IBM Support

Migrate policies before running Security Network Protection firmware updates

Troubleshooting


Problem

Prior to running firmware updates on a Security Network Protection (XGS) device, you should migrate your policies in SiteProtector to the new version.

Cause

In certain firmware updates, there may be schema changes which are not compatible between different versions.

Diagnosing The Problem


When the schemas change between versions and a policy migration was not completed beforehand, the affected policies in SiteProtector show up as Not Deployed. Alternatively, you might see the appliance go into an Active with Errors state, depending on which schemas actually changed. When you see this behavior, run the Policy Migration tool to migrate your policies from the previous version to the new version.

Note: When this happens, the appliance is still running with the migrated policy and continues to function normally. This issue is only seen in SiteProtector as you are unable to manage the policies whose schemas changed.

Identifying incompatible policies between firmware versions

To determine exactly which policies need to be migrated between different firmware versions, you can look at the Agent Versions column in the Policy view to see the compatibility. Below is an example of how this works. In this example, we are upgrading from firmware 5.3.1.4 to 5.3.2.1.
  1. Right-click the agent you are upgrading from the Agent view and click Manage Policy.
    Note: If you have already performed the upgrade to the new firmware version, you need to change the Agent Version drop-down to the previous version once the Policy view loads.
  2. In the Policy view, find the Active Deployments pane for the XGS.
  3. Look at the Agent Versions column. If the firmware version that you will be upgrading to is not listed for a policy, that policy is not compatible with the new version. You must migrate the policies for this policy to be managed properly from SiteProtector. In the screen capture below, you can see the two policies that are not compatible with 5.3.2.1:

    The remaining policies all have 5.3.2.1 listed as a compatible policy.
  4. You can also look at the Shared Objects for these. Expand the Repository and click Shared Objects.
  5. Compare the Agent Versions field for the incompatibilities. In this example, Intrusion Prevention and URL Categories are not compatible with 5.3.2.1:

Resolving The Problem

To avoid running into this issue, it is best to run the Policy Migration tool before running the firmware update. This ensures that all the deployed policies are properly migrated to the new version. To do this, follow the instructions below:
Notes:
  • You can run this migration after the firmware update is completed, but you will experience the symptoms described in the Diagnosing The Problem section.
  • Before running the migration, be sure to update your SiteProtector Database to the latest Service Pack level to ensure that the SiteProtector Console has the latest schemas to support the new firmware version.
  • After the migration completes, the newly converted policies will start at version 1.

Important: This procedure only migrates policies that are deployed at the group level. If policies are deployed at the agent level, you need to deploy them to a temporary group that contains no sensors before following the instructions. After the migration, you can deploy the policies back to specific agents.
  1. Open the SiteProtector Console and go to the Policy view.
  2. Right-click the group that contains your XGS policy deployments and select Migrate Agent Policy Version....
  3. In the Details section, set the Agent Type field to IBM Security Network Protection.
  4. In the Upgrade Details section, set the Migrate From Firmware Version field to your current version. Then, set the Update To Firmware Version to the firmware version you are upgrading to. In this example, we are currently running 5.3.0.6 and are upgrading to 5.3.1.0.

    Note: You can enable the Force affected agents to heartbeat check box if you want the agents to immediately heartbeat in and get the migrated policies.
  5. Click OK to start the migration.

Once the migration completes, you should see your policies listed in the new firmware version. At this point, you can upgrade the firmware without running into any schema issues.
 


Document Information

Modified date:
08 March 2021

UID

swg21959896