Thomas Jones

Lessons Learned - Netwitness Upgrade 5.1.1 to 6.1.1

Blog Post created by Thomas Jones Employee on Dec 5, 2016

Recently I performed a fairly large upgrade from 10.5.1.1 to 10.6.1.1 and wanted to share my experience.


Environment - 76 Devices (Netwitness Head, Decoders (Log and Packet), Concentrators (Log and Packet), Archivers, ESA, VLCs, Warehouse).


Locations - Asia, North America, South America


Upgrade Path - 10.5.1 --> 10.6.0 --> 10.6.1 --> 10.6.1.1


Overall, I would rate the upgrade a 7 on a scale of 1-10 (10 best) for ease, errors, etc.


First and foremost... this upgrade takes time, even without problems, so be sure to allocate enough time. For me, each version jump took one day (a long day). Most of the time was spent watching it upload the files to the components, limited by 8 simultaneous sessions.


Second, we experienced several instances when rebooting where the hosts stopped and we had to manually reboot them.


Third, be prepared for possible unexpected problems. My experience was minimal, but there were several instances where we had to dig in and research issues.


Finally, do your prep work.


1. Stage the upgrade files... once you get to 10.6 you can upload the files directly from your PC.

2. Open port 50022 if applicable

3. Reboot all hosts prior to upgrade --> baseline the hosts and ensure everything is running correctly.

4. Backup your malware config

5. Backup Config - backup.sh

6. If you have a warehouse --> stop the streams

7. Stop data collection and aggregation

8. Check puppet on all devices

9. Set notifications to false if applicable

10. Most importantly - BE PATIENT - the new code may take a couple of minutes to process.


Hope this helps and good luck.


Tom J