Chicago (Midwest) Data Loss Prevention User Group

  • 1.  DLP 11 upgrade: any tips or tricks, comments, known issues

    Posted Apr 28, 2011 12:44 PM

    Hi All,

    We are planning to upgrade DLP from 9 to 10 and then 10 to 11, also Oracle database 10 to 11g. I am wondering if anyone is aware of any issues/complexity with DLP or Oracle upgrade in general. Is there anything to look out for? Any recommendations for upgrade procedures, tips and tricks to make the upgrade go smoother?

    Thanks.

    Muhammad Azam

    HSBC



  • 2.  RE: DLP 11 upgrade: any tips or tricks, comments, known issues

    Posted May 03, 2011 08:24 PM

    I'd seriously consider the use of professional services for this operation. Not trying to use this forum for drumming up services work, but yes, there are complexities, gotchas, and planning and preparation for this endeavor that a qualified professional services partner will be able to help you out with.

    Not knowing the details of your specific implementation, it would be impossible to say here what you might encounter. 

    And if I can be of assistance, please feel free to reach out to me directly.

    ~Keith



  • 3.  RE: DLP 11 upgrade: any tips or tricks, comments, known issues

    Posted May 05, 2011 11:47 AM

    What I did for this was as follows:

     

    a) Opened a ticket with Symantec Support.

    b) Asked their engineer to go over the environment (Linux Red Hat) and see if any issues with the software needed to be fixed.

    c) Started reading the documentation.

    d) Had no issues when I followed the instructions; I made the 11g work with 300 gigs of hard drive space instead of 500.

    e) The easy part for me was to ignore all existing policies and scans because the old setup was a test environment and this helped in brute forcing the installs....:)

    f) I did save the old policies just in case, the xml files for templating the new fresh ones.

    g) Kept the ticket open with Symantec for a week, just in case, and used to update the ticket via emails every day and requested the same engineer every time I called them, to clarify some points in the documentation.

    h) We were confused about how to move from 10.x to 11 for a day but later on decided to do a direct install of 11 and not to upgrade from 10.x etc....this was agreed upon by the Symantec support too...

    This install on Linux was more complicated but once the install environment is set, it's all a matter of unzip and install and follow the documentation on a handful of options. Mostly default...

     



  • 4.  RE: DLP 11 upgrade: any tips or tricks, comments, known issues

    Posted May 06, 2011 03:45 PM

    Thank you.



  • 5.  RE: DLP 11 upgrade: any tips or tricks, comments, known issues
    Best Answer

    Posted May 09, 2011 01:03 PM

    We recently went from 9 to 11.1 in a Windows environment. Key preparatory steps were to:

    Verify free disk space on all boxes to be upgraded.

    Get the very latest v11 install/upgrade packages. There was apparently an issue with earlier ones.

    Upgrade all instances of WinPcap on DLP servers to latest (v4.12 when we upgraded).

    On Windows-based Network Monitor servers with Endace cards, we were told specifically to not upgrade the Endace software to the latest. For our DAG-4 cards, we stayed on Endace v3.3.1.

    Make sure that Oracle was at version 10.2.0.4 (higher may be supported, but we were at 10.2.0.4), and that it used the correct character set (AL32UTF8). If it was set up properly in the first place, using the scripts/template packaged with Vontu, it should already use this, but ours had to be changed. There's a SQL script in the upgrade_9_to_10 package to check and report the character set in the upgrade software, with instructions in the documentation.

    There are two Oracle "alter system" commands that need to be run. They're in the upgrade instructions.

    In the full installation software for v11/11.1, there is an oracle_create_user.sql script. Get your DBA to run all the "grant" statements in that script, using the appropriate Vontu db username, before you start the upgrade from v9. That will set/ensure db permissions that the Vontu account will need.

    Ensure that all people who will access the upgraded Enforce console are using Internet Explorer 7 or higher, or Firefox 3 (but not 4). Other browsers, or other versions of these browsers, won't work.

    Have one .slf license file for v10 ready at hand. The upgrade from v9 to v10 will require it before you can proceed beyond the first steps. Any of the v10 slf files should work. The remainder can be entered after the upgrade is complete.

    Plan to upgrade everything from v9 to v10, then do a separate pass to upgrade from v10 to v11.

    Other preparation steps are in the upgrade guides, and are straightforward.

    After the upgrade, we noticed several issues:

    Reports with very large numbers of incidents wouldn't display, and we were getting a system error message. This turned out to be an Oracle issue, and fixable with a workaround setting, a patch, or an upgrade to v10.2.0.5 or higher.

    Network Monitor servers (Win 2003 R2 SP 2) with Endace cards needed the following appended to boot.ini (and then rebooting) to restore operation:  /3GB /Userva=3030

    Recipient domains used as policy exceptions in email policies had to be prepended with the @ sign for accurate, consistent recognition. Unfortunately, this can prevent much normal domain "wildcarding".

    System event alerts stopped functioning, even after setting up new alerts using the event codes of v10+. Email notifications sent as part of automated responses, and emailing of reports, appear to work just fine. We're still working with tech support to resolve this one.

    Hope this helps...
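
An added example, not part of the thread and not the script shipped in the upgrade_9_to_10 package: a read-only SQL*Plus pre-flight check for the Oracle items in the answer above (character set, release, and the grants held by the Vontu database account). The substitution variable `vontu_db_user` is a placeholder for your own account name; the queries use standard Oracle dictionary views and must be run by a DBA.

```sql
-- Added example: read-only pre-upgrade checks, run as a DBA in SQL*Plus.
-- &vontu_db_user is a placeholder; SQL*Plus prompts for the real account name.

-- 1. Database character set. The answer above expects AL32UTF8.
SELECT value AS db_characterset,
       CASE WHEN value = 'AL32UTF8' THEN 'OK' ELSE 'MISMATCH' END AS status
  FROM nls_database_parameters
 WHERE parameter = 'NLS_CHARACTERSET';

-- 2. Oracle release. The answer above upgraded from 10.2.0.4.
SELECT version,
       CASE WHEN version LIKE '10.2.0.4%' THEN 'same as in the thread'
            ELSE 'confirm against the upgrade guide' END AS status
  FROM v$instance;

-- 3. System privileges and roles currently held by the Vontu account.
--    Compare the result with the "grant" statements in oracle_create_user.sql:
--    anything missing must be granted before the upgrade, and anything beyond
--    that list is excess privilege worth reviewing.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS granted, admin_option
  FROM dba_sys_privs
 WHERE grantee = UPPER('&vontu_db_user')
UNION ALL
SELECT 'ROLE', granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = UPPER('&vontu_db_user')
 ORDER BY 1, 2;
```

Saving the output of the third query before and after the DBA applies the grants gives a record of exactly which permissions the upgrade added to the account.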



  • 6.  RE: DLP 11 upgrade: any tips or tricks, comments, known issues

    Broadcom Employee
    Posted May 16, 2011 08:59 PM

    Your steps are so detailed!