IBM Support

Best practices for firmware upgrades on QRadar Network Security sensors

Question & Answer


Question

What are the best practices and recommendations to upgrade the firmware on QRadar Network Security (XGS) sensors?

Answer


Verifying whether a firmware update is available for the XGS

There are two ways to verify whether there are new firmware versions available for the XGS:
  • Check for firmware updates via SiteProtector Console:

    The Update Status column shows new updates for the XGS.

  • Check for firmware updates via Local Management Interface (LMI):

    Go to Manage System Settings > Available Updates. The screen shows the available updates if they are ready to install.




Is there a required upgrade path for firmware updates on XGS?

No, starting with version 5.2, all firmware updates for XGS are cumulative. The latest version can be installed from any previous version.


Do you have to create a backup before updating XGS firmware?

Having a backup in place before making system changes is a good practice but is not specifically required for firmware updates. Firmware updates are installed on the inactive partition of the appliance. When the upgrade is performed, the system changes the inactive partition to active and boots the device from that partition. The previously active partition is set to inactive and acts as a backup.


Are there prerequisites for updating the firmware?
  • If the device is managed through SiteProtector, it is strongly recommended that the SiteProtector Database component be updated to the latest version for both content updates and service packs before updating the XGS itself. This ensures that your management system is already prepared to manage the new XGS version.
  • If the device is managed through SiteProtector, you should migrate the device's policies in SiteProtector before performing the firmware update. This will ensure that the appliance has the proper policies after the update is complete. Instructions for migrating the policies can be found in Technote: Migrate policies prior to running XGS firmware updates.
  • You should ensure that you have a valid license installed.

Is there any downtime during the firmware update process?

Yes, the appliance is rebooted during the firmware update and you might observe traffic interruptions through the protection interfaces. It is recommended that the update be scheduled during a maintenance window.


How much time does the firmware update take to complete?

The time for the firmware update to complete may vary depending on pre-upgrade and post-upgrade activities in the environment. If the upgrade package has already been downloaded beforehand, the time to complete the process will be reduced significantly. It is known that the process may take up to 4 hours to complete in cases where slow network connections delay the update download process.


What are the recommended steps to update the firmware on the XGS sensor?

See Technote: Manually applying updates to the IBM Security Network Protection (XGS) appliance for instructions on manually applying XGS updates.


How do you monitor the progress of the firmware update?
  1. Log in to the XGS using the admin account over an SSH connection.
  2. Enter the following command:

    logs tail -F system

    This will show the system logs in real time and will allow you to see when the device restarts after the update.
  3. On a separate system, initiate a continuous ping to the device to confirm when the device is back up.
  4. After several minutes of receiving successful ping responses, connect to the LMI and confirm that the upgrade was successful.
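
Steps 3 and 4 can be scripted on the separate system. The following is an added example, not IBM-provided code: it turns the ping results into phases (waiting, down, recovering, stable) and reports stable only after an unbroken run of replies. The `XGS_HOST` variable, the 180-reply threshold, and the Linux iputils `ping` options are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): follow an XGS reboot from a separate host.

# reboot_state NEED
# Reads one probe result per line on stdin ("1" = reply, "0" = no reply)
# and prints the phase reached:
#   waiting     appliance has not gone down yet (update still installing)
#   down        no replies: the reboot is in progress
#   recovering  replies have resumed but the streak is shorter than NEED
#   stable      NEED consecutive replies after the outage; safe to open the LMI
reboot_state() {
    need=$1
    phase=waiting
    streak=0
    while read -r r; do
        case "$phase:$r" in
            waiting:0)    phase=down ;;
            down:1)       phase=recovering; streak=1 ;;
            recovering:1) streak=$((streak + 1)) ;;
            recovering:0) phase=down; streak=0 ;;   # flapped: restart the count
        esac
        if [ "$phase" = recovering ] && [ "$streak" -ge "$need" ]; then
            phase=stable
            break
        fi
    done
    printf '%s\n' "$phase"
}

# probe_loop HOST
# Emits 1 or 0 roughly once per second. Assumes Linux iputils ping,
# where -W is the reply timeout in seconds.
probe_loop() {
    while :; do
        if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
        sleep 1
    done
}

# Live use: XGS_HOST (assumed variable name) is the management address.
# 180 replies at one per second approximates "several minutes".
if [ -n "${XGS_HOST:-}" ]; then
    probe_loop "$XGS_HOST" | reboot_state 180
fi
```

A result that stays at `waiting` means no outage was ever observed, so the appliance has not rebooted yet or the reboot fell between probes; check the `logs tail -F system` output from step 2 in that case.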


Is it possible to roll back the firmware update?

Yes, it is possible to roll back the update from the LMI. Go to Manage System Settings > Firmware Settings and click the Set Active option to set your Inactive partition as Active. This will restore the device to the state it was in just prior to the update.


What post update checks should be performed?
  • Ensure that traffic is passing through the device.
  • Ensure that you are seeing events in the LMI and SiteProtector.
  • Verify your policies and configuration.

What do you do if something goes wrong?

Report the issue to IBM Security Support and provide a support file from the sensor for investigation.


Document Information

Modified date:
08 March 2021

UID

swg21965396