Special upgrade situations

In special situations, you must take additional steps before or after upgrading.

Situation Action
Installing a new McAfee ESM model Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades.

To get your permanent user name and password, email Licensing@McAfee.com with the following information:

  • McAfee grant number
  • Account name
  • Address
  • Contact name
  • Contact email address

Obtaining offline rule updates
  1. Go to http://www.mcafee.com/us/downloads/downloads.aspx.
  2. In the upper right corner, click Download My Products and click Go.
  3. Enter your grant number, type the letters displayed, then click Submit.
  4. Click MFE Enterprise Security Manager, then click MFE Nitro Rules Downloads.
  5. Read the license agreement, then click I Agree.

    The available update files appear by ESM version.

  6. Download the rules for the version of your ESM.
Resolving device communication issues If you upgraded a McAfee device prior to upgrading the ESM) or the ESM is in the middle of upgrading, this message might appear: The device needs to be upgraded to 9.6.0 before the operation can be performed. Verify that the ESM has the correct version.
  1. On the ESM console, select the device in the system navigation tree, then select the Properties icon.
  2. Click Connection, then click Status.
  3. Retry the operation that resulted in the message.
Upgrading a redundant ESM

Upgrade the primary ESM first, then upgrade the redundant ESM.

  1. On the primary ESM, select the ESM on the navigation tree and click the Properties icon.
  2. Click Events, Flows & Logs and deselect Auto check interval.
  3. After upgrading the redundant ESM, re-enable the collection of events, flows, and logs on the primary ESM.
McAfee ePO with Policy Auditor If the McAfee ePO device is already on the ESM, you must refresh it. Refreshing registers Policy Auditor as a VA source, which in turn allows Policy Auditor to be written to vathirdparty.conf.
  1. If you are not on an all-in-one device, upgrade the Receiver where the McAfee ePO device is connected.
  2. On the ESM console, click ePO PropertiesDevice Management, then click Refresh.
    Note: You can set up auto-retrieval on the Device Management tab.
  3. Click Receiver Properties, then click the Vulnerability Assessment tab.
  4. Click Write.
  5. Repeat step 2 to get VA data on the ESM.
  6. Log off the ESM console, then log back in.
Upgrading High Availability (HA) Receivers

Before you upgrade, set your preferred primary Receiver to No Preference, which allows you to use the Fail-Over option.

The upgrade process requires the user to upgrade the secondary Receiver, click Fail-Over, then upgrade the new secondary Receiver. In this way, a primary Receiver is collecting data throughout the process, ensuring minimal data loss. After you upgrade both Receivers, reapply your preferred primary Receiver.

Rebuilding the ELM management database

Indexing your ELM management database might require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete the indexing.

However, this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.

To check the status of the rebuild, go to ELM Properties | ELM Information. If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.

If you have Receivers logging to the ELM and they are near maximum capacity, contact Technical Support.

Upgrading a redundant ELM

Upgrade the standby ELM first, then upgrade the active ELM.

The upgrade process suspends the ELM redundancy. After upgrading both ELMs, you must restart the ELM redundancy.

  1. Upgrade the standby ELM.
  2. Upgrade the active ELM.
  3. On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy, then click Return to Service.
  4. Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.
  5. If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK, redundant ELM rsync is 100% complete. You might need to click Refresh several times.