Products

Data Loss Prevention

Issue/Introduction

This is an overview for upgrading Symantec DLP and what information is needed for support if an upgrade fails.

Note:

The Oracle Upgrade section below is only required if your Oracle platform is on version 12c. In that case follow that guidance to upgrade to 19c
A Release Update (RU) is a major version upgrade that contains new features/capabilities as well as bug-fixes and likely a DB schema update. The update to the DB schema occurs as part of the Enforce server upgrade
When applying RUs the upgrade order of DLP components must be as shown below in the Resolution section. For example an agent may not be on a more advanced RU version than the detection server to which it reports.

Environment

DLP 15.8 and 16.0, 16.0 RU1, 16.0 RU2

Resolution

There are 4 main components to upgrades:

Oracle Upgrade
Enforce Server
Detection Server
Endpoint Agents
What do I do if an upgrade failed? What does support need to help me?

Each component has a guide that explains the steps in detail on what needs to be done.

Link for additional Help topics:

Online guide for upgrading DLP 16.0 (recommended to go directly to 16.0.2 if possible)

Online guide for upgrading DLP 16.0.1 (16.0 RU1)

Online guide for upgrading DLP 16.0.2 (16.0 RU2)

15.8, see the Upgrade Guide in the 15.8 Related Documents section

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-8/related-documents-15-8.html

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.8_Upgrade_Guide_Win.pdf

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.8_Upgrade_Guide_Lin.pdf

Oracle Upgrade

It is best to follow the Oracle upgrade guide here.

Please make sure to have a cold backup before proceeding.

This is very important.

A Cold backup for DLP includes all of these items occur; stop Oracle services, stop all DLP Enforce services, stop Oracle jobs or allow Oracle jobs to complete and assure a copy of all the database files is made.

Also, assure the good, Cold backup does not get overwritten and is available in a secure location.

Note: Assure that the Upgrade Readiness Tool (URT) is run before and after the Oracle upgrade to make sure the DLP schema for the database is in a consistent state. Assure that the URT run before is reviewed by Symantec Support prior to upgrade efforts.

Oracle has multiple options for upgrading:

Upgrade on the same server

Advantages

- New hardware is not required.

Disadvantages

- Recovery time can be longer.
- Backups issues.
  - If backups are corrupted or were not taken correctly, there is a high probability that all is lost. It is recommended
    - Assure your backups are verified as good backups.
    - Assure your good backups DO NOT become overwritten.

Migrate

Advantages

- Easy recovery.
- Verified good backups.
- If issues occur, you can restart services on the old Oracle server and troubleshoot the problem on the new machine and address it. After this attempt the upgrade again.

Disadvantages

- Need new hardware.
- Time-consuming.

Now there is one more advantage here. You can use the Migrate model as a temporary solution. Let’s say you would like to upgrade Oracle on the same machine but want the advantages under the Migrate section. Let’s say you’re going from 12c to 19c. You can:

1. Migrate the database to new temp Oracle server.
2. Upgrade the database to the new 19c version.
3. Once confirmed working you can uninstall Oracle 12c on the original server and install the 19c and move the database over.
4. Decommission the temp Oracle server once everything is confirmed working.

This method will allow you to take full advantage of the migration method while keeping only one Oracle server.

Import and Export using IMPDP/EXPDP

Advantages

- Decreases the size of the Oracle database. Since you are normally adding and deleting incidents from the database, oracle does not return this free space. This will all get released.

Disadvantages

- Need to run the command manually to first verify the number of rows and then do the import and export. Once imported into the new version you will have to get a list of how many rows were imported and then compare and make sure the numbers match. There should be very little to no differences between the before and after.

For 16, see this Help Topic: Implementing the Database (broadcom.com)

For 15.8, see the "Symantec Data Loss Prevention Oracle 19c Implementation Guide", in the Related Documents section: Related Documents (broadcom.com)

Enforce and Detection Server Pre-Upgrade considerations:

A few items to check prior to the upgrade:

The documentation calls out to assure ALL scheduled jobs are stopped.
Check incident folders on each server for any *.bad files. These should be moved out of the incident folder or deleted.

Enforce Server

High-level steps for an in-place Enforce upgrade include:

Run URT and get this verified by support. You MUST have a successful and verified URT output before you can continue. Failing to do this step can cause an upgrade failure.
Again have a valid cold backup of the Oracle database.
Create a resourcereinstallation.zip - for more info, see Backup best practices for Symantec DLP (broadcom.com).
Make sure to stop any scans that are running (Endpoint or Discover). Requirement for DLP 16.0 Upgrade.
Extract and install Java.
Install the new version of Enforce. This will only install the files and will not move or start services on the new version.
Run the migration utility. The Migration utility is responsible for copying config files and settings from the old version to the new version. The migration utility will also upgrade the database and start the services on the new version.
Install any Maintenance packs and any hotfixes.

Detection Server

High-level steps for Detection upgrade include:

At this point, you should already have Enforce upgraded.
Install Java
Install Detection server
Run the migration utility. There is no database upgrade so this process is usually very fast. All this is doing is copying the config from the old version to the new and starting services.

Upgrade guide listed above.

Endpoint Agents

High-level steps for agent upgrades

Download the latest version of the agent package for that version of DLP.
Generate a new agent package from Enforce. System - Agents - Agent Packaging
Deploy the agent package using the package generated in Step 2.

Upgrade guide listed above.

What do I do if an upgrade failed? What does support need to help me?

Provide URT output. Please provide both of the files that get generated with the output. <URT install folder>\output is where the files will be contained.

What DLP version are you going to and from?

What version of Oracle? Standard or Enterprise?

What version of Windows/RedHat Linux are you running on Enforce and detection servers? Are they compatible with the version of DLP that is being run? Also, have resources been verified like CPU/Memory/Disk?

Have you already tried the upgrade and did it fail?

How many times did you run the upgrade or the migration?
Please provide all logs and screenshots of the issue and any error messages.
Log locations will be provided with the error message seen on the screen.

Please create a ticket and upload logs and screenshots (Zipped into one file) and answers to the above questions. If you can not log in to Enforce after the upgrade navigate to the install directory then '\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.x\logs' zip the whole log directory and add to the case (for RedHat Linux /var/log/Symantec/DataLossPrevention/EnforceServer/15.x/).