Azure Upgrade: Preparation Tasks

Document created by RSA Information Design and Development on Apr 12, 2019
Version 1Show Document
  • View in full screen mode

Complete the following tasks to prepare for the upgrade to NetWitness Platform 11.3. These tasks are organized by the following categories.


You must complete these tasks regardless of how you deploy NetWitness Platform and which components you use.

Task 1 - Review Core Ports and Open Firewall Ports

The following table lists new ports in 11.3.

Caution: Make sure that the new ports are implemented and tested before upgrading so that upgrade does not fail due to missing ports.

NW Server Host


Source Host

Destination Host

Destination Ports


NW HostsNW ServerTCP 4505, 4506 Salt Master Ports
NW HostsNW ServerTCP 27017 MongoDB

ESA Host


Source Host

Destination Host

Destination Ports


NW Server,
NW Endpoint,
ESA Secondary
ESA Primary TCP 27017 MongoDB

All NetWitness Platform core ports are listed in the "Network Architecture and Ports" topic in the RSA NetWitness® Platform Deployment Guide in case you need to reconfigure NetWitness Platform services and firewalls. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 2 - Record Your 10.6.6.x admin user Password

Record your 10.6.6.x admin user password. You will need it to complete the upgrade.

Task 3 - Create a Backup of /etc/fstab File

Copy the /etc/fstab file from all VMs to your local machine (backup host or remote machine).

Note: You need this file to restore a VM with external storage mounts.

Reporting Engine

(Conditional) Task 4 - Unlink External Storage

If the Reporting Engine has external storage [such as Storage Area Network (SAN) or Network Attached Storage (NAS) for storing reports] you must perform the follow steps to unlink the storage.

In these steps:

  • /home/rsasoc/rsa/soc/reporting-engine/ is the Reporting Engine home directory.
  • /externalStorage/ is where the external storage is mounted.
  1. SSH to the Reporting Engine host and log in with your root credentials.
  2. Stop the Reporting Engine service.
    stop rsasoc_re
  3. Switch to rsasoc user.
    su rsasoc
  4. Change to the Reporting Engine the home directory.
    cd /home/rsasoc/rsa/soc/reporting-engine/
  5. Unlink the resultstore directory mounted to external storage.
    unlink /externalStorage/resultstore
  6. Unlink the formattedReports directory mounted to external storage.
    unlink /externalStorage/formattedReports


Task 5 - Set Data Retention Run Interval to ≥ 24 Hours

In Security Analytics 10.6.x , the Data Retention run interval does not have any minimum value check. In 11.3, RSA added a validation check to make sure that it is run at least every 24 hours. When you upgrade to 11.3, if this value is less than 24 hour, the Respond service will not start.

Complete the following task to ensure that the Respond service starts after upgrading to 11.3.

  1. In Security Analytics 10.6.6.x, go to ADMIN > Services.
  2. Select the Incident Management service, and then select > View > Explore.
  3. In the Incident Management Explore view, go to Service > Configuration > dataRetentionConfiguration.

  4. Make sure that the FrequencyInHours parameter is ≥ 24.

Previous Topic:Introduction
You are here
Table of Contents > Upgrade Preparation Tasks