The instructions in this guide apply to the upgrade of physical hosts to RSA NetWitness® Platform 11.3 exclusively. See the Virtual Host Upgrade Guide for NetWitness Platform 10.6.6.x to 11.3 for instructions on how to upgrade your virtual hosts to 11.3.
NetWitness Platform 11.3 is a major release that affects all products in the NetWitness Platform. The components of the platform are the NetWitness Server (Admin server, Config server, Integration server, Investigate server, Orchestration server, Respond server, Security server, and Source server), Archiver, Broker, Concentrator, Context Hub, Decoder, Endpoint Log Hybrid, ESA Primary, ESA Secondary, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, UEBA, Warehouse Connector, and Workbench.
Refer to the Getting Started Guide for NetWitness Platform to become familiar with the major changes to the 11.x User interface. Refer to the Deployment Guide to become familiar with the major platform changes in 11.x.
Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
CentOS6 to CentOS7 Upgrade
NetWitness Platform 11.3 is a major release that involves upgrading to a newer version of the operating system (CentOS6 to CentOS7). In addition, the 11.3 platform environment has been improved greatly to accommodate current and future physical and virtual deployment types. These changes require an upgrade to the new environment and an upgrade of the functionality.
RSA NetWitness® Platform 11.3 Upgrade Path
The earliest supported upgrade path for RSA NetWitness® Platform 11.3 is Security Analytics 10.6.6.x. If you are running a version of NetWitness Platform that is prior to 10.6.6.x, you must update to 10.6.6.x before you can upgrade to 11.3. See the RSA Security Analytics 10.6.6 Update Guide (https://community.rsa.com/docs/DOC-95880) on RSA Link.
Supported Host Upgrade Path
You must upgrade a host to the same host type:
- Same Series RSA Physical Appliance to Same Series RSA Physical Appliance (that is, Series 4 to Series 4, Series 5 to Series 5).
RSA does not support third-party physical hosts in 11.3.
- On-Prem Virtual to On-Prem Virtual
Hardware, Deployments, Services, and Features Not Supported in 11.3
RSA does not support upgrade of the following hardware, deployments, services, and features to 11.3.
- RSA All-in-One (AIO) Appliance
- Multiple NetWitness Server Deployment
- IPDB service
- Malware Analysis service co-located on the SA Server (upgrade of Malware Analysis Enterprise is supported in 11.3)
- Standalone Warehouse Connector service (upgrade of a co-located Warehouse Connector is supported in 11.3)
- Custom Health & Wellness policy in 10.6.x for the Context Hub service
After you upgrade to NetWitness 11.3, your custom policy is not present. In its place, there is the out-of-the-box Context Hub Server Monitoring Policy in the user interface, which is specific to version 11.3.
- Defense Information Systems Agency Security Technical Implementation Guide (DISA-STIG) hardened deployments
- Warehouse Analytics (Data Science)
Event Stream Analysis (ESA) Upgrade Considerations
In RSA NetWitness® Platform 11.3, RSA changed how ESA Correlation Rules store and transmit the alerts the system generates. In 11.3, ESA sends all alerts to a central Alert system. The local MongoDB storage in ESA 10.6.6.x has been removed.
Upgrade Considerations for ESA Rule Deployments
After you upgrade to 11.3, migrated ESA rule deployments have the following changes.
- If an ESA rule deployment contains two services before you upgrade to 11.3, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.3.
- If an ESA service has multiple ESA rule deployments before you upgrade to 11.3, they are combined into one deployment in version 11.3.
You can still access your old deployments. For a detailed example, see the ESA Configuration Guide for RSA NetWitness Platform 11.3.
Upgrade Phases
RSA recommends that you stagger host upgrades as described in this section. The update to CentOS7 and the need for physical or iDRAC access cause the 11.3 upgrade to take more time than most upgrades.
Phase 1
Perform Phase 1 first. You must upgrade the hosts in the following order:
- Security Analytics Server host
- Event Stream Analysis hosts
- Malware Analysis hosts
- Broker hosts (if you do not have a Broker, upgrade your Concentrator hosts)
The 11.3 NetWitness Server (NW Server) cannot communicate with 10.6.6.x core services for the new Investigate functionality. This is why you must upgrade the Broker or Concentrator hosts in Phase 1.
Phase 2
Upgrade the rest of your hosts.
RSA recommends that you follow the order in Phase 2 to reduce:
- Functionality loss during investigation.
- Downtime that results in the loss of network and log capture.
This is the Phase 2 host upgrade order recommended by RSA.
- Decoder hosts
- Concentrator hosts
- Archiver hosts
- Log Collection hosts: Log Collectors on Log Decoder hosts (LDs), Virtual Log Collectors (VLCs), and Legacy Windows Collectors (LWCs)
Before you upgrade a log collection host, you must prepare it for the upgrade. Part of this preparation ensures that no event data remains in the queues, which requires that the downstream destinations of event data (Log Collectors, Virtual Log Collectors, and Log Decoders) stay up and functioning properly.
If you have event data destinations downstream from the Log Decoder, you must prepare and upgrade Log Collectors in the following order:
  1. LDs (one LD at a time)
  2. VLCs and LWCs
If you do not have event data destinations downstream from the Log Decoder, you can prepare and upgrade multiple LDs, VLCs, and LWCs together.
- All other hosts
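The Phase 1 and Phase 2 ordering rules above, including the Broker-to-Concentrator fallback and the one-LD-at-a-time rule when event data has downstream destinations, are easy to get wrong across a large deployment. The following planner is an added example, not RSA code or an RSA tool: it takes a constructed host inventory (the dict layout and the host type names as used in this guide are assumptions of the example), produces the staggered order, and checks a proposed sequence against it. Batching hosts of one type into a single step is an assumption of the example; the order between steps is the guide's.

```python
"""Staggered upgrade planner for the 10.6.6.x to 11.3 host order.

Added example, not RSA code. It models the Phase 1 / Phase 2 ordering rules
from this guide over a constructed inventory; host type names are the ones
used in the guide and the dict layout is an assumption of this example.
"""
from collections import defaultdict

# Phase 1 order. "Broker" falls back to Concentrators when no Broker exists.
PHASE1_ORDER = ["SA Server", "ESA", "Malware Analysis", "Broker"]
# Phase 2 order before the log collection hosts; "all other hosts" come last.
PHASE2_ORDER = ["Decoder", "Concentrator", "Archiver"]

# Constructed inventory for the example (no such file exists in a deployment).
SAMPLE_HOSTS = [
    {"name": "sa01", "type": "SA Server"},
    {"name": "esa01", "type": "ESA"},
    {"name": "ma01", "type": "Malware Analysis"},
    {"name": "broker01", "type": "Broker"},
    {"name": "dec01", "type": "Decoder"},
    {"name": "con01", "type": "Concentrator"},
    {"name": "con02", "type": "Concentrator"},
    {"name": "arc01", "type": "Archiver"},
    {"name": "ld01", "type": "Log Decoder"},
    {"name": "ld02", "type": "Log Decoder"},
    {"name": "vlc01", "type": "VLC"},
    {"name": "lwc01", "type": "LWC"},
    {"name": "ctx01", "type": "Context Hub"},
]


def plan_upgrade(hosts, downstream_from_log_decoder):
    """Return the plan as a list of (phase, batch) pairs in upgrade order.

    A batch is a list of host names that this example treats as one step;
    batching per host type is an assumption, the order between batches is
    the guide's. downstream_from_log_decoder=True forces Log Decoders one
    at a time followed by VLCs and LWCs together; False allows all log
    collection hosts in a single batch.
    """
    by_type = defaultdict(list)
    for h in hosts:
        by_type[h["type"]].append(h["name"])
    plan, scheduled = [], set()

    def add(phase, names):
        names = [n for n in names if n not in scheduled]
        if names:
            plan.append((phase, names))
            scheduled.update(names)

    for t in PHASE1_ORDER:
        names = by_type.get(t, [])
        if t == "Broker" and not names:       # no Broker: Concentrators move to Phase 1
            names = by_type.get("Concentrator", [])
        add(1, names)
    for t in PHASE2_ORDER:                    # hosts already done in Phase 1 are skipped by add()
        add(2, by_type.get(t, []))
    if downstream_from_log_decoder:
        for n in by_type.get("Log Decoder", []):
            add(2, [n])                       # one LD at a time
        add(2, by_type.get("VLC", []) + by_type.get("LWC", []))
    else:
        add(2, by_type.get("Log Decoder", []) + by_type.get("VLC", []) + by_type.get("LWC", []))
    add(2, [h["name"] for h in hosts])        # all other hosts (unscheduled remainder)
    return plan


def order_violations(hosts, proposed, downstream_from_log_decoder):
    """Check a proposed flat sequence of host names against the plan.

    Returns (earlier, later) pairs where the plan needs 'earlier' first but
    'proposed' lists 'later' first; hosts missing from 'proposed' are
    returned as (name, None).
    """
    plan = plan_upgrade(hosts, downstream_from_log_decoder)
    pos = {name: i for i, name in enumerate(proposed)}
    violations = [(h["name"], None) for h in hosts if h["name"] not in pos]
    for i, (_, earlier) in enumerate(plan):
        for _, later in plan[i + 1:]:
            violations += [(a, b) for a in earlier for b in later
                           if a in pos and b in pos and pos[a] > pos[b]]
    return violations


if __name__ == "__main__":
    for phase, batch in plan_upgrade(SAMPLE_HOSTS, downstream_from_log_decoder=True):
        print(f"Phase {phase}: {', '.join(batch)}")
```

Running the script prints the plan for the constructed inventory; `order_violations` is the check to run on a change ticket's proposed sequence before the maintenance window, since an out-of-order Decoder or Concentrator upgrade is what produces the mixed-mode Investigate gaps described later in this guide.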
See "Running in Mixed Mode" under "The Basics" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for:
- Functionality gaps encountered while running in this mode.
- Examples of staggered upgrades.
Phase 3 (Optional)
After you have upgraded all hosts in your deployment to 11.3, you can install a Warm Standby NW Server. Refer to "Warm Standby NW Server Host" under "Deployment Option Setup Procedures" in the Deployment Guide for NetWitness Platform for 11.3 for instructions on how to set up a Warm Standby NW Server.
Investigate in Mixed Mode
Mixed mode occurs when the NW Server host and Broker hosts are on the latest version (for example, 11.3) and the other core services such as Concentrators and Decoders are on any older version (for example, 10.6.6.x or 11.1.x.x-11.2.x.x). You must follow the host upgrade sequence as shown in Upgrade Phases to ensure complete Investigate functionality.
The 11.3 Investigate server is installed when you upgrade the SA Server, but Broker hosts need to be upgraded to 11.3 to access the Event Analysis view. If the Broker is not upgraded, analysts see a warning icon next to the Broker, and no data aggregated to that Broker can be displayed.
Mixed mode (that is, some services are upgraded to 11.3 and some are still at 10.6.6.x) also affects the functionality of Role-Based Access Control (RBAC). In mixed mode, when an analyst conducts an investigation, RBAC is not applied uniformly to viewing and downloads. After you upgrade all services to 11.3, when an analyst conducts an investigation, Role-Based Access Control of downloads works consistently to limit access to restricted data.
In mixed mode, if the sdk.packets setting has not been disabled on the 10.6.6.x services, an analyst whose SDK meta and role permissions restrict viewing and reconstructing an event's content can still download the packet capture (PCAP) file of an event that has content restrictions. Other types of downloads appear to be successful, then generate errors due to insufficient permissions, and the data is still protected.
During a phased update, you can disable the sdk.packets setting on 10.6.6.x services to prevent analysts from downloading any PCAPs or logs. After you update all services to 11.3 and re-enable sdk.packets, RBAC works consistently across all services.
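The mixed-mode conditions above (a Broker still behind the NW Server, a 10.6.6.x service with sdk.packets still enabled, and the reminder to re-enable sdk.packets once every service is at 11.3) can be checked from an inventory snapshot. The following audit is an added example, not RSA code: the inventory is constructed and embedded inline, and the field names `type`, `version` and `sdk_packets` are assumptions of the example (in a real deployment the version and the sdk.packets value come from each core service's configuration).

```python
"""Mixed-mode audit for Investigate RBAC and the sdk.packets setting.

Added example, not RSA code. The inventory is constructed and embedded
inline; in a real deployment the version and sdk.packets value of each core
service would come from that service's configuration. Field names
("sdk_packets", "type", "version") are assumptions of this example.
"""

# Constructed inventory: NW Server already at 11.3, core services mid-upgrade.
SAMPLE_SERVICES = [
    {"name": "broker01", "type": "Broker", "version": "11.3.0.0", "sdk_packets": True},
    {"name": "con01", "type": "Concentrator", "version": "10.6.6.1", "sdk_packets": True},
    {"name": "dec01", "type": "Decoder", "version": "10.6.6.1", "sdk_packets": False},
    {"name": "broker02", "type": "Broker", "version": "10.6.6.1", "sdk_packets": False},
]


def version_tuple(version):
    """'10.6.6.x' -> (10, 6, 6); non-numeric placeholders are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def is_mixed_mode(nw_server_version, services):
    """Mixed mode: the NW Server is ahead of at least one core service."""
    target = version_tuple(nw_server_version)[:2]
    return any(version_tuple(s["version"])[:2] < target for s in services)


def audit(nw_server_version, services):
    """Return (service, code, message) findings for the current upgrade state.

    BROKER_NOT_UPGRADED: a Broker is behind the NW Server, so the Event
      Analysis view cannot show data aggregated to it.
    PCAP_RBAC_GAP: a 10.6.6.x service still has sdk.packets enabled while the
      deployment is in mixed mode, so content-restricted events remain
      downloadable as PCAPs by analysts whose SDK meta/role permissions
      should block them.
    REENABLE_SDK_PACKETS: every service is at the NW Server version and
      sdk.packets is still disabled; re-enabling restores RBAC-governed downloads.
    """
    target = version_tuple(nw_server_version)[:2]
    mixed = is_mixed_mode(nw_server_version, services)
    findings = []
    for s in services:
        ver = version_tuple(s["version"])
        if mixed and s["type"] == "Broker" and ver[:2] < target:
            findings.append((s["name"], "BROKER_NOT_UPGRADED",
                             "upgrade this Broker to restore Event Analysis for data it aggregates"))
        if mixed and ver[:3] == (10, 6, 6) and s["sdk_packets"]:
            findings.append((s["name"], "PCAP_RBAC_GAP",
                             "disable sdk.packets on this 10.6.6.x service until all services reach 11.3"))
        if not mixed and not s["sdk_packets"]:
            findings.append((s["name"], "REENABLE_SDK_PACKETS",
                             "all services upgraded; re-enable sdk.packets for consistent RBAC"))
    return findings


if __name__ == "__main__":
    for name, code, msg in audit("11.3.0.0", SAMPLE_SERVICES):
        print(f"{name}: {code} - {msg}")
```

On the constructed inventory the audit flags `con01` (PCAP download gap) and `broker02` (no Event Analysis data); once every service is at 11.3 it switches to reminding you which services still have sdk.packets disabled, which is the point at which RBAC on downloads becomes consistent again.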
The following table identifies what users with the analysts role can see and download when the NW Server is at version 11.3, and the 11.3 Broker is connected to Concentrators and Decoders at version 10.6.6.x.
The following diagram illustrates the RSA NetWitness® Platform 11.3 upgrade workflow.
Contact Customer Support
Refer to the Contact RSA Customer Support page (https://community.rsa.com/docs/DOC-1294) in RSA Link for instructions on how to get help on RSA NetWitness Platform 11.3.