Upgrade Deep Security Manager

Upgrade Deep Security Manager before you upgrade Deep Security Relays, Agents, and Virtual Appliances.

Topics:

Before you begin

Make sure you have completed these pre-upgrade tasks:

  1. Check that you're upgrading from a supported version. You can upgrade to Deep Security 12.5 from:
    • Deep Security 10 LTS (GA version or LTS updates)
    • Deep Security 11 LTS (GA version or LTS updates)
    • Deep Security 11 Feature Releases (11.1, 11.2, 11.3)
    • Deep Security 12 LTS (GA version or LTS updates)
    • Deep Security 12 Feature Releases (any build released in the previous 18 months)
  2. Back up your deployment:
    • Back up the manager. Make a system restore point or VM snapshot of the server.
    • Back up the manager's database on the database server. The upgrade might make changes to the database schema, so the original database must be backed up.
    • Verify your backups. If you don't have backups, and the installer is interrupted for any reason, you won't be able to revert your deployment. This could require you to re-install your entire deployment.
  3. Check system requirements for the new manager: See System requirements.
  4. Download the manager software: It's available at https://help.deepsecurity.trendmicro.com/software.html.
  5. Check the digital signature on the manager's installer file: See Check the signature on installer files (EXE, MSI, RPM or DEB files).
  6. Run the readiness check: See Run a readiness check.

Upgrade the manager

To upgrade the manager, see Install the manager. The referred-to installation instructions will work equally well for upgrades.

Upgrade the manager if it's more than two releases old

The manager's installer only supports upgrading from two major releases back, so if you're currently on a manager version that's older than that, the upgrade path involves a couple of 'hops': the first hop gets to a version that's a little more recent, and the next gets you to the latest version.

For instructions on how to upgrade from an old manager to a newer one, see the installation guide for the latter:

Access documentation for other versions

Upgrade the manager in a multi-node deployment

  1. Back up each manager node. Make a system restore point or VM snapshot of the server.
  2. Stop all nodes.
  3. Upgrade the manager on the first node.

    Never run the installer on multiple nodes at the same time. Simultaneous upgrades can corrupt the database. If this happens, you must restore the database backup, then start the upgrade again.

  4. When upgrade is complete for the first node, its service will start. Until other nodes are also upgraded, it will be the only node whose software is compatible with the database, so initially it will be the only available manager. Because it must perform all jobs, you might notice that performance is reduced during this time. On Administration > System Information, Network Map with Activity Graph will indicate that other nodes are offline, and that they require an upgrade.
  5. Upgrade other nodes. As you upgrade them, they will return online, and begin to share the load again.
  6. If you configured a custom master key, run the masterkey commands to encrypt existing data on only one of the nodes.
  1. Add a node. See Add a node.
  2. Decommission the node you want to upgrade. See Remove a node.
  3. Upgrade the OS of the decommissioned node, then return it to the pool.
  4. Repeat these steps with any other nodes that have an unsupported OS.

Upgrade the manager in a multi-tenant environment

See Upgrade a multi-tenant environment for details.

What happens when you upgrade?

When you upgrade, the installer does the following:

  • installs new Deep Security software
  • keeps existing computer details, policies, intrusion prevention rules, firewall rules, and so on
  • migrates data to new formats, if required
  • makes changes to the database schema, if required
  • begins migrating event data

When you exit the installer, the upgrade continues. The following occurs:

  • the manager service is restarted
  • the manager continues to migrate event data into the new database schema

    Progress is indicated in the status bar at the bottom of the window, in new events, and (if an error occurs) alerts. Total migration time varies by the amount of data, disk speed, RAM, and processing power.

  • new event data is still recorded, as usual, while the event data is migrated

    Until database upgrade migration is complete, results which include older system event data may be incomplete.

Additional tasks are performed during a multi-node or multi-tenant upgrade. For details, see Upgrade the manager in a multi-node deployment and Upgrade the manager in a multi-tenant environment.

Post-upgrade tasks

After the upgrade, complete the following tasks.

  • (Optional) Replace the server certificate

    After the upgrade, the manager's server certificate is kept, unless you performed a fresh install. If your certificate was created using a weak cryptographic algorithm, such as SHA-1, consider replacing the certificate. Using stronger cryptography ensures compliance with the latest standards, and provides better protection against the latest exploits and attacks. See Upgrade the Deep Security cryptographic algorithm and Replace the Deep Security Manager TLS certificate.

  • (Optional) Remove and re-add vCenter

    If you are using Deep Security Virtual Appliance on NSX-T 3.x, make sure to remove vCenter and re-add it to register the updated services. The services that will be registered are:

    • E-W Network Introspection
    • Endpoint Protection

Troubleshoot the manager upgrade (log files)

If the schema changes are interrupted for any reason, errors are logged in:

<install-directory>/DBUpgrade/SchemaUpdate

where the default <install-directory> is /opt/dsm (Linux) or C:\Program Files\Trend Micro\Deep Security Manager (Windows).

Within the above directory, two types of files are created:

  • T-00000-Plan.txt - This file contains all data definition language (DDL) SQL statements that the installer will use to update the schema.
  • T-00000-Progress.txt - This file contains the schema update progress logs. When the installer is finished, it changes the file name to either T-00000-Done.txt (successful update) or T-00000-Failed.txt (update failure).

In a multi-tenant environment, the "00000" in the file name is replaced with the tenant number, such as "00001" for tenant t1.

Roll back an unsuccessful upgrade of the manager

If problems occur when you upgrade to Deep Security Manager 12.5, you can quickly revert to a functional state if you:

  • Backed up the database before the upgrade
  • Didn't upgrade the agents, relays, or virtual appliances yet (or have VM snapshots or system backups that you made before the upgrade)
  1. Stop the Deep Security Manager service.
  2. Restore the database.
  3. Restore all Deep Security Manager server nodes.
  4. If you changed the hostname, FQDN, or IP address of the Deep Security Manager during the upgrade, restore them.
  5. Restore the agents, relays, and virtual appliances.
  6. Start the Deep Security Manager service.
  7. Verify connectivity to the Deep Security Manager, including the connection between the manager and agents.