Complete the following tasks to prepare for the upgrade to NetWitness Platform 11.3. These tasks are organized by the following categories.
You must complete these tasks regardless of how you deploy NetWitness Platform and which components you use.
Task 1 - Review Core Ports and Open Firewall Ports
The following table lists new ports in 11.3.
NW Server Host
All NetWitness Platform core ports are listed in the "Network Architecture and Ports" topic in the RSA NetWitness® Platform Deployment Guide in case you need to reconfigure NetWitness Platform services and firewalls. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Task 2 - Record Your 10.6.6.x admin user Password
Record your 10.6.6.x admin user password. You will need it to complete the upgrade.
Task 3 - Create a Backup of /etc/fstab File
Copy the /etc/fstab file from all VMs to your local machine (backup host or remote machine).
(Conditional) Task 4 - Unlink External Storage
If the Reporting Engine has external storage [such as Storage Area Network (SAN) or Network Attached Storage (NAS) for storing reports], you must perform the following steps to unlink the storage.
In these steps:
- /home/rsasoc/rsa/soc/reporting-engine/ is the Reporting Engine home directory.
- /externalStorage/ is where the external storage is mounted.
- SSH to the Reporting Engine host and log in with your root credentials.
- Stop the Reporting Engine service.
- Switch to rsasoc user.
- Change to the Reporting Engine home directory.
- Unlink the resultstore directory mounted to external storage.
- Unlink the formattedReports directory mounted to external storage.
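The two unlink steps above as a guarded script, added here as an example and not RSA-supplied code: it removes resultstore and formattedReports only when they are symbolic links, and records each link target so the storage can be relinked after the upgrade. The home directory and directory names come from the steps above; that the directories are symbolic links, the function name, the --apply switch and the record file path are assumptions of this example.

```sh
#!/bin/sh
# Added example, not RSA-supplied code.
# Directory names and RE_HOME come from the steps above; the function name,
# the --apply switch and the record file are assumptions of this example.
RE_HOME="/home/rsasoc/rsa/soc/reporting-engine"

# unlink_external <re_home> <record_file>
# Prints one status line per directory:
#   unlinked <name> <target>  symlink removed, target appended to record file
#   local <name>              real directory or file, left untouched
#   absent <name>             nothing at that path
unlink_external() {
    ue_home="$1"
    ue_record="$2"
    for ue_name in resultstore formattedReports; do
        # No trailing slash: the test and the unlink must act on the link
        # itself, never on the directory it points to.
        ue_path="$ue_home/$ue_name"
        if [ -L "$ue_path" ]; then
            # -L is checked first so a dangling link (storage already
            # unmounted) is still recorded and removed.
            ue_target="$(readlink "$ue_path")"
            printf '%s -> %s\n' "$ue_name" "$ue_target" >> "$ue_record"
            unlink "$ue_path"
            echo "unlinked $ue_name $ue_target"
        elif [ -e "$ue_path" ]; then
            echo "local $ue_name"
        else
            echo "absent $ue_name"
        fi
    done
}

# Touch the real host only when asked to: ./unlink-re-storage.sh --apply
if [ "${1:-}" = "--apply" ]; then
    unlink_external "$RE_HOME" "$HOME/re-external-links.txt"
fi
```

Run it as the rsasoc user after the Reporting Engine service is stopped; a "local" status means that directory is not on external storage and needs no action.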
Task 5 - Set Data Retention Run Interval to ≥ 24 Hours
In Security Analytics 10.6.x, the Data Retention run interval does not have any minimum value check. In 11.3, RSA added a validation check to make sure that the run interval is at least 24 hours. When you upgrade to 11.3, if this value is less than 24 hours, the Respond service will not start.
Complete the following task to ensure that the Respond service starts after upgrading to 11.3.
- In Security Analytics 10.6.6.x, go to ADMIN > Services.
- Select the Incident Management service, and then select > View > Explore.
- In the Incident Management Explore view, go to Service > Configuration > dataRetentionConfiguration.
- Make sure that the FrequencyInHours parameter is ≥ 24.