Upgrade Deep Security Manager before you upgrade Deep Security Relays, Agents, and Virtual Appliances.

Before you begin

Complete these tasks before you upgrade the manager:
  1. Check that you're upgrading from a supported version. For details on supported versions, see Supported upgrade paths.
  2. Back up your deployment:
    • Back up the manager. Make a system restore point or VM snapshot of the server.
    • Back up the manager's database on the database server. The upgrade might make changes to the database schema, so the original database must be backed up.
    • Verify your backups. If you don't have backups, and the installer is interrupted for any reason, you won't be able to revert your deployment. This could require you to re-install your entire deployment.
  3. Check system requirements and sizing guidelines for the new manager: See System requirements and Sizing.
    Note
    The sizing guidelines for Deep Security 20 are different from those for Deep Security 12. Check that your current environment meets the guidelines for Deep Security 20 before upgrading.
  4. Download the manager software: It's available at https://help.deepsecurity.trendmicro.com/software.html.
  5. Check the digital signature on the manager's installer file: See Check the signature on installer files (EXE, MSI, RPM or DEB files).
  6. Run the readiness check: See Run a readiness check.

Upgrade the manager

To upgrade the manager, see Install the manager. The installation instructions there also apply to upgrades.
Note
When upgrading from Deep Security 11, if you use Microsoft SQL Server, the installer includes a data migration step because the primary keys of various tables, including System Events, have been updated from Integer to BigInt in order to avoid reaching the maximum integer value.
Maintenance windows might need to be longer in some cases. Time required varies by database load, network bandwidth and latency, and the number of existing system events to migrate. Estimate 50,000 - 150,000 system events per minute.

Upgrade the manager if it's more than two releases old

The manager's installer only supports upgrading from two major releases back, so if you're currently on a manager version that's older than that, the upgrade path involves a couple of 'hops': the first hop gets to a version that's a little more recent, and the next gets you to the latest version.
For instructions on how to upgrade from an old manager to a newer one, see the installation guide for the latter:

Upgrade the manager in a multi-node deployment

To upgrade the manager

  1. Back up each manager node. Make a system restore point or VM snapshot of the server.
  2. Stop all nodes.
  3. Upgrade the manager on the first node.
    WARNING
    Never run the installer on multiple nodes at the same time. Simultaneous upgrades can corrupt the database. If this happens, you must restore the database backup, and then start the upgrade again.
  4. When the upgrade is complete for the first node, its service will start. Until other nodes are also upgraded, it will be the only node whose software is compatible with the database, so initially it will be the only available manager. Because it must perform all jobs, you might notice that performance is reduced during this time. On Administration > System Information, Network Map with Activity Graph will indicate that other nodes are offline, and that they require an upgrade.
  5. Upgrade other nodes. As you upgrade them, they will return online, and begin to share the load again.
  6. If you configured a custom master key, run the masterkey commands to encrypt existing data. Run them on only one of the nodes.

To upgrade the manager OS

  1. Add a new node so that your deployment still has at least one available node while you upgrade old nodes. See Add a node.
  2. Decommission the old nodes. See Remove a node.
  3. Upgrade the OS of decommissioned nodes.
  4. Re-install Deep Security Manager on the old node. This re-connects the node to the existing installation.

Upgrade the manager in a multi-tenant environment

What happens when you upgrade?

When you upgrade, the installer does the following:
  • installs new Deep Security software
  • keeps existing computer details, policies, intrusion prevention rules, firewall rules, and so on
  • migrates data to new formats, if required
  • makes changes to the database schema, if required
  • begins migrating event data
When you exit the installer, the upgrade continues. The following occurs:
  1. The manager service restarts.
  2. The manager continues to migrate event data into the new database schema.
    Progress is indicated in the status bar at the bottom of the window, in new events, and (if an error occurs) alerts. Total migration time varies by the amount of data, disk speed, RAM, and processing power.
  3. New event data is still recorded, as usual, while the event data is migrated.
    Note
    Until database upgrade migration is complete, results which include older system event data may be incomplete.
Additional tasks are performed during a multi-node or multi-tenant upgrade. For details, see Upgrade the manager in a multi-node deployment and Upgrade the manager in a multi-tenant environment.

Post-upgrade tasks

After the upgrade, you may choose to complete the following tasks:
  • Replace the server certificate: After the upgrade, the manager's server certificate is kept, unless you performed a fresh install. If your certificate was created using a weak cryptographic algorithm, such as SHA-1, consider replacing the certificate. Using stronger cryptography ensures compliance with the latest standards, and provides better protection against the latest exploits and attacks. See Replace the Deep Security Manager TLS certificate.

Troubleshoot the manager upgrade (log files)

If the schema changes are interrupted for any reason, errors are logged in:
<install-directory>/DBUpgrade/SchemaUpdate
where the default <install-directory> is /opt/dsm (Linux) or C:\Program Files\Trend Micro\Deep Security Manager (Windows).
Within the above directory, two types of files are created:
  • T-00000-Plan.txt - This file contains all data definition language (DDL) SQL statements that the installer will use to update the schema.
  • T-00000-Progress.txt - This file contains the schema update progress logs. When the installer is finished, it changes the file name to either T-00000-Done.txt (successful update) or T-00000-Failed.txt (update failure).
Note
In a multi-tenant environment, the "00000" in the file name is replaced with the tenant number, such as "00001" for tenant t1.
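The following added example (not Trend Micro's code) reads the SchemaUpdate directory using the file naming described above and reports the schema update state per tenant number, with the tail of any Failed or Progress log for triage. The state labels, function names and the sample files it creates are assumptions constructed for illustration; the log contents are not real installer output.

```python
import re
import tempfile
from pathlib import Path

# Naming scheme from this page: T-<tenant number>-<Plan|Progress|Done|Failed>.txt
NAME_RE = re.compile(r"^T-(\d{5})-(Plan|Progress|Done|Failed)\.txt$")


def schema_update_status(schema_dir):
    """Map each tenant number found in schema_dir to its schema update state."""
    kinds = {}
    for path in Path(schema_dir).iterdir():
        match = NAME_RE.match(path.name)
        if match and path.is_file():
            kinds.setdefault(match.group(1), set()).add(match.group(2))
    # Progress is renamed when the installer finishes, so a leftover Progress
    # file means the update is still running or was interrupted.
    order = (("Failed", "failed"), ("Progress", "unfinished"), ("Done", "done"))
    return {
        tenant: next((label for kind, label in order if kind in found), "plan-only")
        for tenant, found in sorted(kinds.items())
    }


def log_tail(schema_dir, tenant, count=3):
    """Return the last lines of a tenant's Failed or Progress log for triage."""
    for kind in ("Failed", "Progress"):
        path = Path(schema_dir) / f"T-{tenant}-{kind}.txt"
        if path.is_file():
            return path.read_text(errors="replace").splitlines()[-count:]
    return []


def build_sample_dir():
    """Create a temp directory of constructed files (not real installer output)."""
    root = Path(tempfile.mkdtemp(prefix="SchemaUpdate-"))
    for name in ("T-00000-Plan.txt", "T-00000-Done.txt", "T-00001-Plan.txt",
                 "T-00001-Failed.txt", "T-00002-Plan.txt", "T-00002-Progress.txt",
                 "notes.txt"):
        (root / name).write_text(f"constructed sample line for {name}\n")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for tenant, state in schema_update_status(sample).items():
        print(tenant, state, log_tail(sample, tenant))
```

To use it on a real manager, pass `<install-directory>/DBUpgrade/SchemaUpdate` to `schema_update_status` instead of the sample directory.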

Roll back an unsuccessful upgrade of the manager

If problems occur when you upgrade to Deep Security Manager, you can quickly revert to a functional state if you:
  • Backed up the database before the upgrade
  • Didn't upgrade the agents, relays, or virtual appliances yet (or have VM snapshots or system backups that you made before the upgrade)
  1. Stop the Deep Security Manager service.
  2. Restore the database.
  3. Restore all Deep Security Manager server nodes.
  4. If you changed the hostname, FQDN, or IP address of the Deep Security Manager during the upgrade, restore them.
  5. Restore the agents, relays, and virtual appliances.
  6. Start the Deep Security Manager service.
  7. Verify connectivity to the Deep Security Manager, including the connection between the manager and agents.