• In Network Security Platform 6.0, Central Managers and Managers support heterogeneous environments only from version 6.0.7.x and above.
To use the information in this section, familiarize yourself with the following terms:
• Homogeneous Manager environment: The Central Manager and all the Managers are of the same major version.
• Heterogeneous Manager environment: At least one Manager is of a lesser major version than the Central Manager. For example, a 6.0 Central Manager that manages 6.0 and 5.1 Managers.
• Homogeneous Sensor environment: The Manager and all the Sensors are of the same major version.
• Heterogeneous Sensor environment: At least one Sensor is of a lesser major version than the Manager. For example, a 6.0 Manager managing 5.1 and 6.0 Sensors. Recall that a 6.0 Manager managing 4.1 Sensors is not a valid scenario.
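The version rules in the notes above can be checked against an inventory before an upgrade begins. The following is an added example, not McAfee code; the function names, device names and version strings are constructed, and comparing "same or higher version" at the major-version level is an assumption drawn from the guide's own examples.

```python
# Added example (not part of the McAfee guide). Inventory values are constructed.

# Successive major versions named in this guide, oldest first.
MAJOR_ORDER = ["4.1", "5.1", "6.0"]
# The guide states 6.0 supports heterogeneous environments from 6.0.7.x.
MIN_HETERO_6_0 = (6, 0, 7)


def parse(version):
    """'6.0.7.5' -> (6, 0, 7, 5). Raises ValueError on malformed input."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {version!r}")
    return parts


def major_index(version):
    """Position of the version's major release in MAJOR_ORDER."""
    p = parse(version)
    label = f"{p[0]}.{p[1]}"
    if label not in MAJOR_ORDER:
        raise ValueError(f"major version not covered by this guide: {label}")
    return MAJOR_ORDER.index(label)


def check(parent_name, parent_version, children):
    """Validate a parent (Central Manager or Manager) against its children
    (Managers or Sensors). `children` maps name -> version string.
    Returns a list of findings; an empty list means the pairing is valid.
    Assumption: "same or higher version" is compared at major-version level."""
    findings = []
    p_idx = major_index(parent_version)
    heterogeneous = False
    for name, ver in sorted(children.items()):
        c_idx = major_index(ver)
        if c_idx > p_idx:
            findings.append(
                f"{name} ({ver}) is newer than {parent_name} ({parent_version})")
        elif p_idx - c_idx > 1:
            findings.append(
                f"{name} ({ver}) is more than one major version behind {parent_name}")
        elif c_idx < p_idx:
            heterogeneous = True
    # A 6.0 parent managing 5.1 children needs build 6.0.7.x or above.
    if (heterogeneous and MAJOR_ORDER[p_idx] == "6.0"
            and parse(parent_version)[:3] < MIN_HETERO_6_0):
        findings.append(f"{parent_name} ({parent_version}) is below 6.0.7.x; "
                        "heterogeneous management is not supported")
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sensors = {"sensor-a": "5.1.3.1", "sensor-b": "6.0.1.2", "sensor-c": "4.1.9.4"}
    for line in check("Manager", "6.0.5.1", sensors) or ["valid"]:
        print(line)
```

The same function covers the Central Manager to Manager relationship by passing the Central Manager as the parent and its Managers as the children.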
When would you need a heterogeneous environment?
Support for managing a heterogeneous environment is typically for large deployments where upgrade of the Managers or the Sensors happens in phases. Consider a deployment of over a hundred Sensors that are on 5.1.x.x. As part of the upgrade process, you first upgrade the Manager as well as a few of the Sensors to 6.0. However, you may still need to make configuration changes and manage the 5.1 Sensors using the upgraded 6.0 Manager. You may also want to add some new 5.1 Sensors to the upgraded 6.0 Manager. These are possible with a Manager version that supports a heterogeneous Sensor environment.
McAfee strongly advises that you use the heterogeneous support feature only as an interim arrangement until you upgrade all your Managers and Sensors to the latest version. This enables you to make use of the latest features in Network Security Platform. For example, in case of M-series Sensors, the SSL Decryption feature is available only from 6.0.x.x. So, in your heterogeneous Sensor environment, you can configure and manage the 5.1 and 6.0 M-series Sensors alike but only the 6.0 M-series Sensors can decrypt SSL traffic for inspection.
In release 6.0, the names of some of the features have been changed for a better user-experience. Before you proceed further, familiarize yourself with these changes. See Reviewing the upgrade requirements, Upgrade Guide.
See also
Reviewing the upgrade requirements on page 31
Upgrade paths to a heterogeneous environment
This section provides some example scenarios to help you understand the possible upgrade paths to a heterogeneous environment. Correlate these scenarios with yours to derive an upgrade path for your deployment.
Sample Scenarios
The following is the list of sample scenarios. Proceed to the one that matches your deployment.
Though the sample scenarios predominantly feature only the I-series and M-series Sensors, a 6.0 Manager can manage the N-450 and Network Threat Behavior Analysis (NTBA) appliances as well.
Scenarios involving the Central Manager
The following scenarios involve the Central Manager. If you do not have a Central Manager deployed, you can proceed to Scenarios involving the Manager.
• Upgrade from a homogeneous 5.1 Manager environment to a heterogeneous 6.0 Manager environment:
  • Scenario 1: MDR setup
  • Scenario 2: Standalone setup
• Upgrade from a heterogeneous 5.1 Manager environment to a heterogeneous 6.0 Manager environment:
  • Scenario 3: MDR setup
  • Scenario 4: Standalone setup
Upgrade requirements for the scenarios listed above
• The Central Manager must be of version 5.1.11.22 or above. See the 4.1 to 5.1 Upgrade Guide for information on how to upgrade the Central Manager to a 5.1 version.
• As a best practice, upgrade any 4.1 Managers to 5.1.11.22 or a higher 5.1 version. Also, upgrade the 4.1 Sensors to the corresponding 5.1 version. So, before you begin your 6.0 upgrade, ensure there are no 4.1 Managers or Sensors in your deployment.
See also
Scenarios involving the Manager on page 15
Scenario 2 on page 12
Scenario 3 on page 13
Scenario 4 on page 14
Scenario 1
This scenario is about an upgrade from a homogeneous 5.1 Manager environment to a heterogeneous 6.0 Manager environment managed by an MDR pair of Central Managers.
The upgrade path for this scenario is as follows:
1. Upgrade the Central Manager MDR pair to the latest 6.0 version. See Upgrading the Central Manager.
2. Upgrade the required Manager MDR pairs to the latest 6.0 version. See Upgrading the Manager.
3. Upgrade the required Sensors to the latest 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Central Manager on page 3
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenario 2
This scenario is about an upgrade from a homogeneous 5.1 Manager environment to a heterogeneous 6.0 Manager environment managed by a standalone Central Manager.
The upgrade path for this scenario is as follows:
1. Upgrade the standalone Central Manager to the latest 6.0 version. See Upgrading the Central Manager.
2. Upgrade the required Managers to the latest 6.0 version. See Upgrading the Manager.
3. Upgrade the required Sensors managed by the 6.0 Managers. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Central Manager on page 3
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenario 3
This scenario is about an upgrade from a heterogeneous 5.1 Manager environment to a heterogeneous 6.0 Manager environment managed by an MDR pair of Central Managers.
The upgrade path for this scenario is as follows:
1. Upgrade all the 4.1 Managers to 5.1.11.22 or above. However, note that the Central Manager must be of the same or higher version than the Managers. See the 4.1 to 5.1 Upgrade Guide for the details.
2. After you upgrade the 4.1 Managers to 5.1, ensure they are up and functioning as configured.
3. Upgrade the 4.1 Sensors to the relevant 5.1 version. See the 4.1 to 5.1 Upgrade Guide for details.
4. After you upgrade the 4.1 Sensors to a 5.1 version, do a manual synchronization. Then, ensure the Sensors are up and functioning as configured.
Make sure there are no 4.1 Managers or Sensors when you begin to upgrade to 6.0.
5. Upgrade the Central Manager MDR pair to the latest 6.0 version. See Upgrading the Central Manager.
6. Upgrade the required Manager MDR pairs to the latest 6.0 version. See Upgrading the Manager.
7. Upgrade the required Sensors to the latest 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Central Manager on page 3
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenario 4
This scenario is about an upgrade from a heterogeneous Manager environment in 5.1 to a heterogeneous Manager environment in 6.0, managed by a standalone Central Manager.
The upgrade path for this scenario is as follows:
1. Upgrade all the 4.1 Managers to 5.1.11.22 or above. However, note that the Central Manager must be of the same or higher version than the Managers. See the 4.1 to 5.1 Upgrade Guide for the details.
2. After you upgrade the 4.1 Managers to 5.1, ensure they are up and functioning as configured.
3. Upgrade the 4.1 Sensors to the relevant 5.1 version. See the 4.1 to 5.1 Upgrade Guide for details.
4. After you upgrade the 4.1 Sensors to a 5.1 version, do a manual synchronization. Then, ensure the Sensors are up and functioning as configured.
Make sure there are no 4.1 Managers or Sensors when you begin to upgrade to 6.0.
5. Upgrade the standalone Central Manager to the latest 6.0 version. See Upgrading the Central Manager.
6. Upgrade the required Managers to the latest 6.0 version. See Upgrading the Manager.
7. Upgrade the required Sensors to the latest 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Central Manager on page 3
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenarios involving the Manager
Upgrade requirements for the scenarios listed in this section
• The Manager must be of version 5.1.11.22 or above. See the 4.1 to 5.1 Upgrade Guide for information on how to upgrade the Manager to a 5.1 version.
• As a best practice, upgrade any 4.1 Sensors to the corresponding 5.1 version. So, before you begin your upgrade to 6.0, ensure there are no 4.1 Sensors in your deployment.
The following are the scenarios in this section:
• Upgrade from a homogeneous Sensor environment in 5.1 to a heterogeneous Sensor environment in 6.0:
  • Scenario 5: MDR setup
  • Scenario 6: Standalone Manager setup
• Upgrade from a heterogeneous Sensor environment in 5.1 to a heterogeneous Sensor environment in 6.0:
  • Scenario 7: MDR setup
  • Scenario 8: Standalone Manager setup
If the Manager is of version 6.0.7.x or above, then I-series Sensors do not support NAC regardless of the Sensor software version.
See also
Scenario 5 on page 16
Scenario 8 on page 18
Scenario 6 on page 16
Scenario 5
This scenario is about an upgrade from a homogeneous Sensor environment in 5.1 to a heterogeneous Sensor environment in 6.0, managed by an MDR pair of Managers.
The upgrade path for this scenario is as follows:
1. Upgrade the Manager MDR pair to the latest 6.0 version. See Upgrading the Manager.
2. Upgrade the required Sensors to the latest 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenario 6
This scenario is about an upgrade from a homogeneous Sensor environment in 5.1 to a heterogeneous Sensor environment in 6.0, managed by a standalone Manager.
The upgrade path for this scenario is as follows:
1. Upgrade the standalone Manager to the latest 6.0 version. See Upgrading the Manager.
2. Upgrade the required Sensors to the relevant 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenario 7
This is about an upgrade from a heterogeneous Sensor environment in 5.1 to a heterogeneous Sensor environment in 6.0, managed by an MDR pair of Managers.
The upgrade path for this scenario is as follows:
1. Upgrade all the 4.1 Sensors to a relevant 5.1 software version. See the 4.1 to 5.1 Upgrade Guide for details.
Make sure there are no 4.1 Sensors added to the Managers when you begin to upgrade to 6.0; else, the Manager upgrade will fail.
2. After you upgrade the 4.1 Sensors to a 5.1 version, do a manual synchronization. Then, ensure the Sensors are up and functioning as configured.
3. Upgrade the Manager MDR pair to the latest 6.0 version. See Upgrading the Manager.
4. Upgrade the required Sensors to the latest 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Scenario 8
This is about an upgrade from a heterogeneous Sensor environment in 5.1 to a heterogeneous Sensor environment in 6.0, managed by a standalone Manager.
The upgrade path for this scenario is as follows:
1. Upgrade all the 4.1 Sensors to a relevant 5.1 software version. See the 4.1 to 5.1 Upgrade Guide for details.
Make sure there are no 4.1 Sensors added to the Manager when you begin to upgrade to 6.0; else, the Manager upgrade will fail.
2. After you upgrade the 4.1 Sensors to a 5.1 version, do a manual synchronization. Then, ensure the Sensors are up and functioning as configured.
3. Upgrade the standalone Manager to the latest 6.0 version. See Upgrading the Manager.
4. Upgrade the required Sensors to the latest 6.0 version. See Performing Signature Set and Sensor Software Upgrade.
See also
Upgrading the Manager on page 3
Performing Signature Set and Sensor Software upgrade on page 3
Feature-support matrix for heterogeneous environments
This section provides the feature-support matrix and the points that you should note when you work in a heterogeneous environment in Network Security Platform 6.0. The following table contains the major feature x Sensor software version x Sensor model matrix: