Upgrade NetWitness Platform

This document provides information about the benefits and process of upgrading NetWitness Platform to 12.3.1.0. Ensure you go through the pre-requisites and pre-upgrade tasks before you upgrade NetWitness Platform. You can upgrade NetWitness Platform using four different options depending upon your Internet connectivity. After upgrading, you should also perform certain post upgrade tasks and post upgrade sanity checks listed in this guide to complete the upgrade process successfully. The instructions in this document apply to both physical and virtual hosts (including AWS, Azure Public Cloud, and Google Cloud Platform) unless stated to the contrary.

Warning: Before upgrading the UEBA host from 12.0 and older versions to 12.3.1.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see Prepare to Upgrade NetWitness Platform. This action is not required if you are upgrading the UEBA host from 12.1 to 12.3.1.0.

Note: NetWitness Platform now supports installing multiple servers of UEBA in your environment. For more information, see Configure Multiple UEBA Servers topic in the NetWitness UEBA Configuration Guide.

Upgrade Paths Supported for 12.3.1.0

The following upgrade paths are supported for NetWitness 12.3.1.0:

NetWitness 12.3.0.0 to 12.3.1.0
NetWitness 12.2.0.1 to 12.3.1.0
NetWitness 12.2.0.0 to 12.3.1.0
NetWitness 12.1.1.0 to 12.3.1.0
NetWitness 12.1.0.1 to 12.3.1.0
NetWitness 12.1.0.0 to 12.3.1.0
NetWitness 12.0.0.0 to 12.3.1.0
NetWitness 11.7.3.0 to 12.3.1.0
NetWitness 11.7.2.0 to 12.3.1.0
NetWitness 11.7.1.2 to 12.3.1.0
NetWitness 11.7.1.1 to 12.3.1.0
NetWitness 11.7.1.0 to 12.3.1.0
NetWitness 11.7.0.2 to 12.3.1.0
NetWitness 11.7.0.1 to 12.3.1.0
NetWitness 11.7.0.0 to 12.3.1.0

Running in Mixed Mode Environment

NetWitness Platform supports mixed mode during upgrade. Mixed mode occurs when some services are upgraded to the latest version and some services are still on the older versions.

For more information, see Running in Mixed Mode in the NetWitness Hosts and Services Getting Started Guide.

Note:
- If it takes a longer duration for upgrading all the hosts in your environment, contact NetWitness support to avoid encountering any issues.
- If you are running Endpoint Log Hybrid in mixed mode, make sure Endpoint Broker is on the same version as one of the Endpoint Servers.
- Mixed mode is not supported for ESA hosts in NetWitness Platform.

Upgrade Considerations for ESA Hosts

IMPORTANT: The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

In 12.1 and later versions, you can only manage the ESA deployments and Data Sources through Centralized Content Management. Go to (CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources. Refer the following figure.
After upgrading to 12.1 and later versions, you can only manage the ESA Rules in the ESA Rules page. Refer the following figure.
After upgrading to the 12.3.1.0 version, all the ESA deployments will be migrated to (CONFIGURE) > Policies page. Each deployment will be converted into a policy and group and will be available to manage only after the upgrade of the Correlation servers to the 12.3.1.x version. Make sure that you plan the upgrade process so that Correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding Correlation servers are upgraded. However, the correlation servers will still continue to process the Alerts and Events.
You must upgrade the ESA hosts immediately after upgrading the Admin Server.

For more information on Centralized Content Management and managing the deployments, see Centralized Content Management Guide for NetWitness.