Important requirements and considerations

Review these important requirements carefully before you proceed with the upgrade.

  • This document provides information on how to upgrade from Network Security Platform versions 8.1, 8.3, and 9.1 to version 9.2. If you are on a version other than the ones mentioned here, see the corresponding upgrade guide and release notes to first upgrade to the minimum required version for 9.2. For example, suppose your current version is in the 8.1 release train but is not supported for upgrade to 9.2. In that case, see the latest Network Security Platform 8.1 Upgrade Guide and upgrade to the latest 8.1 version before you upgrade to 9.2.
  • The minimum required software versions to upgrade to 9.2 are provided in the following sections:
  • After you upgrade the Central Manager or the Manager to 9.2, you might be prompted to restart the server. If prompted, it is highly recommended that you restart the server.
  • Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But from JRE version 1.8.0_153, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.
    Note: The 9.2 Manager server does not come bundled with client-side JRE. However, your network might have devices that run pre-8.3 software versions that you intend to manage with an 8.3 Manager. In such circumstances, you must download the latest version of JRE.
  • If you have IPv6 Sensors behind a firewall, you must update your firewall rules so that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager. This applies to a local firewall running on the Manager server as well. You must finish updating your firewall rules before you begin the 9.2 upgrade.
  • Following are the ports that are used for Sensor-to-Manager communication in release 9.2. Before you begin the 9.2 upgrade process, make sure that your firewall rules are updated accordingly to open up the required ports. This applies to a firewall that resides between the Sensor and the Manager (including a local firewall on the Manager server).
    | Port # | Protocol | Description | Direction of communication |
    |--------|----------|-------------|----------------------------|
    | 8501 | TCP | Proprietary (Bulk file transfer channel for 2048-bit and SHA256 certificates) | Sensor-->Manager |
    | 8502 | TCP | Proprietary (Bulk file transfer channel for 2048-bit and SHA256 certificates) | Sensor-->Manager |
    | 8503 | TCP | Proprietary (Bulk file transfer channel for 2048-bit and SHA256 certificates) | Sensor-->Manager |
    | 8504 | TCP | Proprietary (file transfer channel) | Sensor-->Manager |
    | 8506 | TCP | Proprietary (install channel for 2048-bit certificates). For information on 2048-bit certificates, see Migration from SHA1 to SHA256 signing algorithm | Sensor-->Manager |
    | 8507 | TCP | Proprietary (alert channel/control channel for 2048-bit and SHA1 certificates) | Sensor-->Manager |
    | 8508 | TCP | Proprietary (packet log channel for 2048-bit and SHA1 certificates) | Sensor-->Manager |
    | 8509 | TCP | Proprietary (Bulk file transfer channel for 2048-bit and SHA1 certificates) | Sensor-->Manager |
    | 8510 | TCP | Proprietary (Bulk file transfer channel for 2048-bit and SHA256 certificates) | Sensor-->Manager |
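
One way to confirm the firewall change before starting the upgrade is to probe the TCP ports listed above from a host on the Sensor side of the firewall. The script below is an added example, not part of the product or its documentation; the script name, function names, and the idea of running it from a host in the Sensor network segment are assumptions.

```python
import socket
import sys

# TCP ports the page lists for Sensor-to-Manager communication in release 9.2.
# UDP 4166/4167 (SNMP command channel) are not probed: UDP has no handshake,
# so a connect-style check cannot tell an open path from a dropped one.
SENSOR_TO_MANAGER_TCP = (8501, 8502, 8503, 8504, 8506, 8507, 8508, 8509, 8510)


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the host is reachable but nothing listens on the
        # port, or a firewall rejects (rather than drops) the connection.
        return "refused"
    except OSError:
        # Timeout, unreachable or unresolvable: typical of a silent drop.
        return "filtered"


def check_manager(host, ports=SENSOR_TO_MANAGER_TCP, timeout=2.0):
    """Probe every port and return {port: status}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that did not answer at all and need a firewall rule review."""
    return sorted(p for p, status in results.items() if status == "filtered")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # check_ports.py is a hypothetical script name.
        sys.exit("usage: check_ports.py <manager-address>")
    results = check_manager(sys.argv[1])
    for port, status in sorted(results.items()):
        print(f"{port}/tcp  {status}")
    if blocked_ports(results):
        sys.exit(1)
```

A "filtered" result points at a rule that still drops the traffic, either on the intermediate firewall or on the Manager server's local firewall. The SNMP command channel ports must be verified from the firewall rule set itself.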