Upgrading Forum Sentry

Introduction

This article describes the process for an "in-place" upgrade for all of the available Forum Sentry form factors. This includes instructions for upgrading hardware appliances, virtual appliances, AWS AMI instances, and software instances. Downgrade (rollback) information is also included.

An "in-place" upgrade is applying a new version on top of an existing - as opposed to a migration of the configuration from one Sentry instance to another.

With all production upgrades it is strongly recommended that Administrators follow the Best Practices for Change Procedures.

 

IMPORTANT NOTES: 

v9.1 Migration - Due to the substantial number of code changes in Forum Sentry v.9.1 release, customers should be advised that upgrades from v8.x to v9.1 represent a major upgrade procedure and there may be backward compatibility impacts on critical policy components.  Unlike minor patch release upgrades, Forum Systems does not guarantee policies will work consistently with in-place upgrades from v8.x to v9.1 or via migrating v8.x policies to v9.1 using configuration export/import (FSG or FSX).  

To reduce the risk of policy corruption and ensure business continuity, Forum Systems offers professional services for migrating v8.x configurations to v9.1.  These services include modernization of policies to the new v9.1 formats and ensuring no loss of functionality and no risk of instability from legacy v8.x policies.   Forum Systems certified engineers will work closely with your team to plan and deliver a smooth migration to the latest Forum Sentry v9.1.   

Many of our customers have taken advantage of our upgrade services to significantly improve product performance, enhance security, and increase ROI.  We strongly recommend engaging our team of experts to ensure your upgrade is seamless.     

 

Database Schema Upgrades - With Sentry version upgrades it may be necessary to also upgrade the database schema for any databases used by Sentry.  The latest database schemas are always available to download through the WebAdmin database within the Data Source policy.  Please contact Forum Systems Support for more information or if you have any questions before upgrading.

 

Licensing - Upgrading any non-hardware instance of Sentry from to v9.1 from any previous version will require a new license.  This includes software, virtual appliance, and AMI instances of Sentry. Please contact Forum Systems Support to obtain the necessary license before upgrading.

 

ForumOS Packages to Use - When downloading upgrade packages for your Sentry virtual and hardware appliances, be sure to select the correct package for your ForumOS version. The ForumOS v4.X and later require the 556X packages. The ForumOS v3.X and earlier require the 456X packages.

 For more information see the FAQ: Which Sentry Upgrade Package Should I Use

 

Forum Sentry Form Factors

Forum Sentry is available in 4 different form factors. Follow the upgrade procedure for the type of Sentry instance you are upgrading.

  1. Hardware Appliance - physical device shipped from Forum Systems running the ForumOS
  2. Virtual Appliance - downloaded OVA file runs on VMware technology running the ForumOS
  3. AWS AMI - AWS hosted instance of the virtual appliance running the ForumOS
  4. Software Instance - downloaded packages for Windows, Linux, or Solaris - installed on your own OS (virtual machine, cloud, or otherwise)

For links to the latest releases, please contact support@forumsys.com or create a new ticket on the Help Desk site.

Note that different upgrade packages are used for different form factors.

The latest Release Notes can always be found here: Sentry Release Notes.

 

 

Upgrading Forum Sentry Hardware Appliances

IMPORTANT NOTES: 

1. Serial console access to the appliance (to access the ForumOS CLI) is not required for the upgrade procedure.  However, if there are connectivity issues with the device after the upgrade, the console access may be required for troubleshooting. For this reason, Forum Systems recommends ensuring serial console and/or physical access to the device is available for the upgrade window.

2. Upgrading over a VPN is not recommended as the upgrade package file upload/download process may break without any indication of failure. The Sentry Audit log should show an upgrade failure, but it may not be immediately clear the cause of the issue was  network hiccup during the upload.  If there are file upload issues, access the WebAdmin from a system in the same network as Sentry (e.g. a jump box) and initiate the upgrade there.

Option 1 – Upgrade via WebAdmin Interface with file upload

  1. Export the current configuration on the System>>Configuration>>Import/Export screen.
  2. Export the Network Settings via the FSB Bootstrap file. This is done via the ForumOS CLI and requires serial console access. The export is done via ZMODEM transfer.
  3. On the System>>Configuration>>Upgrade page, browse to the Image and Fingerprint files (.bin and .fsf files), leave the Image URL field blank, and click Upgrade.
  4. The WebAdmin interface will auto-refresh while the packages are transferred to the appliance and installed. When the upgrade is complete the appliance will reboot automatically, ultimately bringing the user back to the login page.

 Option 2 – Upgrade via WebAdmin Interface with file download

  1. Export the current configuration on the System>>Configuration>>Import/Export screen.
  2. Export the Network Settings via the FSB Bootstrap file. This is done via the ForumOS CLI and requires serial console access. The export is done via ZMODEM transfer.
  3. On the System>>Configuration>>Upgrade page, in the Image URL field put the full path to the .bin file stored on an anonymous HTTP server. For instance, enter something similar to:  http://www.forumsys.com/downloads/example/somepath-9.1-299.upgrade.bin
  4. The WebAdmin interface will auto-refresh while the packages are downloaded and installed. When the upgrade is complete the appliance will reboot automatically, ultimately bringing the user back to the login page.

 Option 3 – Upgrade via the CLI Interface

  1. Export the current configuration on the System>>Configuration>>Import/Export screen of the WebAdmin interface.
  2. Export the Network Settings via the FSB Bootstrap file. This is done via the ForumOS CLI and requires serial console access. The export is done via ZMODEM transfer.
  3. Access the Forum CLI via SSH or Serial Console and Enter Enable Mode.
  4. Run the CLI command: “management upgrade-software”
  5. Enter the Protocol: HTTP or FTP
  6. Enter the Server: Must be an HTTP or FTP server that allows Anonymous Access.
  7. Enter the package file name, using the full path to the .bin file. For instance: /temp/FS-ENVT-8.3.464.upgrade.bin
  8. The appliance will download the files from the specified location and then apply the packages. The appliance will reboot automatically when finished installing the upgrade packages.

Upgrading Forum Sentry Virtual Appliances

IMPORTANT NOTES: 

1. VMware console access to the virtual appliance (to access the ForumOS CLI) is not required for the upgrade procedure.  However, if there are connectivity issues with the device after the upgrade, the console access may be required for troubleshooting. For this reason, Forum Systems recommends ensuring vm console access to the virtual appliance is available for the upgrade window.

2. Upgrading over a VPN is not recommended as the upgrade package file upload/download process may break without any indication of failure. The Sentry Audit log should show an upgrade failure, but it may not be immediately clear the cause of the issue was  network hiccup during the upload.  If there are file upload issues, access the WebAdmin from a system in the same network as Sentry (e.g. a jump box) and initiate the upgrade there.

Option 1 – Upgrade via WebAdmin Interface with file upload

  1. Export the current configuration on the System>>Configuration>>Import/Export screen.
  2. On the System>>Configuration>>Upgrade page, browse to the Image and Fingerprint files (.bin and .fsf files), leave the Image URL field blank, and click Upgrade.
  3. The WebAdmin interface will auto-refresh while the packages are transferred to the appliance and installed. When the upgrade is complete the appliance will reboot automatically, ultimately bringing the user back to the login page.

 Option 2 – Upgrade via WebAdmin Interface with file download

  1. Export the current configuration on the System>>Configuration>>Import/Export screen.
  2. On the System>>Configuration>>Upgrade page, in the Image URL field put the full path to the .bin file stored on an anonymous HTTP server. For instance, enter something similar to:  http://www.forumsys.com/downloads/example/somepath-8.1-299.upgrade.bin
  3. The WebAdmin interface will auto-refresh while the packages are downloaded and installed. When the upgrade is complete the appliance will reboot automatically, ultimately bringing the user back to the login page.

 Option 3 – Upgrade via the CLI Interface

  1. Export the current configuration on the System>>Configuration>>Import/Export screen of the WebAdmin interface.
  2. Access the Forum CLI via SSH or Serial Console and Enter Enable Mode.
  3. Run the CLI command: “management upgrade-software”
  4. Enter the Protocol: HTTP or FTP
  5. Enter the Server: Must be an HTTP or FTP server that allows Anonymous Access.
  6. Enter the package file name, using the full path to the .bin file. For instance: /temp/FS-ENVT-8.3.464.upgrade.bin
  7. The appliance will download the files from the specified location and then apply the packages. The appliance will reboot automatically when finished installing the upgrade packages.

Upgrading the Forum Sentry AWS AMI

IMPORTANT NOTES: 

1. SSH console access to the AMI (to access the ForumOS CLI) is not required for the upgrade procedure.  However, if there are connectivity issues with the device after the upgrade, the console access may be required for troubleshooting. For this reason, Forum Systems recommends ensuring SSH console access to the AMI is available for the upgrade window.

2. Upgrading over a VPN is not recommended as the upgrade package file upload/download process may break without any indication of failure. The Sentry Audit log should show an upgrade failure, but it may not be immediately clear the cause of the issue was  network hiccup during the upload.  If there are file upload issues, access the WebAdmin from a system in the same network as Sentry (e.g. a jump box) and initiate the upgrade there.

Option 1 – Upgrade via WebAdmin Interface with file upload

  1. Export the current configuration on the System>>Configuration>>Import/Export screen.
  2. On the System>>Configuration>>Upgrade page, browse to the Image and Fingerprint files (.bin and .fsf files), leave the Image URL field blank, and click Upgrade.
  3. The WebAdmin interface will auto-refresh while the packages are transferred to the appliance and installed. When the upgrade is complete the appliance will reboot automatically, ultimately bringing the user back to the login page.

 Option 2 – Upgrade via WebAdmin Interface with file download

  1. Export the current configuration on the System>>Configuration>>Import/Export screen.
  2. On the System>>Configuration>>Upgrade page, in the Image URL field put the full path to the .bin file stored on an anonymous HTTP server. For instance, enter something similar to:  http://www.forumsys.com/downloads/example/somepath-8.1-299.upgrade.bin
  3. The WebAdmin interface will auto-refresh while the packages are downloaded and installed. When the upgrade is complete the appliance will reboot automatically, ultimately bringing the user back to the login page.

 Option 3 – Upgrade via the CLI Interface

  1. Export the current configuration on the System>>Configuration>>Import/Export screen of the WebAdmin interface.
  2. Access the Forum CLI via SSH or Serial Console and Enter Enable Mode.
  3. Run the CLI command: “management upgrade-software”
  4. Enter the Protocol: HTTP or FTP
  5. Enter the Server: Must be an HTTP or FTP server that allows Anonymous Access.
  6. Enter the package file name, using the full path to the .bin file. For instance: /temp/FS-ENVT-8.3.464.upgrade.bin
  7. The appliance will download the files from the specified location and then apply the packages. The appliance will reboot automatically when finished installing the upgrade packages.

Upgrading the Forum Systems Software Instances

The Sentry software installation is a wizard based install package with simple to follow steps for installing on the target machine. When the installation is completed per the steps below, the Web Administration interface will be able to be accessed from a web browser on that machine using the address: https://127.0.0.1:5050.

If you have not yet obtained a license key for Sentry, the initial login page at the link above will provide instructions for obtaining and applying a Sentry license.

The instructions for installing the software instances can also be used for upgrading the software instances.

IMPORTANT NOTE:  Any customization made to the Sentry config.properties files (for instance increasing the JVM RAM option) will be lost upon upgrading the Sentry software instance.  It is recommended that you make these changes again manually after the upgrade, rather than copying/restoring the existing c

config.properties file – this is to account for any changes to the config.properties file with a new release.

Upgrading on Windows: 

  1. Export your current configuration (FSX file) from the System>>Configuration>>Import/Export screen of the WebAdmin interface.
  2. Stop the “Forum Sentry” Windows service.
  3. Navigate your file system and click on the downloaded installation package.
  4. The installation package Introduction screen will appear.  Click Next.
  5. The License Agreement screen appears. 
  6. Read the product License Agreement terms and conditions.  To accept the License Agreement, check the I accept the terms of the license agreement radio button, and then click Next.
  7. The Choose Install Set screen appears.  Click Next.
  8. The Choose Install Folder screen appears.  Use the default location or enter a new location to install the software and click Next
  9. The Pre-Installation Summary  screen displays a summary of install options.  Click Install to begin the installation. 
  10. Once installation is complete, the Install Complete screen appears.  Click Done to configure and start the Forum service.  Your default web browser will be launched to access the Web Administration interface at https://127.0.0.1:5050.
  11. A Security Alert screen appears for the default SSL Certificate used by the Forum service.  Accept this Certificate to access the Web Administration interface.

Upgrading on Linux or Solaris: 

  1. Export your current configuration (FSX file) from the System>>Configuration>>Import/Export screen of the WebAdmin interface.
  2. Stop the “xmlserver” daemon with the command: service xmlserver stop
  3. Navigate your file system and set the downloaded package to be executable (chmod +x).
  4. Run the installation file (./<install-file>.bin).  The Introduction screen will appear.  Verify you have the appropriate minimum system requirements and are logged in as root.  Press <ENTER> to continue.
  5. Read the license agreement and choose whether to accept it.
  6. Press <ENTER> to accept the default Install Set.
  7. Press <ENTER> to accept the default location, or specify the install location.
  8. Review the Pre-Installation Summary and press <ENTER> to continue.
  9. Press <ENTER> again to install to the location specified.
  10. Press <ENTER> to complete the install.
  11. To start the daemon, type: service xmlserver start.
  12. To stop the daemon, type: service xmlserver stop.
  13. Once the daemon has started, access the Web Administration interface through a web browser at https://127.0.0.1:5050.
  14. A Security Alert screen appears for the default SSL Certificate used by the Forum service.  Accept this Certificate to access the Web Administration interface.

 

 

Downgrading Forum Sentry

In the rare event that an unrecoverable issue is discovered after upgrading Sentry, administrators may want to rollback to the previous version.  The downgrade / rollback procedure is the same for ForumOS, but is different for software instances.

IMPORTANT NOTE:  A downgrade of the virtual appliance, hardware appliance, and AMI will require a factory reset after the downgrade - to clear the configuration. After the factory reset is done, the saved config (FSX file) from before the upgrade should be imported into the system. With HSM model appliances (e.g. 4564, 4564revB) a factory reset may include re-configuring the Security World. This will require physical access with the Security World admin card, card reader, card password, and bootstrap file.

 

Downgrading the Forum Sentry Hardware Appliances: 

  1. If downgrading from/to a major version (i.e. v8 to v7) you'll first need to run the hidden CLI command from Enable Mode: disableVersionCheck
  2. If downgrading from/to a minor version (i.e. v8.3 to 8.1) the disableVersionCheck command is not necessary
  3. Follow the upgrade instructions outlined in this article, but use the older packages for the version you want to downgrade to
  4. After the downgrade, factory reset using the CLI command from Enable Mode: system config factory-reset
  5. Configure the device network settings and/or Security World
  6. Import the saved configuration from before the upgrade

Downgrading the Sentry Virtual Appliances: 

  1. If downgrading from/to a major version (i.e. v8 to v7) you'll first need to run the hidden CLI command from Enable Mode: disableVersionCheck
  2. If downgrading from/to a minor version (i.e. v8.3 to 8.1) the disableVersionCheck command is not necessary
  3. Follow the upgrade instructions outlined in this article, but use the older packages for the version you want to downgrade to
  4. After the downgrade, factory reset using the CLI command from Enable Mode: system config factory-reset
  5. Import the saved configuration from before the upgrade

Downgrading the Sentry AWS AMI: 

  1. If downgrading from/to a major version (i.e. v8 to v7) you'll first need to run the hidden CLI command from Enable Mode: disableVersionCheck
  2. If downgrading from/to a minor version (i.e. v8.3 to 8.1) the disableVersionCheck command is not necessary
  3. Follow the upgrade instructions outlined in this article, but use the older packages for the version you want to downgrade to
  4. After the downgrade, factory reset using the CLI command from Enable Mode: system config factory-reset
  5. Import the saved configuration from before the upgrade

Downgrading the Sentry Software Instances on Linux/Solaris: 

  1. Stop the Sentry service "xmlserver"
  2. Copy off the license key out of the directory /xmlserver/config/license.xml
  3. Remove the Forum Systems directory (or rename)
  4. Install old version
  5. Access WebAdmin and import license when prompted
  6. Import saved config from same version

Downgrading the Sentry Software Instances on Windows:

  1. Stop the "Forum Sentry" service
  2. Copy off the license key out of the directory \xmlserver\config\license.xml
  3. Remove Forum Sentry via Add/Remove Programs
  4. Remove or rename the \Forum Systems directory
  5. Install old version
  6. Import license when prompted
  7. Import saved config from same version

 

0 Comments

Article is closed for comments.