Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Upgrading to vCloud Networking and Security 5.1.2a best practices (2044458)

Purpose

This article identifies best practices for upgrading a vShield environment to vCloud Networking and Security 5.1.2a.

Note: This guide contains definitive information. If there is a discrepancy between the guide and this article, assume that the guide is correct. For more information, see the vShield Upgrade and Installation Guide.

Resolution

To upgrade from vCloud Networking and Security 5.1.2 to 5.1.2a, see the Applying the 5.1.2-997359 vShield Manager Patch section of this article.

For a fresh install of vCloud Networking and Security 5.1.2, see the vShield Upgrade and Installation Guide. If upgrading to vCloud Networking and Security 5.1.2, please read the instructions below.

To upgrade vShield, you must first upgrade vShield Manager, then update the other components for which you have a license.

Software requirements

For the latest interoperability information, see the Product Interoperability Matrix.

These are the minimum required versions of VMware products to be installed with vShield 5.1.2:
  • VMware vCenter Server 5.0 or later
    • For VXLAN virtual wires, you require vCenter Server 5.1 or later

  • VMware ESXi/ESX 4.1 or later for each server
    • For VXLAN virtual wires, you require VMware ESXi 5.1 or later

  • VMware Tools
    • For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8 and install VMware Tools 8.6.0, which was released with ESXi 5.0 Patch 3
    • You must install VMware Tools on virtual machines that are to be protected by vShield App
    • VMware vCloud Director 5.1 or later
    • VMware View 4.5 or later

Client and User Access Requirements

vShield 5.1.2 has these client and user access requirements:
  • PC with the vSphere Client installed
  • If you added ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the vShield Manager and name resolution is working. Otherwise, vShield Manager cannot resolve the IP addresses.
  • Permissions to add and power on virtual machines
  • Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore
  • Ensure that you have enabled cookies on your web browser to access the vShield Manager user interface
  • Port 443 must be accessible from the ESXi host, the vCenter Server, and the vShield appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
  • Connection to the vShield Manager user interface using one of these supported web browsers:
    • Internet Explorer 6.x and later
    • Mozilla Firefox 1.x and later
    • Safari 1.x or 2.x

System Requirements

This table outlines system requirements:

ComponentMinimum Requirements
Memory
  • vShield Manager (64-bit): 8 GB
  • vShield App: 1 GB
  • vShield Edge compact: 256 MB, large: 1 GB, x-large: 8 GB
  • vShield Data Security: 512 MB
Disk space
  • vShield Manager: 60 GB
  • vShield App: 5 GB per vShield App per ESXi/ESX host
  • vShield Edge compact and large: 320 MB, x-large: 4.4 GB (with 4 GB swap file)
  • vShield Data Security: 6 GB per ESXi/ESX host
vCPU
  • vShield Manager: 2
  • vShield App: 2
  • vShield Edge compact: 1, large and x-large: 2
  • vShield Data Security: 1

Pre-Upgrade Preparation

To ensure the upgrade process is successful, prior to starting the upgrade process:
  • From the vSphere Client, take a snapshot of the vShield Manager.
  • Free up disk space

    A minimum of 2.5 GB free disk space in the /common partition is required for the upgrade process. Use the vShield maintenance bundle to make disk space available on the vShield Manager appliance. This maintenance bundle stops the vShield Manager process and starts it again after the completion of the file system cleanup activity.

    Note: The existing logs and flow monitoring data on the vShield Manager appliance are deleted as part of this procedure. The tech support log bundle contains the log messages of this procedure.
If you are currently running vShield Manager 5.1.0 (build 807847), you do not need to run this maintenance bundle.

To run the maintenance bundle:
  1. From the vShield Manager CLI (enable mode), run the show filesystems command. You need at least 5% free disk space in the /common partition to install the maintenance bundle. Contact VMware Support if the /common partition usage is more than 95%. For more information, see Filing a Support Request in My VMware (2006985).
  2. From the vShield Manager CLI (enable mode), run the show manager log follow command. Keep this console open while you perform the next steps.
  3. From the VMware Download Center, download the vShield maintenance bundle to a location to which the vShield Manager can browse. The name of the upgrade bundle file is:

    VMware-vShield-Manager-upgrade-bundle-maintenance-5.0-939118.tar.gz

  4. In the vShield Manager Inventory panel, click Settings & Reports.
  5. Click the Updates tab.
  6. Click Upload Upgrade Bundle.
  7. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-maintenance-5.0-939118.tar.gz file.
  8. Click Open.
  9. Click Upload File.
  10. Click Install to begin the upgrade process.
  11. Click Confirm Install.
  12. Go back to the CLI and monitor the show manager log follow output. Look for the maintenance-fs-cleanup: Filesystem cleanup successful message as verification that the maintenance bundle was successfully installed.

    Note: The message maintenance-fs-cleanup: ERROR:Filesystem cleanup FAILED indicates that the maintenance bundle failed to install. If this occurs, contact VMware Support. For more information, see Filing a Support Request in My VMware (2006985).

    The upgrade process restarts the vShield Manager service. You may lose connectivity to the vShield Manager user interface. None of the other vShield components are restarted.

  13. Log in to the vShield Manager web user interface.
  14. Log in to the CLI of the vShield Manager, switch to enable mode, and run the CLI command show filesystems to ensure there is enough free space for the upgrade. A minimum of 2.5 GB free disk space in the /common partition is required for the upgrade process. If you do not have at least 2.5 GB free disk space after running the maintenance bundle, do not continue with the upgrade and contact VMware Support. For more information, see Filing a Support Request in My VMware (2006985).

New virtual hardware requirements for vShield Manager 5.1.2

vShield Manager requires an upgrade to its virtual hardware starting with version 5.1. This virtual hardware upgrade is not automatically performed as part of the vShield upgrade process for vShield Managers running versions 5.0.x or below. Architectural changes for improved scalability, performance, and increased logging and reporting capabilities require that the vShield Manager's virtual hardware is upgraded. Some of these changes include 64-bit support, 2 vCPUs, 8 GB RAM, and a larger virtual disk, along with other virtual hardware properties.

Note: This virtual hardware upgrade only applies to vShield Managers that are being upgraded from versions 5.0.x or below. New installs of vShield Manager version 5.1.2 already ship with this upgraded virtual hardware.

To achieve the hardware upgrade, a backup/restore must be performed. The backup must be done on versions 5.1.0 or 5.1.1, but the restore should be done only on version 5.1.2.

Upgrading vShield Manager

You can upgrade the vShield Manager to a new version only from the vShield Manager web user interface. You can upgrade vShield App and vShield Edge to a new version from the vShield Manager user interface or by using REST APIs.

Prerequisites

Upgrading directly from 4.1.x to 5.1.2 is not supported. If you are using vShield Manager 4.1.x or below (builds 576124, 310451, or 287872), upgrade to any 5.0.x version (builds 473791, 638924, or 791471).

If you are using vShield Endpoint 4.1, uninstall vShield Endpoint before upgrading vShield Manager.

Note: Do not uninstall a deployed instance of the vShield Manager appliance.

Procedure

For vShield Managers running fresh installs of version 5.1.1:
  1. From the VMware Download Center, download the vShield upgrade bundle to a location to which vShield Manager can browse. The name of the upgrade bundle file is:

    VMware-vShield-Manager-upgrade-bundle-5.1.2-943471.tar.gz

  2. From the vShield Manager Inventory panel, click Settings & Reports.
  3. Click the Updates tab.
  4. Click Upload Upgrade Bundle.
  5. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-5.1.2-943471.tar.gz file.
  6. Click Open.
  7. Click Upload File.
  8. Click Install to begin the upgrade process.
  9. Click Confirm Install. The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.
  10. After the reboot, log back in to the vShield Manager and click the Updates tab. The Installed Release panel displays version 5.1.2, which is the version you just installed. Proceed to the Applying the 5.1.2-997359 vShield Manager Patch section.

For vShield Managers running versions 5.0.0 (build 473791), 5.0.1 (build 638924), or 5.0.2 (build 791471):
  1. From the VMware Download Center, download the vShield upgrade bundle to a location to which vShield Manager can browse. The name of the upgrade bundle file is:

    VMware-vShield-Manager-upgrade-bundle-5.1.2-943471.tar.gz

  2. From the vShield Manager Inventory panel, click Settings & Reports.
  3. Click the Updates tab.
  4. Click Upload Upgrade Bundle.
  5. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-5.1.2-943471.tar.gz file.
  6. Click Open.
  7. Click Upload File.
  8. Click Install to begin the upgrade process.
  9. Click Confirm Install. The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.
  10. After the reboot, log back in to the vShield Manager and click the Updates tab. The Installed Release panel displays version 5.1.2, which is the version you just installed.

    Note: If you upgraded from a fresh install of vShield Manager 5.1.0 (build 807847), the next steps to upgrade the virtual hardware are not required; instead, proceed to the Applying the 5.1.2-997359 vShield Manager Patch section.

  11. Create a post-upgrade backup. The backup must be created on version 5.1.2:
    1. From the vShield Manager Inventory panel, click Settings & Reports.
    2. Click the Configuration tab.
    3. Click Backups.
    4. Enter the Host IP Address/Name of the system where the backup will be saved.
    5. Enter the User Name required to log in to the backup system (FTP/SFTP server).
    6. Enter the Password associated with the user name for the backup system.
    7. In the Backup Directory field, type the absolute path where backups will be stored.
    8. Enter a text string in Filename Prefix.

      Note: This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named ppdbHH_MM_SS_DayDDMonYYYY.

    9. From the Transfer Protocol dropdown, select either SFTP or FTP, based on what the destination supports.
    10. Click Save Settings and Backup.
    11. Click View Backups to ensure the backup was created.
    12. Power off the vShield Manager.

  12. From the VMware Download Center, download the 5.1.2 vShield Manager .OVA installation package.
  13. Deploy a new vShield Manager into your vSphere inventory. This new vShield Manager will replace the existing one.
  14. Power on the new vShield Manager and perform the initial setup, giving it the same IP address as the one that is currently powered off.
  15. Configure the vShield Manager Backups page to view the backups currently stored on the FTP/SFTP server.
  16. Identify the vShield Manager backup created earlier and do a Post-Upgrade Restore by clicking Restore.

    Note: The restore must be done on a fresh install of vShield Manager running version 5.1.2. Backups taken on a vShield Manager running version 5.0.x or earlier cannot be used for restore purposes on a 5.1.2 vShield Manager.

  17. Proceed to the Applying the 5.1.2-997359 vShield Manager Patch section.

For vShield Managers running 5.1.0 (build 807847) that were upgraded from versions 5.0.0 (build 473791), 5.0.1 (build 638924), or 5.0.2 (build 791471):

Note: These steps do not apply to fresh installs of version 5.1.0.
  1. Create a snapshot of the vShield Manager. You do not need to install the maintenance bundle to free up disk space as described in the Pre-Upgrade Preparation Steps.
  2. Create a backup of version 5.1.0:
    1. From the vShield Manager Inventory panel, click Settings & Reports.
    2. Click the Configuration tab.
    3. Click Backups.
    4. Enter the Host IP Address/Name of the system where the backup will be saved.
    5. Enter the User Name required to log in to the backup system (FTP/SFTP server).
    6. Enter the Password associated with the user name for the backup system.
    7. In the Backup Directory field, type the absolute path where backups will be stored.
    8. Type a text string in Filename Prefix.

      Note: This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named ppdbHH_MM_SS_DayDDMonYYYY.

    9. From the Transfer Protocol dropdown, select either SFTP or FTP, based on what the destination supports.
    10. Click Save Settings and Backup.
    11. Click View Backups to ensure the backup was created.
    12. Power off the 5.1.0 vShield Manager.

  3. From the VMware Download Center, download the 5.1.2 vShield Manager .OVA installation package.
  4. Deploy a new vShield Manager into your vSphere inventory. This new vShield Manager will replace the existing one.
  5. Power on the new vShield Manager and perform the initial setup, giving it the same IP address as the one that is currently powered off.
  6. Configure the vShield Manager Backups page to view the backups currently stored on the FTP/SFTP server.
  7. Identify the vShield Manager backup created earlier and do a restore by clicking Restore.

    Note: The restore must be done on a fresh install of the vShield Manager running version 5.1.2. Backups taken on a vShield Manager running version 5.0.x or earlier cannot be used for restore purposes on a 5.1.2 vShield Manager.

  8. Proceed to the Applying the 5.1.2-997359 vShield Manager Patch section.

Applying the 5.1.2-997359 vShield Manager Patch

  1. From the VMware Download Center, download the vShield upgrade bundle to a location to which vShield Manager can browse. The name of the upgrade bundle file is:

    VMware-vShield-Manager-upgrade-bundle-maintenance-5.1.2-997359.tar.gz

  2. From the vShield Manager Inventory panel, click Settings & Reports.
  3. Click the Updates tab.
  4. Click Upload Upgrade Bundle.
  5. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-maintenance-5.1.2-997359.tar.gz file.
  6. Click Open.
  7. Click Upload File.
  8. Click Install to begin the upgrade process.
  9. Click Confirm Install. The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.

What to do next

Upgrade the other vShield components managed by vShield Manager.

Upgrading vShield App

Upgrade the vShield App on each host in your datacenter.

To upgrade the vShield App:
  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Click the host on which you want to upgrade vShield App.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available release.
  5. Click Update next to vShield App.
  6. Select the vShield App checkbox.
  7. Click Install.
Note: During the vShield App upgrade, the ESXi host is placed into Maintenance Mode by the system and rebooted. Ensure the virtual machines on the ESXi host are migrated (using DRS or vMotion) or are powered off to allow the host to be placed into Maintenance Mode.

Upgrading vShield Edge

You must upgrade each vShield Edge instance in your datacenter. vShield Edge 5.1.2 is not backward compatible and you cannot use 2.0 REST API calls after the upgrade.

Note: During the vShield Edge upgrade, there will be network disruption for the networks which are being served by the given vShield Edge instance.

To upgrade the vShield App, you must be assigned the Enterprise Administrator role.

If you have vShield Edge 5.0.x, each 5.0.x vShield Edge instance on each portgroup in your datacenter must be upgraded to 5.1.2.
  1. Log in to the vSphere Client.
  2. Click the portgroup on which the vShield Edge is deployed.
  3. Click the vShield Edge tab.
  4. Click Upgrade.
  5. View the upgraded vShield Edge:
    1. Click the datacenter corresponding to the port group on which you upgraded the vShield Edge.
    2. Click the Network Virtualization tab.
    3. Click Edges. vShield Edge is upgraded to the compact size. A system event is generated to indicate the ID for each upgraded vShield Edge instance.
    4. Repeat for all other vShield Edges that must be upgraded.

If you have 5.1.0 vShield Edge instances, upgrade each Edge:
  1. Log in to the vSphere Client.
  2. Click the datacenter for which vShield Edge instances are to be upgraded.
  3. Click the Network Virtualization tab. All existing vShield Edge instances are shown in the listings page. An arrow icon is shown for each vShield Edge that must be updated.
  4. Click an Edge and click Upgrade from Actions to start the upgrade. When the Edge is upgraded, the arrow icon no longer appears.
  5. Repeat for each vShield that must be upgraded.

What to do next

Firewall rules from the previous release are upgraded with some modifications. Inspect each upgraded rule to ensure it works as intended. For information on adding new firewall rules, see the vShield Administration Guide. If your scope in a previous release was limited to a port group which had a vShield Edge installation, the user is automatically granted access to that vShield Edge after the upgrade.

Upgrading vShield Endpoint

The upgrade procedure depends on the product version that you are using.

Upgrading vShield Endpoint from 4.1 to 5.0

To upgrade vShield Endpoint from version 4.1 to 5.0, you must first uninstall vShield Endpoint on each host in your datacenter, upgrade vShield Manager, then install the new release.
  1. If the protected virtual machines are running in a cluster, deactivate DRS.
  2. Deactivate all Trend DSVAs. This is required to remove vShield-related VFILE filter entries from the virtual machines.
  3. If you deactivated DRS in step 1, re-activate it.
  4. Uninstall vShield Endpoint on each host in your datacenter.
  5. Upgrade vCenter Server to the required version.
  6. Upgrade each host to the required ESXi version.
  7. Upgrade vShield Manager.
  8. Install vShield Endpoint.

Upgrading vShield Endpoint from 5.0 to a later version

To upgrade vShield Endpoint from 5.0 to a later version, you must first upgrade vShield Manager, then update vShield Endpoint on each host in your datacenter.
  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Click the host on which you want to upgrade vShield Endpoint.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available version.
  5. Click Update next to vShield Endpoint.
  6. Click vShield Endpoint.
  7. Click Install.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 2 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 2 Ratings
Actions
KB: