Upgrade Deep Security Manager

Upgrade Deep Security Manager before you upgrade Deep Security Relays, Agents, and Virtual Appliances.


Before you begin

Complete these tasks before you upgrade the manager:

  1. Check that you're upgrading from a supported version. For details on supported versions, see Supported upgrade paths.
  2. Back up your deployment:
    • Back up the manager. Make a system restore point or VM snapshot of the server.
    • Back up the manager's database on the database server. The upgrade might make changes to the database schema, so the original database must be backed up.
    • Verify your backups. If you don't have backups, and the installer is interrupted for any reason, you won't be able to revert your deployment. This could require you to re-install your entire deployment.
  3. Check system requirements and sizing guidelines for the new manager: See System requirements and Sizing.

    The sizing guidelines for Deep Security 20 are different from those for Deep Security 12. Check that your current environment meets the guidelines for Deep Security 20 before upgrading.

  4. Download the manager software: It's available at https://help.deepsecurity.trendmicro.com/software.html.
  5. Check the digital signature on the manager's installer file: See Check the signature on installer files (EXE, MSI, RPM or DEB files).
  6. Run the readiness check: See Run a readiness check.

Upgrade the manager

To upgrade the manager, see Install the manager. Those installation instructions apply equally to upgrades.

When you upgrade from Deep Security 11 and use Microsoft SQL Server, the installer performs an added data migration step: the primary keys of various tables, including System Events, have been changed from Integer to BigInt to avoid reaching the maximum integer value.

Maintenance windows might need to be longer in some cases. Time required varies by database load, network bandwidth and latency, and the number of existing system events to migrate. Estimate 50,000 - 150,000 system events per minute.

Upgrade the manager if it's more than two releases old

The manager's installer only supports upgrading from two major releases back, so if you're currently on a manager version that's older than that, the upgrade path involves a couple of 'hops': the first hop gets to a version that's a little more recent, and the next gets you to the latest version.

For instructions on how to upgrade from an old manager to a newer one, see the installation guide for the latter:

Get documentation for other versions

Upgrade the manager in a multi-node deployment

Upgrade the manager in a multi-tenant environment

See Upgrade a multi-tenant environment for details.

What happens when you upgrade?

When you upgrade, the installer does the following:

  • installs new Deep Security software
  • keeps existing computer details, policies, intrusion prevention rules, firewall rules, and so on
  • migrates data to new formats, if required
  • makes changes to the database schema, if required
  • begins migrating event data

When you exit the installer, the upgrade continues. The following occurs:

  1. The manager service restarts.
  2. The manager continues to migrate event data into the new database schema.

    Progress is indicated in the status bar at the bottom of the window, in new events, and (if an error occurs) alerts. Total migration time varies by the amount of data, disk speed, RAM, and processing power.

  3. New event data is still recorded, as usual, while the event data is migrated.

    Until database upgrade migration is complete, results which include older system event data may be incomplete.

Additional tasks are performed during a multi-node or multi-tenant upgrade. For details, see Upgrade the manager in a multi-node deployment and Upgrade the manager in a multi-tenant environment.

Post-upgrade tasks

After the upgrade, complete the following tasks.

Troubleshoot the manager upgrade (log files)

If the schema changes are interrupted for any reason, errors are logged in:


where the default <install-directory> is /opt/dsm (Linux) or C:\Program Files\Trend Micro\Deep Security Manager (Windows).

Within the above directory, two types of files are created:

  • T-00000-Plan.txt - This file contains all data definition language (DDL) SQL statements that the installer will use to update the schema.
  • T-00000-Progress.txt - This file contains the schema update progress logs. When the installer is finished, it changes the file name to either T-00000-Done.txt (successful update) or T-00000-Failed.txt (update failure).

In a multi-tenant environment, the "00000" in the file name is replaced with the tenant number, such as "00001" for tenant t1.
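
A post-upgrade check built on the file names described above, as an added example (not Trend Micro's tooling): it reports the schema update state for each tenant number. The log directory is supplied by the caller; the function names and status labels are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# File name pattern described on this page: T-<tenant number>-<state>.txt
SCHEMA_FILE = re.compile(r"^T-(\d+)-(Plan|Progress|Done|Failed)\.txt$")


def schema_update_status(log_dir):
    """Map tenant number -> 'done', 'failed', 'in-progress' or 'planned'."""
    seen = {}
    for entry in Path(log_dir).iterdir():
        m = SCHEMA_FILE.match(entry.name)
        if m and entry.is_file():
            seen.setdefault(m.group(1), set()).add(m.group(2))

    status = {}
    for tenant, kinds in sorted(seen.items()):
        if "Failed" in kinds:
            status[tenant] = "failed"
        elif "Progress" in kinds:
            # Progress is renamed on completion; a leftover file means running or interrupted.
            status[tenant] = "in-progress"
        elif "Done" in kinds:
            status[tenant] = "done"
        else:
            status[tenant] = "planned"  # only the DDL plan exists so far
    return status


def needs_attention(status):
    """Tenant numbers whose schema update did not finish successfully."""
    return [t for t, s in status.items() if s != "done"]


def build_sample_dir():
    """Constructed sample: 00000 done, 00001 failed, 00002 unfinished."""
    d = Path(tempfile.mkdtemp())
    for name in ("T-00000-Plan.txt", "T-00000-Done.txt", "T-00001-Plan.txt",
                 "T-00001-Failed.txt", "T-00002-Plan.txt",
                 "T-00002-Progress.txt", "unrelated.log"):
        (d / name).write_text("constructed sample\n")
    return d


if __name__ == "__main__":
    result = schema_update_status(build_sample_dir())
    print(result, "needs attention:", needs_attention(result))
```
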

Roll back an unsuccessful upgrade of the manager

If problems occur when you upgrade to Deep Security Manager 20, you can quickly revert to a functional state if you:

  • Backed up the database before the upgrade
  • Didn't upgrade the agents, relays, or virtual appliances yet (or have VM snapshots or system backups that you made before the upgrade)

To roll back the upgrade:

  1. Stop the Deep Security Manager service.
  2. Restore the database.
  3. Restore all Deep Security Manager server nodes.
  4. If you changed the hostname, FQDN, or IP address of the Deep Security Manager during the upgrade, restore them.
  5. Restore the agents, relays, and virtual appliances.
  6. Start the Deep Security Manager service.
  7. Verify connectivity to the Deep Security Manager, including the connection between the manager and agents.