IBM Support

IBM QRadar Packet Capture upgrade path (Updated)

Troubleshooting


Problem

Not all IBM QRadar Packet Capture patches are cumulative. Use the specific install path below to patch your PCAP products.

NOTE: QRadar Network Packet Capture is not the same product as QRadar Packet Capture (two separate products), for Network PCAP upgrades:

Diagnosing The Problem

SSH to your PCAP using custom port 4477. If you have never logged in, the default credentials are:
username: root
password: P@ck3t08..
Once you are logged in:
cat /root/version.txt
The output should be similar to this number:
7.3.0.307
An output that doesn't end in a letter is typically an IBM appliance master.
You might also see variations of this output. Here is why they differ:
7.3.0.307D
An output ending with D means this is an appliance license and is a PCAP DataNode connected to a PCAP Master. You can connect one or two separate PCAP DataNodes to a single PCAP Master.
7.3.0.307-1G
An output ending in -1G means this PCAP license is a software install on top of customer-provided hardware and RHEL OS.

Resolving The Problem

If /root/version.txt is an appliance master or datanode:
example: 7.3.0.307 or 7.3.0.307D
Then download the .sfs files under the fix packs and interim fix sections of Fix Central. Both appliances are patched using the same file. There is no separate sfs for the PCAP Master and another for the PCAP DataNode, even though the ISOs used for them are separate. A typical sfs filename would be:
7.3.1-QRadar-PCAP-Build-322.sfs
If /root/version.txt is SOFTWARE only, ending in -1G, then apply files from the 1G Software Installer or SOFTWARE INSTALLER section of Fix Central. A typical filename would look like this:
7.3.1-QRadar-PCAP-Build-322-1G.sfs

Administrators are required to patch from their current build through the upgrade path outlined in this table until they are at the most current version. It is important that administrators do not attempt to skip over versions. QRadar Packet Capture software does not support skipping versions (cumulative updates), unless defined in the upgrade progression table.

Note: If you accidentally skipped over the patch, it may be easier to rebuild the appliance with the latest ISO and start your patching from that point forward.
For the patches that ARE cumulative such as 7.2.7.257 to 7.2.8.279, you can also patch to the specific releases in between such as patching to 7.2.8.277 from 7.2.8.257.

The matrix below only patches APPLIANCES to the latest 7.2.8 version:

| Current Build | Upgrade Build | Notes |
|---|---|---|
| 7.2.4.220 | 7.2.4.221 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.4.221 | 7.2.5.229 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.5.229 | 7.2.5.230 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.5.230 | 7.2.6.241 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.6.241 | 7.2.7.256 | Important: Patch 7.2.7.256 requires three reboots to activate the software after the update completes. |
| 7.2.7.256 | 7.2.7.257 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.7.257 | 7.2.8.279 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.8.279 | Latest 7.2.8 release on Fix Central | This version is the minimum required QRadar Packet Capture version to be able to upgrade to QRadar 7.2.x software versions. Reboot your appliance after the software update completes. |

The matrix below only patches APPLIANCES to the latest version:

| Current Build | Upgrade Build | Notes |
|---|---|---|
| 7.2.4.220 | 7.2.4.221 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.4.221 | 7.2.5.229 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.5.229 | 7.2.5.230 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.5.230 | 7.2.6.241 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.6.241 | 7.2.7.256 | Important: Patch 7.2.7.256 requires three reboots to activate the software after the update completes. |
| 7.2.7.256 | 7.2.7.257 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.7.257 | 7.2.8.273 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.8.273 | 7.3.1.321 | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.3.1.321 | Latest 7.3.x release on Fix Central | This version is the minimum required QRadar Packet Capture version to be able to upgrade to QRadar 7.3.x software versions. Reboot your appliance after the software update completes. |
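
As an added example (not IBM's code), the POSIX shell functions below classify a /root/version.txt string by its suffix and list the sequential hops from the appliance matrix above that ends at the latest 7.3.x release. The function names are hypothetical, the sample input is constructed, and mapping a DataNode build to a matrix row by dropping the trailing D is an assumption; a build that is not a row in the matrix is reported as an error instead of being guessed at.

```shell
#!/bin/sh
# Added example: plan patch hops from the appliance matrix (latest version).

# Classify a /root/version.txt string by its suffix.
classify_build() {
    case "$1" in
        *-1G)   echo software ;;
        *D)     echo datanode ;;
        *[0-9]) echo master ;;
        *)      echo unknown ;;
    esac
}

# Next build for an appliance, transcribed row by row from the matrix.
next_hop() {
    case "$1" in
        7.2.4.220) echo 7.2.4.221 ;;
        7.2.4.221) echo 7.2.5.229 ;;
        7.2.5.229) echo 7.2.5.230 ;;
        7.2.5.230) echo 7.2.6.241 ;;
        7.2.6.241) echo 7.2.7.256 ;;
        7.2.7.256) echo 7.2.7.257 ;;
        7.2.7.257) echo 7.2.8.273 ;;
        7.2.8.273) echo 7.3.1.321 ;;
        *) return 1 ;;
    esac
}

# Print the ordered hops; status 2 = not an appliance, 1 = build not in matrix.
upgrade_path() {
    case "$(classify_build "$1")" in
        master)   build=$1 ;;
        datanode) build=${1%D} ;;   # assumption: same row as the master build
        *) echo "not an appliance build: $1" >&2; return 2 ;;
    esac
    while nxt=$(next_hop "$build"); do
        reboots=1
        if [ "$nxt" = 7.2.7.256 ]; then reboots=3; fi   # per the matrix note
        echo "$build -> $nxt (reboots: $reboots)"
        build=$nxt
    done
    if [ "$build" != 7.3.1.321 ]; then
        echo "build $build is not a row in the matrix" >&2
        return 1
    fi
    echo "$build -> latest 7.3.x (reboots: 1)"
}

# Constructed sample input; on the appliance pass "$(cat /root/version.txt)".
upgrade_path "7.2.7.256D"
```
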

The matrix below only applies to 1G/SOFTWARE installations

| Current Build | Upgrade Build | Notes |
|---|---|---|
| 7.2.6.241-G or lower | 7.2.7.256-1G | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.7.256-1G | 7.2.8.277-1G | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.8.277-1G | 7.2.8.278-1G | Reboot your QRadar Packet Capture appliance after the software update completes. |
| 7.2.8.278-1G | Latest 7.3.x.x-1G release on Fix Central | This version is the minimum required QRadar Packet Capture version to be able to upgrade to QRadar 7.3.x software versions. Reboot your appliance after the software update completes. |

Links
To locate the QRadar Packet Capture software, select the appropriate link for IBM Fix Central:




Document Location

Worldwide


Document Information

Modified date:
28 October 2020

UID

swg21999206