IBM Support

QRadar: Software upgrade progression for QRadar appliances

Question & Answer


Question

This document defines what software 'Fix Packs' required to upgrade the software on an IBM Security QRadar appliance from any patch / version to the latest software.

Answer

Upgrade progression for IBM Security QRadar products

This page defines the upgrade progression for QRadar products. The intent of this page is to provide the current version and define the software installations required to upgrade your QRadar® appliance to the latest version. The basic installation instructions, file names, file types, and any additional notes are provided.

NOTE: To find a master list of all software versions and release notes, see: http://ibm.biz/qradarsoftware.

Before you begin


The table below provides a list of software versions and links to the software required to complete a software update. Installations can require either an ISO file or a SFS file to upgrade. The file type and a direct link is provided to assist with selecting the proper file for the software upgrade. Administrators can use the table below to understand how to update their appliances to the latest software version. Column 1 defines the current software version installed on the appliance and column 2 indicates the software that must be installed to progress to the next software level.

Row
1. Console software version2. Updates to this versionDownload
Notes
1
QRadar 6.3.1
(6.3.1.138355 to 6.3.1.259809)
QRadar 7.0 MR5 Patch 2 (7.0.0.342942)Software ISOAbout: To update from 6.3.1 to 7.0MR5, we suggest that customers use an ISO file to update to QRadar 7.0 MR5 Patch 2. The installation requires the administrators to mount an ISO file and run the pretest and software update to ensure the minimum requirements are met for the upgrade. The upgrade must be first installed on the Console, then on each managed host in the deployment until all appliances are at the same software version.

Release Notes: QRadar 7.0 MR5 Upgrade Guide.

Before you begin: The upgrade from QRadar 6.3.1 to 7.0 MR5 includes multiple user interface updates, along with an installation menu to determine how to migrate data based on updates to the security template. Specific changes are outlined in the documentation. Administrators must review the upgrade guide to understand the changes before they start the upgrade process. The following page outlines the tuning template update options provided to administrators: Tuning template options for 6.3.1 to 7.0 upgrades.

Note for HA users with offboard storage: Before an administrator attempts to upgrade a High-availability (HA) pair with offboard storage the administrator must break the HA pairing by using the Admin tab > System and License Management in the user interface. After the upgrade is complete, the administrator can reconnect the primary and secondary appliances to recreate the HA pair.

What to do next:
- If you plan to stay at software version 7.0 MR5, we suggest that administrators apply the latest fix pack to receive software fixes and vulnerability updates. See row #3 for information on applying the latest fix pack for QRadar 7.0 MR5.

- If you want to upgrade to a version beyond 7.0 MR5, then you can proceed to row #4 to upgrade your deployment to QRadar 7.1.
2
QRadar 7.0 initial release to
7.0 MR4
(7.0.0.164099 to 7.0.0.276729)
QRadar 7.0 MR5 Patch 1 (7.0.0.325222)Fix packAbout: If your system is already at QRadar 7.0, but at a version below 7.0 MR5, you must apply a fix pack to get to a version of QRadar 7.0 MR5 that can be upgraded. The release notes for the latest fix pack are listed with the software download.

Before you begin: Fix packs are capable of updating the entire deployment to the latest software version with the patch all option. You must update all appliances in the deployment to the same software version to avoid issues and ensure they communicate properly.

What to do next:
- If you plan to stay at software version 7.0 MR5, we suggest that administrators apply the latest fix pack to receive software fixes and vulnerability updates. See row #3 for information on applying the latest fix pack for QRadar 7.0 MR5.

- If you want to upgrade to a version beyond 7.0 MR5, then you can proceed to row #4 to upgrade your deployment to QRadar 7.1 MR2 Patch 3.
3
QRadar 7.0 MR5 Patch 1 or above (7.0.0.325222 to 7.0.0.xxxxxx)QRadar 7.0 MR5 LatestFix packAbout: To update from 7.0MR5 Patch 2 to the latest version of QRadar 7.0 MR5 software version, administrators can download and apply the most recent fix pack. The release notes for the latest fix pack are listed with the software download.

What to do next: If in the future you want to upgrade to a version beyond 7.0 MR5, then you can proceed to row #4 to upgrade your deployment to QRadar 7.1.
4
QRadar 7.0 MR5 Patch 2 or above (7.0.0.342942 - 7.0.0.xxxxxx)QRadar 7.1 MR2 Patch 3 (7.1.0.682020)Software ISOAbout: Customers at QRadar 7.0 MR5 can use an ISO to update their system to QRadar 7.1 MR2. There is no need to install 7.1 MR1 software before progressing to QRadar 7.1 MR2. The QRadar 7.1 MR2 update must be run on the Console, then on each managed host in the deployment. The documentation outlines this process and the required appliance upgrade order.

Release Notes: QRadar 7.1 MR2 Upgrade Guide

Before you begin: The QRadar 7.1 MR2 Upgrade Guide includes suggested memory updates that Administrators might want to consider before they begin their upgrade. The suggested memory was added to ensure performance expected by QRadar users is maintained with the scope of new features made available in the product.

Note for HA users with offboard storage: Before an administrator attempts to upgrade a High-availability (HA) pair with offboard storage the administrator must break the HA pairing by using the Admin tab > System and License Management in the user interface. After the upgrade is complete, the administrator can reconnect the primary and secondary appliances to recreate the HA pair.

What to do next:
- If you plan to stay at software version 7.1 MR2, we suggest that you also apply the latest fix pack to ensure that you have the latest fixes for your software version. See row #5 for information on applying a fix pack for QRadar 7.1 MR2 Patch 5.

- If you want to upgrade to a version beyond 7.1 MR2, then you can proceed to row #6 to upgrade your deployment to the next software version.

If you are going to stop updating at this QRadar version, the administrator should review IBM Fix Central to determine if any Interim Fixes are available. To view Interim Fixes for older software patches, expand the Show superseded fixes option to view all available Interim Fixes. To look for Interim Fixes and review the release notes, see Interim Fix.
5
QRadar 7.1.0 initial release to 7.1 MR2 Patch 4 (7.1.0.380596 to 7.1.0.752774)QRadar 7.1 MR2 (Latest Patch Available)

We always recommend administrators install the latest patch version available as it has the most recent code and fixes available.
Fix packAbout: To update to the latest version of QRadar 7.1 MR2 software, administrators can download and apply the most recent fix pack. The release notes for the latest fix pack are listed with the software download.

Before you begin: Fix packs are capable of updating the entire deployment to the latest software version with the patch all option. You must update all appliances in the deployment to the same software version to avoid issues and ensure they communicate properly. The QRadar 7.1 MR2 Upgrade Guide includes suggested memory updates that Administrators might want to consider before they begin their upgrade. The suggested memory was added to ensure performance expected by QRadar users is maintained with the scope of new features made available in the product.

Installation Note: A mount directory instruction changed in this upgrade, which might be difficult to notice. The correct mount directory is /isos, not /iso as defined in some older upgrade guides. If the mount point is /iso, then an installation error can be displayed.

What to do next: If you want to upgrade from QRadar 7.1MR2 to QRadar 7.2.4 latest, then you can proceed to row #6 or 7, dependning on the current patch version to upgrade your deployment to the next software release.
6
QRadar 7.1 MR2 (Patch 1-9)

QRadar 7.2.4 Patch 5

Fix packAbout: QRadar 7.2. and above are the first product versions that allow QRadar upgrades by fix pack installations. Administrators at QRadar 7.1 MR2 and above can now use the latest fix pack to upgrade their deployment to the most current software release. We always recommend administrators install the latest patch version available as it has the most recent code and fixes available.

Release Notes: QRadar 7.2 MR1 Upgrade Guide

Installation Note: Administrators should review the minimum memory requirements for their appliances before starting an upgrade. 7.2 MR1 Patch 2 is the first version to enforce a minimum memory requirement. If an appliance in the deployment cannot be upgraded due to memory requirements it can prevent that appliance from being properly added back to the deployment because the software version might be out-of-sync with the Console and other appliances. If you have an appliance that does not meet the minimum memory requirements, you can choose to install QRadar 7.2 MR1 Patch 1 (7.2.1.694499) instead.

Before you begin: The upgrade from QRadar 7.1MR2 to QRadar 7.2.4 (latest) includes a menu option administrators should read and understand before starting their upgrade. This menu provides options on how to handle asset data as updates were made to the asset model. When the administrator installs the fix pack, they are prompted to select an upgrade option for their existing asset data. For information, see the upgrade guide or Upgrading QRadar from 7.1 to 7.2: Options for migrating asset data.

What to do next: If you want to upgrade from QRadar 7.2.4 (latest) to QRadar 7.2.5, then you can proceed to row #9 to upgrade your deployment to the next software version.
7
QRadar 7.1 MR2 Patch 10,11, or 12

***IMPORTANT***: If you are on 7.1 MR2 Patch 10, 11, or 12, you must upgrade to QRadar 7.2.4 Patch 6 per APAR IV79451. For more information, see: Upgrading and APAR IV79451.
QRadar 7.2.4 Patch 6

Fix packAbout: QRadar 7.2. and above are the first product versions that allow QRadar upgrades by fix pack installations. Administrators at QRadar 7.1 MR2 and above can now use the latest fix pack to upgrade their deployment to the most current software release. We always recommend administrators install the latest patch version available as it has the most recent code and fixes available.

Release Notes: QRadar 7.2 MR1 Upgrade Guide

Installation Note: Administrators should review the minimum memory requirements for their appliances before starting an upgrade. 7.2 MR1 Patch 2 is the first version to enforce a minimum memory requirement. If an appliance in the deployment cannot be upgraded due to memory requirements it can prevent that appliance from being properly added back to the deployment because the software version might be out-of-sync with the Console and other appliances. If you have an appliance that does not meet the minimum memory requirements, you can choose to install QRadar 7.2 MR1 Patch 1 (7.2.1.694499) instead.

Before you begin: The upgrade from QRadar 7.1MR2 to QRadar 7.2.4 (latest) includes a menu option administrators should read and understand before starting their upgrade. This menu provides options on how to handle asset data as updates were made to the asset model. When the administrator installs the fix pack, they are prompted to select an upgrade option for their existing asset data. For information, see the upgrade guide or Upgrading QRadar from 7.1 to 7.2: Options for migrating asset data.

What to do next: If you want to upgrade from QRadar 7.2.4 Patch 6 to a later version of QRadar, you must upgrade to 7.2.6 Patch 3 or above. For more information, see: Upgrading and APAR IV79451.

If you are going to stop updating at this QRadar version, the administrator should review IBM Fix Central to determine if any Interim Fixes are available. To view Interim Fixes for older software patches, expand the Show superseded fixes option to view all available Interim Fixes. To look for Interim Fixes and review the release notes, see Interim Fix.
8
QRadar 7.2.0 (7.2.0.636622) or aboveQRadar 7.2.4 (Latest Patch Available)


Note: You must update to QRadar 7.2.4 (any patch level) before you can upgrade directly to QRadar 7.2.5.
Fix packAbout: If your system is already at QRadar 7.2.x (any version), then the administrator can apply a fix pack to update their system to 7.2.4. We always recommend administrators install the latest patch version available as it has the most recent code and fixes available.

Release Notes: The release notes for the latest fix pack are listed below the software download on IBM Fix Central.

Before you begin: Fix packs are capable of updating the entire deployment to the latest software version with the patch all option. You must update all appliances in the deployment to the same software version to avoid issues and ensure they communicate properly. The QRadar 7.2.4 Upgrade Guide includes suggested memory updates that Administrators might want to consider before they begin their upgrade. The suggested memory was added to ensure performance expected by QRadar users is maintained with the scope of new features made available in the product.


What to do next: If you want to upgrade from QRadar 7.2.4 (latest) to QRadar 7.2.5, then you can proceed to row #9 to upgrade your deployment to the next software version.

If you are going to stop updating at this QRadar version, the administrator should review IBM Fix Central to determine if any Interim Fixes are available. To view Interim Fixes for older software patches, expand the Show superseded fixes option to view all available Interim Fixes. To look for Interim Fixes and review the release notes, see Interim Fix.
9
QRadar 7.2.4 (any patch level)QRadar 7.2.5 (Any Patch Level)

QRadar 7.2.6 (Latest)

OR

QRadar 7.2.7 (Latest)

OR

QRadar 7.2.8 (Latest)
QRadar 7.2.5 Patch 6:
QRadar 7.2.6:
QRadar 7.2.7

QRadar 7.2.8
About: Administrators who are on QRadar 7.2.4 have to option to update to any of the following versions:
  • QRadar 7.2.5 (Any Patch Level)
  • QRadar 7.2.6 (Any Patch Level)
  • QRadar 7.2.7 (Any Patch Level)
  • QRadar 7.2.8 (Any Patch Level)
Release Notes: The release notes for the latest fix pack are listed below the software download on IBM Fix Central.

Before you begin: Fix packs are capable of updating the entire deployment to the latest software version with the patch all option. You must update all appliances in the deployment to the same software version to avoid issues and ensure they communicate properly. Depending on the version you plan to upgrade to, either: QRadar 7.2.5, QRadar 7.2.6, or QRadar 7.2.7, you should review the proper upgrade guide for that product.

Fixed Issues: Fixed Issues list by QRadar version
QRadar Documentation: All QRadar documentation (all product versions)
Upgrade Guides:



I was affected by APAR IV79451 and see this issue is now resolved. What is the upgrade path from QRadar 7.1 MR2 Patches 10,11, or 12 to QRadar 7.2.6?
Administrators who were affected by the upgrade issue in QRadar 7.1 MR2 (Patch 10, 11, and 12) can now update to the QRadar 7.2 software stream as
APAR IV79451 is resolved. However, a specific installation path is required. To upgrade from QRadar 7.1 MR2 Pach version 10, 11, or 12, the administrator must install software in the following order:

    Procedure
    1. To upgrade from QRadar 7.1 MR2 Patch 10, 11, or 12, the administrator must install QRadar 7.2.4 Patch 6.
      After the upgrade to QRadar 7.2.4 Patch 6, the administrator can continue to upgrade or stay at the existing version.
    2. To upgrade from QRadar 7.2.4 Patch 6, the administrator must install QRadar 7.2.6 Patch 3 or later. Installations of earlier versions of QRadar 7.2.5 or QRadar 7.2.6 Patch 2 and lower are not allowed.



Is there a master list of software release notes I can view?
Yes, the QRadar Customer Forum contains an update list of release notes for all QRadar versions. For more information, see https://ibm.biz/qradarsoftware.



How do I determine my QRadar software version?
The following guides outline the upgrade process. Fix pack release notes are posted next to the SFS file when the software is downloaded.

    Procedure
    1. Log in to the QRadar Console.
    2. From the navigation menu, select Help > About.
    3. The software version is displayed in the Help window.
    4. For the full software version number, click Additional Release Information.


How much space is required to install a fix pack?
Some administrators might have deployments with managed hosts that have limited disk space. As a general rule of thumb, a system should have enough space equivalent to twice the size of the fix pack in the root directory. If the system does not have enough disk space to install the fix pack, the appliance is bypassed and a summary details which managed hosts were installed successfully and which were unsuccessful.


How much memory is required to update my software?
The QRadar Upgrade Guides cover the memory requirements. The requirements are based off of the the appliance type that you are attempting to upgrade. Administrators who intend to update their deployment should review the memory requirements before they start an upgrade. This ensures that they do not experience performance issues in their deployment when a system does not have enough available resources.

Important: As of QRadar 7.2 MR1 Patch 2 and above, installations verify and enforce the minimum memory requirements during the installation pretest as defined in the QRadar 7.2 MR1 Upgrade Guide. If the hardware does not include enough memory to pass the pretest check, then the installation is halted and a message is displayed for the administrator that more memory is required.


What if my installation is on a VM and not a physical appliance?
If your appliance is on a VM, then the same installation rules apply to the VM as physical appliances. Each appliance should match the specifications of the hardware that we ship with physical appliances. For more information on hardware specifications for your appliance, see your IBM sales representative.


What is the difference between an ISO, fix pack, and interim fix?
  • ISOs: The use of the .ISO files is dependant on your software version. Due to improvements in how we update software, ISOs for QRadar 7.2 and above are only used to complete new appliance installations. In QRadar software versions 7.0 and 7.1, administrators can use ISO files to upgrade an appliance to a new software version.

    ISO files can be used to install any QRadar product or appliance type. For example, the same ISO file can be used to install QRadar, QRadar Risk Manager, QRadar Vulnerability Manager, or any other appliance type. The activation key typed in during the install defines how the appliance is installed and what features are activated. In older versions of the product (QRadar 6.3.1, QRadar 7.0, and QRadar 7.1) ISO files could be used for product updates. In QRadar 7.2 and above, ISO files can only be used to complete fresh appliance installs.
     
  • Fix Packs: The fix pack files (.SFS) used to update QRadar 7.1MR2 and above to the latest software version. Fix packs are a collection of fixes and can also contain new features when upgrading QRadar products. Fix packs contain cumulative fixes, so when you install the latest fix pack, you get all of the fixes provided in the prior fix packs. This allows administrators to be at QRadar 7.2 Patch 1 and upgrade to Patch 3, without having to install Patch 2.
     
  • Interim Fixes: These files (.SFS) are smaller in size and used to address specific issues for the latest version of QRadar. The interim fixes are only released for the latest software streams.

    For example, QRadar 7.2 (latest) or QRadar 7.1 (latest). Administrators only need to install the latest interim fix as the update provides cumulative updates. If an administrator installs IF02, they get the fixes for IF02 and all of the fixes that were provided in interim fix 01 (IF01). This is the reason why the fixed issues release notes includes a column of fixed for IF01 and IF02. 


What does the Patch "All" option do when I install a fix pack?
The "all" option is an automated method for installing the fix pack throughout your deployment. The all option starts with the Console and continues through the deployment completing the installation on each managed host in the correct order to complete the software update for all QRadar appliances. This can take an extended amount of time in large deployments as installations are not completed simultaneously, but in order by appliance type (1. Console -> 2. Managed hosts). The all option uses deployment.xml to locate each appliance, copy the software, and run the installation, which means that any appliances that are not added to the deployment would be bypassed.

At the end of the installation process, a summary displays a list of hosts in the deployment and a status on the success or failure of the fix pack installation.

Upgrade time windows. Patch all versus one-at-a-time updates.
The QRadar Customer Forum has some good information on this topic, which might help some users. For more information, see https://ibm.biz/BdR6Pb.
  • Typical upgrade time for Console appliances is: 45 to 60 minutes
  • Typical upgrade time for Event Collectors, Event Processors, Flow Processors, Data Nodes: 30 to 45 minutes


My QFlow Collector had an issue during upgrade. What do I do?
QFlow Collectors(12xx) do not store data locally and only collect and forward to a QRadar Flow Processor (17xx or 18xx) appliance. Administrators can flatten and reinstall QFlow Collectors (12xx) appliances without having to worry about data loss. If an issue occurs during the installation of a 12xx appliance, administrators should restart the install process.


I have other questions. Where do I find more information?
If you experience issues during an upgrade or have additional questions, you can see the QRadar forum or contact customer support:

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Upgrade","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.0;7.2","Edition":"All Editions"},{"Product":{"code":"SSBQNH","label":"IBM QRadar Log Manager"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSBRL3","label":"IBM Security QRadar Network Anomaly Detection"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSBQQU","label":"IBM QRadar Risk Manager"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSHLPS","label":"IBM QRadar Vulnerability Manager"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

Document Information

Modified date:
30 August 2019

UID

swg21651118