The instructions in this guide apply to the upgrade of virtual hosts to RSA NetWitness Platform 11.3 exclusively. See the Physical Host Upgrade Guide for RSA NetWitness Platform 11.3 for instructions on how to upgrade your 10.6.6.x physical hosts to 11.3.
NetWitness Platform 11.3 is a major release that affects all products in the NetWitness Platform. The components of the platform are the NetWitness Server (Admin server, Config server, Integration server, Investigate server, Orchestration server, Respond server, Security server, and Source server), Archiver, Broker, Concentrator, Context Hub, Decoder, Endpoint Log Hybrid, ESA Primary, ESA Secondary, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, UEBA, Warehouse Connector, and Workbench.
Refer to the Getting Started Guide for NetWitness Platform to become familiar with the major changes to the 11.x User interface. Refer to the Deployment Guide to become familiar with the major platform changes in 11.x.
Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
CentOS 6 to CentOS 7 Upgrade
NetWitness Platform 11.3 is a major release that involves upgrading to a newer version of the operating system (CentOS 6 to CentOS 7). In addition, the 11.3 platform environment has been improved greatly to accommodate current and future physical and virtual deployment types. These changes require an upgrade to the new environment and an upgrade of the functionality.
RSA NetWitness Platform 11.3 Upgrade Path
The earliest supported upgrade path for RSA NetWitness Platform 11.3 is Security Analytics 10.6.6.x. 11.3 is not intended for customers who have already upgraded to an 11.x release.
- If you are running a version of NetWitness Platform that is prior to 10.6.6.x, you must update to 10.6.6.x before you can upgrade to 11.3. See the RSA Security Analytics 10.6.6 Update Guide (https://community.rsa.com/docs/DOC-95880) on RSA Link.
- If you are already running 11.3.x.x, upgrade to the current 11.3 release to ensure that you are running the latest version of the 11.3.x.x platform.
Supported Host Upgrade Path
You must upgrade a host to the same host type:
- Same Series RSA Physical Appliance to Same Series RSA Physical Appliance (that is, Series 4 to Series 4, Series 5 to Series 5).
  RSA does not support third-party physical hosts in 11.3.
- On-Prem Virtual to On-Prem Virtual
Hardware, Deployments, Services, and Features Not Supported in 11.3
RSA does not support upgrade of the following hardware, deployments, services, and features to 11.3.
- RSA All-in-One (AIO) Appliance
- Multiple NetWitness Server Deployment
- IPDB service
- Malware Analysis service co-located on the SA Server (upgrade of Malware Analysis Enterprise is supported in 11.3.)
- Standalone Warehouse Connector service (upgrade of a co-located Warehouse Connector is supported in 11.3.)
- Custom Health & Wellness policy in 10.6.x for the Context Hub Service
  After you upgrade to NetWitness 11.3, your custom policy is not present. In its place, there is the out-of-the-box Context Hub Server Monitoring Policy in the user interface, which is specific to version 11.3.
- Defense Information Systems Agency Security Technical Implementation Guide (DISA-STIG) hardened deployments.
- Warehouse Analytics (Data Science)
Event Stream Analysis (ESA) Upgrade Considerations
In RSA NetWitness Platform 11.3, RSA changed how ESA Correlation Rules store and transmit the alerts the system generates. In 11.3, ESA sends all alerts to a central Alert system. The local MongoDB storage in ESA 10.6.6.x has been removed.
Upgrade Considerations for ESA Rule Deployments
After you upgrade to 11.3, migrated ESA rule deployments have the following changes.
- If an ESA rule deployment contains two services before you upgrade to 11.3, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.3.
- If an ESA service has multiple ESA rule deployments before you upgrade to 11.3, they are combined into one deployment in version 11.3.
You can still access your old deployments. For a detailed example, see the ESA Configuration Guide for RSA NetWitness Platform 11.3.
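To preview how the two migration rules above reshape a deployment set before the upgrade window, here is an added example (not RSA code) that applies them to a constructed pre-upgrade inventory; it assumes that split copies are then combined with any other deployment on the same ESA service, so the result is one deployment per service.

```python
"""Preview how the 11.3 upgrade reshapes ESA rule deployments.

Added example (not RSA code): applies the two migration rules in this
guide to a constructed pre-upgrade inventory so the post-upgrade layout
can be reviewed before the upgrade window.
"""

# Constructed inventory: deployment name -> (ESA services, rule names).
PRE_UPGRADE = {
    "Deploy-A": (["esa-primary", "esa-secondary"], ["brute-force", "lateral-move"]),
    "Deploy-B": (["esa-primary"], ["dns-tunnel"]),
    "Deploy-C": (["esa-secondary"], ["lateral-move", "beaconing"]),
}


def migrate_deployments(pre):
    """Return the post-upgrade layout: one deployment per ESA service.

    Rule 1: a deployment attached to more than one service is split into
            one copy per service.
    Rule 2: deployments attached to the same service are combined into a
            single deployment (rules de-duplicated, first-seen order kept).
    """
    rules_by_service = {}
    sources = {}
    for name, (services, rules) in pre.items():
        for svc in services:  # Rule 1: fan the deployment out per service
            bucket = rules_by_service.setdefault(svc, [])
            for rule in rules:  # Rule 2: merge into that service's bucket
                if rule not in bucket:
                    bucket.append(rule)
            sources.setdefault(svc, []).append(name)
    return {svc: {"rules": rules_by_service[svc], "migrated_from": sources[svc]}
            for svc in rules_by_service}


if __name__ == "__main__":
    for svc, info in migrate_deployments(PRE_UPGRADE).items():
        print(f"{svc}: {info['rules']} (from {', '.join(info['migrated_from'])})")
```

Running it shows that Deploy-A is split across both services and then merged with Deploy-B and Deploy-C respectively, so two deployments remain, one per ESA service.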
Upgrade Phases
RSA recommends that you stagger host upgrades as described in this section. The update to CentOS 7 and the need for physical or iDRAC access cause the 11.3 upgrade to take more time than most upgrades.
Phase 1
You perform Phase 1 first. You must upgrade the hosts in the following order:
- Security Analytics Server host
- Event Stream Analysis hosts
- Malware Analysis hosts
- Broker hosts (if you do not have a Broker, upgrade your Concentrator hosts)
The 11.3 NetWitness Server (NW Server) cannot communicate with 10.6.6.x core services for the new Investigate functionality. This is why you must upgrade the Broker or Concentrator hosts in Phase 1.
Phase 2
Upgrade the rest of your hosts.
RSA recommends that you follow the order in Phase 2 to reduce:
- Functionality loss during investigation.
- Downtime that results in the loss of network and log capture.
This is the Phase 2 host upgrade order recommended by RSA.
- Decoder hosts
- Concentrator hosts
- Archiver hosts
- Log Collection hosts: Log Collectors on Log Decoder hosts (LDs), Virtual Log Collectors (VLCs), and Legacy Windows Collectors (LWCs)
  Before you upgrade a log collection host, you must prepare it for the upgrade. Part of this preparation ensures that no event data remains in the queues, which requires you to keep the downstream destinations of event data (Log Collectors, Virtual Log Collectors, and Log Decoders) up and functioning properly.
  If you have event data destinations downstream from the Log Decoder, you must prepare and upgrade Log Collectors in the following order:
  - LDs (one LD at a time)
  - VLCs and LWCs
  If you do not have event data destinations downstream from the Log Decoder, you can prepare and upgrade multiple LDs, VLCs, and LWCs together.
- All other hosts
See "Running in Mixed Mode" under "The Basics" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for:
- Functionality gaps encountered while running in this mode.
- Examples of staggered upgrades.
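The Phase 1 and Phase 2 ordering above, as an added example (not RSA tooling) that turns a host inventory into ordered upgrade batches; the inventory tuples, the host type labels, and the log_decoder_has_downstream flag are constructed for this example.

```python
"""Build a staggered 11.3 host upgrade plan from a host inventory.

Added example, not RSA tooling: it arranges hosts into the Phase 1 and
Phase 2 batches in the order this guide recommends. Hosts in a batch can
be prepared and upgraded together; batches run one after another.
"""

PHASE1_ORDER = ["SA Server", "ESA", "Malware Analysis"]
PHASE2_ORDER = ["Decoder", "Concentrator", "Archiver"]
PLACED_TYPES = set(PHASE1_ORDER + PHASE2_ORDER +
                   ["Broker", "Log Decoder", "VLC", "LWC"])


def build_upgrade_plan(hosts, log_decoder_has_downstream):
    """Return [(phase, [host names]), ...] in upgrade order.

    hosts: list of (name, type) tuples (constructed type labels).
    log_decoder_has_downstream: True when event data destinations sit
    downstream of the Log Decoder; LDs then go one at a time, followed
    by the VLCs and LWCs as a group.
    """
    by_type = {}
    for name, htype in hosts:
        by_type.setdefault(htype, []).append(name)
    plan = []
    for htype in PHASE1_ORDER:
        if by_type.get(htype):
            plan.append(("Phase 1", by_type[htype]))
    # Brokers close Phase 1; without a Broker the Concentrators take that slot.
    if by_type.get("Broker"):
        plan.append(("Phase 1", by_type["Broker"]))
    elif by_type.get("Concentrator"):
        plan.append(("Phase 1", by_type.pop("Concentrator")))
    for htype in PHASE2_ORDER:
        if by_type.get(htype):
            plan.append(("Phase 2", by_type[htype]))
    lds = by_type.get("Log Decoder", [])
    collectors = by_type.get("VLC", []) + by_type.get("LWC", [])
    if log_decoder_has_downstream:
        plan.extend(("Phase 2", [ld]) for ld in lds)  # one LD at a time
        if collectors:
            plan.append(("Phase 2", collectors))
    elif lds or collectors:
        plan.append(("Phase 2", lds + collectors))  # all together
    others = [n for t, names in by_type.items() if t not in PLACED_TYPES
              for n in names]
    if others:
        plan.append(("Phase 2", others))
    return plan
```

Call build_upgrade_plan(inventory, True) when anything consumes event data downstream of your Log Decoders; the returned batches are the order in which to schedule the maintenance windows.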
Phase 3 (Optional)
After you have upgraded all hosts in your deployment to 11.3, you can install a Warm Standby NW Server. Refer to "Warm Standby NW Server Host" under "Deployment Option Setup Procedures" in the Deployment Guide for NetWitness Platform 11.3 for instructions on how to set up a Warm Standby NW Server.
Investigate in Mixed Mode
Mixed mode occurs when the NW Server host and Broker hosts are on the latest version (for example, 11.3) and the other core services such as Concentrators and Decoders are on any older version (for example, 10.6.6.x or 11.1.x.x-11.2.x.x). You must follow the host upgrade sequence as shown in Upgrade Phases to ensure complete Investigate functionality.
The 11.3 Investigate server is installed when you upgrade the SA Server, but Broker hosts need to be upgraded to 11.3 to access the Event Analysis view. If the Broker is not upgraded, analysts see a warning icon next to the Broker, and no data aggregated to that Broker can be displayed.
Mixed mode (that is, some services are upgraded to 11.3 and some are still at 10.6.6.x) also affects the functionality of Role-Based Access Control (RBAC). In mixed mode, when an analyst conducts an investigation, RBAC is not applied uniformly to viewing and downloads. After you upgrade all services to 11.3, Role-Based Access Control of downloads works consistently to limit access to restricted data when an analyst conducts an investigation.
In mixed mode, if the sdk.packets setting has not been disabled on the 10.6.6.x services, analysts whose SDK meta and roles permissions restrict viewing and reconstructing an event's content can still download the packet capture (PCAP) file of an event that has content restrictions. Other types of downloads appear to succeed but then generate errors due to insufficient permissions, so that data is still protected.
During a phased update, you can disable the sdk.packets setting on 10.6.6.x services to prevent analysts from downloading any PCAPs or logs. After you update all services to 11.3 and re-enable sdk.packets, RBAC works consistently across all services.
The following table identifies what users with the Analysts role can see and download when the NW Server is at version 11.3 and the 11.3 Broker is connected to Concentrators and Decoders at version 10.6.6.x.
| View | Can see | Can download | Download with errors |
| Events View | RBAC permitted items | PCAP | File archive (cannot unzip it) |
| Event Reconstruction View | RBAC permitted items | PCAP | File archive (cannot unzip it) |
| Event Analysis View | RBAC permitted items | PCAP | Payload (any option: all payloads, request only, response only) |
Virtual Host Upgrade Workflow
The following diagram illustrates the RSA NetWitness Platform 11.3 Virtual Host upgrade workflow.
Contact Customer Support
Refer to the Contact RSA Customer Support page (https://community.rsa.com/docs/DOC-1294) in RSA Link for instructions on how to get help on RSA NetWitness Platform 11.3.