High level steps for Upgrading DLP
search cancel

High level steps for Upgrading DLP

book

Article ID: 247415

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

What are the high level steps for upgrading DLP and what do I do if an upgrade fails?

Resolution

There are 4 main components to upgrades:

Each component has a guide that explains the steps in detail on what needs to be done. A link to the full Help topic: Upgrading DLP (broadcom.com)

(For 15.8, see the Upgrade Guide in the Related Documents (broadcom.com).)

 

Oracle Upgrade

Best to follow the Oracle upgrade guide here.  Please make sure to have a cold backup before proceeding.

Cold backup means you need to stop all Oracle services and make sure to make a copy of all the database files. This is very important. Also, make sure this backup does not get overwritten by something else or another backup. 

Note: Please make sure to run URT before and after the Oracle upgrade to make sure the database is in a consistent state.

Now Oracle has multiple options for upgrading:

Upgrade on the same server

            Advantages

      • Don’t need new hardware.

 

            Disadvantages

      • Recovery time is much longer.
      • Backups are not verified. So if backups are corrupted for some reason or they were not taken properly, there is a good chance that all is lost.  So please make sure you have good backups and they do NOT get overwritten.

Migrate

            Advantages

      • Easy recovery.
      • Verified good backups.
      • If issues occur, you can restart services on the old Oracle server and troubleshoot the problem on the new machine and address it. After this attempt the upgrade again as you now know how to most past it.

           

Disadvantages

      • Need new hardware.
      • Time-consuming.

 

Now there is one more advantage here.  You can use the Migrate model as a temporary solution.  Let’s say you would like to upgrade Oracle on the same machine but want the advantages under the Migrate section.  Let’s say you’re going from 12c to 19c.  You can:

      1. Migrate the database to new temp Oracle server.
      2. Upgrade the database to the new 19c version.
      3. Once confirmed working you can uninstall Oracle 12c on the original server and install the 19c and move the database over.
      4. Decommission the temp Oracle server once everything is confirmed working.

This method will allow you to take full advantage of the migration method while keeping only one Oracle server.

Import and Export using IMPDP/EXPDP

            Advantages

      • Decreases the size of the Oracle database. Since you are normally adding and deleting incidents from the database, oracle does not return this free space.  This will all get released.

           

Disadvantages

      • Need to run the command manually to first verify the number of rows and then do the import and export. Once imported into the new version you will have to get a list of how many rows were imported and then compare and make sure the numbers match.  There should be very little to no differences between the before and after.

 

For 16, see this Help Topic: Implementing the Database (broadcom.com)

For 15.8, see the "Symantec Data Loss Prevention Oracle 19c Implementation Guide", in the Related Documents section: Related Documents (broadcom.com)

 

Enforce and Detection Server Pre-Upgrade considerations:

A few items to check prior to the upgrade:

    1. The documentation calls out to assure ALL scheduled jobs are stopped.
    2. Check incident folders on each server for any *.bad files.
      1. These should be moved out of the incident folder or deleted.

Enforce Server

High-level steps for an in-place Enforce upgrade include:

    1. Run URT and get this verified by support. You MUST have a successful and verified URT output before you can continue.  Failing to do this step can cause an upgrade failure.
    2. Again have a valid cold backup of the Oracle database.
    3. Create a resourcereinstallation.zip - for more info, see Backup best practices for Symantec DLP (broadcom.com).
    4. Make sure to stop any scans that are running (Endpoint or Discover).  Requirement for DLP 16.0 Upgrade.
    5. Extract and install Java.
    6. Install the new version of Enforce.  This will only install the files and will not move or start services on the new version.
    7. Run the migration utility. The Migration utility is responsible for copying config files and settings from the old version to the new version. The migration utility will also upgrade the database and start the services on the new version.
    8. Install any Maintenance packs and any hotfixes.

 

 

Detection Server

High-level steps for Detection upgrade include:

    1. At this point, you should already have Enforce upgraded.
    2. Install Java
    3. Install Detection server
    4. Run the migration utility. There is no database upgrade so this process is usually very fast.  All this is doing is copying the config from the old version to the new and starting services. 

Upgrade guide listed above.

 

 

Endpoint Agents

High-level steps for agent upgrades

    1. Download the latest version of the agent package for that version of DLP.
    2. Generate a new agent package from Enforce.  System - Agents - Agent Packaging
    3. Deploy the agent package using the package generated in Step 2.

Upgrade guide listed above.

 

What do I do if an upgrade failed?  What does support need to help me?

  • Provide URT output. Please provide both of the files that get generated with the output. <URT install folder>\output is where the files will be contained.
  • What DLP version are you going to and from?
  • What version of Oracle?  Standard or Enterprise?
  • What version of Windows/RedHat Linux are you running on Enforce and detection servers?  Are they compatible with the version of DLP that is being run?  Also, have resources been verified like CPU/Memory/Disk?
  • Have you already tried the upgrade and did it fail?  
    • How many times did you run the upgrade or the migration?
    • Please provide all logs and screenshots of the issue and any error messages.
    • Log locations will be provided with the error message seen on the screen.  
  • Please create a ticket and upload logs and screenshots (Zipped into one file) and answers to the above questions. If you can not log in to Enforce after the upgrade navigate to the install directory then '\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.x\logs' zip the whole log directory and add to the case (for RedHat Linux /var/log/Symantec/DataLossPrevention/EnforceServer/15.x/).

Additional Information

Full links to downloads for individual guides in DLP 15.8

Windows:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.8_Upgrade_Guide_Win.pdf

Linux:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.8_Upgrade_Guide_Lin.pdf

 

Online guide for upgrading DLP 16.0 (recommend to go directly to 16.0.1 if possible)

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0/Upgrade-DLP.html

 

Online guide for upgrading DLP 16.0.1

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0-1/Upgrade-DLP.html