Upgrade Guide
Before You Begin
Before Executing Upgrade Steps
- Expect a brief service disruption (less than 10 minutes).
- Take a VM-level snapshot before upgrading to allow rollback if needed.
New Validations
Expect warnings after the upgrade. This is normal and helps identify conditions that need attention for failover readiness. If you see alarms, it’s a good sign—the issues can be addressed.
- SyncIQ Domain Mark for Fast Fail Back
  This checks both clusters to confirm the SyncIQ domain mark is set. A warning will appear if it’s missing.
  Note: If you skipped the sudo update, this will trigger a warning.
- SPN Delegation for Access Zone and IP Pool Failover
  Confirms AD Delegation was set for cluster AD objects on both clusters. If delegation is incomplete, it will specify which permission is missing.
- DNS Dual Delegation
  Ensures automatic DNS resolution is set up before failover. It checks if DNS is configured correctly, with A records pointing to the correct subnet service IPs.
  Note: If using Infoblox, disable this validation. It only supports standard Name server delegations, not DNS forwarding.
Upgrade to a New Appliance
Follow the steps in the next sections to complete the backup and restore process to a new appliance.
Upgrade Path from Old Appliance Versions to OpenSUSE 15.x OS with the Latest Release - Backup/Restore Method
All appliance versions prior to the latest use OpenSUSE OS versions that no longer receive security patches (13.1, 13.2, 42.1, 42.3, 15.1). Use this upgrade option to update to the latest Eyeglass release and the latest OpenSUSE 15.x OS, which includes automatic security patch updates.
If you are using an older version appliance backup file, some settings might not be retained depending on the backup file release version. The table below outlines settings that are migrated.
- Follow the steps to download the new OVF here.
- Deploy the new Eyeglass VM using the install guide as a reference.
  Info: The new appliance IP address can be different from the old appliance IP.
- Review the table of migrated settings below.

  | Configuration Item | Supported |
  | --- | --- |
  | Restoring local credentials for clusters | Yes |
  | Restoring license keys | Yes |
  | Adjusting license keys to the latest format | Yes |
  | Job schedules | Yes |
  | Job initial state setting (enabled, disabled) | No |
  | Custom settings with igls adv command | Yes |
  | Restore Notification Center settings | Yes |
  | Post-restore edit notification settings | Yes |
  | Restoring failover log history | Yes |
  | Restoring custom RBAC roles | Yes |
  | Restoring API tokens | Yes |
  | Restoring Ransomware Defender security guard logs | Yes |
  | Restoring cluster configuration reports | Yes |
  | Restoring current job state | Yes |
  | Alarm history | No |
  | Old backup archives | No |
  | Cluster storage monitor data | No |
  | RPO generated reports | No |
  | RPO report data | No |
  | Failover scripts | Yes |
  | Ransomware Defender history | No |
  | Ransomware Defender ignored list settings | No |
  | Ransomware Defender statistics | No |
  | Ransomware Defender settings | No |
  | Security Guard configuration | No |

  Info: The schedule is restored, but other settings need to be re-added manually using the user service account and password.
- After you deploy the new appliance and can log in to the webUI and SSH, continue with the steps below.
Review Historical Eyeglass Data & Settings that are Not Restored before continuing
All existing Eyeglass databases are removed; no backup is made.
This action deletes databases. The system rediscovers them on startup. Do not use this method if you need to keep historical events from Cluster Storage Monitor or Ransomware Defender, or RPO Report data. If this applies to you, contact support.
Information to Record Before Upgrading
- Take a Screenshot of the Eyeglass Jobs Window
  Take a screenshot of the Eyeglass Jobs window before upgrading. This serves as a reference to verify job states and types, such as auto type or DFS type.
- Take a Screenshot of IP Pool Failover Policy Mappings (If IP Pool Mode Is Configured)
  If IP pool mode is configured, take a screenshot of the IP pool failover policy to pool mappings.
- Take Screenshots of Ransomware Defender Settings (If Using Ransomware Defender)
  Take screenshots of the following Ransomware Defender settings:
  - Learned Thresholds (or Flag as False Positive)
  - Ignored List
  - Monitor Only Settings
  - Threshold
  - File Filters (or Allowed Files)
  - Snapshots
- Take a Screenshot of Easy Auditor Settings (If Using Easy Auditor)
  Take a screenshot of the following Easy Auditor setting:
  - Active Auditor Triggers Configured
Automated Appliance Configuration Import
- Requirements
  - You must be running the new OVA appliance version 2.5.7.1 or later. Check the About icon for the version.
    Warning: Do not use this command if you are not running the correct version. Use Step 3 below if running a version earlier than 2.5.7.1.
  - Ensure SSH access from the new appliance to the old appliance.
  - Deploy the new appliance on a new IP address.
  - Version-Specific Instructions:
    - For Version 2.5.7.1:
      - You must update the ECA to point to the new Eyeglass IP address.
    - For Version 2.5.8:
      - This release automatically updates the ECA configuration, including the Eyeglass IP address and API token, and pushes the changes to all ECA nodes.
  - Note: This option will not migrate custom threat file settings on the ECA. Modifying these settings is uncommon and does not apply to most deployments.
- On the New Appliance: Log In as Admin
  Run the import command:
    igls app pull-config --ip=<ip> --user=<user>
  Note: This command can take up to 10 minutes to run.
  - <ip>: Address of the old Eyeglass appliance.
  - --user: admin.
  - You will be prompted for the password.
- The command automates the following steps:
  - Create a backup.
  - Copy the backup to the new appliance.
  - Apply the backup to the new appliance.
  - Update the ECA configuration to use the new Eyeglass IP address.
  Note: After this command completes, you need to restart the ECA cluster to update the firewall configuration.
- Log in to ECA node 1 and run:
    ecactl cluster down
    ecactl cluster up
- Shut down the OS on the source appliance.
- Done.
Restore Zip File (Old Appliance) and Restore to New Appliance Procedures
- Take a Restore Backup
  Take an Eyeglass Restore backup from your old Eyeglass appliance.
- Copy the Restore Backup to the New Appliance
  Download the Restore backup to your local machine. Then, using winscp, copy the zip file backup to the newly deployed Eyeglass appliance. Place it in the /tmp folder.
- Use the Restore Backup Button
  Ensure you use the Restore Backup button instead of the support backup. The Restore backup includes SSL private keys, whereas the support backup does not. This applies to releases greater than 2.5.3.
  Note: In the Eyeglass interface, navigate to the "Backup Archives" section and select the "Restore Backup" button to perform this action.
- Power Off the Old Eyeglass Appliance
  Power off the old Eyeglass appliance. It is not supported to have multiple Eyeglass appliances managing the same clusters.
- SSH into the New Eyeglass Appliance
  SSH into the new Eyeglass appliance and log in as admin (default password is 3y3gl4ss).
- Execute the Restore Command
  From the command line, run the following command:
    igls app restore /tmp/eyeglass_backup.xxxx.zip --anyrelease
  - Replace /tmp/eyeglass_backup.xxxx.zip with the full path and name of your Eyeglass archive file.
  - When prompted, enter "y" to continue.
  - Example:
      igls app restore /tmp/eyeglass_backup_17_07_05_20-42-08.zip --anyrelease
    After running the command:
      Do you want to revert to the archive at /tmp/eyeglass_backup_17_07_05_20-42-08.zip? [y/N]: y
- Complete the Restore Process
  Once the restore is complete, proceed to the next steps.
- Restore Custom Ransomware Defender/Easy Auditor Settings (If Applicable)
  For a 2.5.6 to 2.5.7 anyrelease restore, where Ransomware Defender or Easy Auditor products are used, follow these additional steps:
  - Copy ThreatLevels.json to the New Appliance
    If the file /opt/superna/eca/conf/common/overrides/ThreatLevels.json exists on your ECA node 1, copy it to the new Eyeglass appliance into the /opt/superna/sca/data directory. Apply the same owner and permissions as other files in that folder:
    - Switch to the root user:
        sudo su root
    - Copy the ThreatLevels.json file into the /opt/superna/sca/data directory.
    - Set the correct permissions:
        chmod 644 /opt/superna/sca/data/ThreatLevels.json
        chown sca:users /opt/superna/sca/data/ThreatLevels.json
  - Delete RSWSettings.json on the New Appliance
    On the new Eyeglass appliance, if the file /opt/superna/sca/data/rwfdefender/RSWSettings.json exists, delete it:
      rm /opt/superna/sca/data/rwfdefender/RSWSettings.json
  - Run the 2.5.7 Upgrade Installer
    Download the matching 2.5.7 run file for the Eyeglass upgrade. Run it to restore custom Ransomware Defender settings. See instructions here for In-Place Upgrade.
- Check Post-Upgrade Steps
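
The manual restore steps above copy an archive that includes SSL private keys into /tmp and then pass it to igls app restore. The shell function below is an added example, not part of the original guide or the vendor's tooling, that checks the copied archive first; the function name, the recorded SHA-256 argument and the owner-only file mode are assumptions.

```sh
#!/bin/sh
# Added example: pre-restore checks for an Eyeglass Restore backup in /tmp.
# Assumption: the SHA-256 was recorded where the archive was downloaded
# (for example with sha256sum or Get-FileHash) before it was copied.

# verify_backup_archive PATH EXPECTED_SHA256
# Returns 0 when the archive passes every check, otherwise:
# 2 = not a regular file, 3 = not a zip, 4 = hash mismatch, 5 = chmod failed.
verify_backup_archive() {
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # /tmp is shared: refuse symlinks and anything that is not a plain file.
    if [ -L "$archive" ] || [ ! -f "$archive" ]; then
        echo "refusing: $archive is not a regular file" >&2
        return 2
    fi

    # The archive carries SSL private keys, so limit it to its owner.
    # Assumption: the restore runs as that same user (or as root).
    chmod 600 "$archive" || return 5

    # A non-empty zip normally starts with the signature "PK\003\004".
    magic=$(head -c 4 "$archive" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "504b0304" ]; then
        echo "refusing: $archive is not a zip archive" >&2
        return 3
    fi

    # Compare with the hash taken before the copy to catch a truncated
    # or altered transfer.
    actual=$(sha256sum "$archive" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing: SHA-256 mismatch for $archive" >&2
        return 4
    fi
    return 0
}

# Usage on the new appliance (the hash is a placeholder):
#   verify_backup_archive /tmp/eyeglass_backup.xxxx.zip <sha256-from-source> \
#     && igls app restore /tmp/eyeglass_backup.xxxx.zip --anyrelease
#   rm -f /tmp/eyeglass_backup.xxxx.zip   # after the restore has completed
```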
Functions Impacted During Upgrade
- You will encounter errors with configuration sync during the upgrade; you can ignore them until the cluster upgrade is complete.
- You cannot execute Runbook Robot without errors.
- Data Security and Easy Auditor cannot collect events during the upgrade.
- You cannot execute a planned failover during the upgrade.
- The DR Readiness Dashboard is not accurate.
- Reports will not execute correctly.
Post-Upgrade Steps
Validate Service Account Permissions, Eyeglass Job Status, Pool Mappings, Licenses, and Cluster Inventory
Mandatory Step: Check the minimum permissions in the sudo section of the documentation for your release. Incorrect permissions will generate errors. Use the guide to review sudo permissions.
For more information on required sudo permissions, see Service Account Minimum Privileges.
Follow These Steps:
- Log In to the New Eyeglass Appliance:
  - Access the Eyeglass appliance using your credentials.
- Verify Job Modes:
  - Open the Jobs window.
  - Ensure all job modes are set correctly and appear in either the Config Sync or DFS section.
  - If Jobs Are in the Wrong Mode:
    - Use the Bulk Actions menu to set the modes correctly.
    Info: For more information on switching job modes, see the Eyeglass Jobs documentation.
- Verify SyncIQ Pool Mappings (If IP Pool Failover Mode Is Configured):
  - Open the DR Dashboard. You will see a menu on the left with items like Zone Readiness, Pool Readiness, DFS Readiness, Policy Readiness, and LiveOps DR Testing.
  - Look for the Network Mapping (or View Map) link on the right; this opens the “mapping screen,” where you can see SyncIQ Pool Mappings.
  - Compare these mappings to your earlier screenshot or notes to ensure each IP pool is correctly mapped to the desired failover policy.
- Check Licenses:
  - Open the License Management icon.
  - Verify that all licenses are visible.
- Check Cluster Inventory:
  - Open the Inventory View icon.
  - Ensure that all clusters are displayed.
- Verify Notification Center Settings:
  - Navigate to Eyeglass Main Menu -> Notification Center.
  - Confirm that the Alarm Severity Filter is correctly set.
  - Verify that the Email Recipients are correctly set with the appropriate Email Type.
Validate License Assignment for Ransomware Defender, Easy Auditor, and Performance Auditor
This step is mandatory to ensure licenses are assigned to the correct clusters. This release no longer supports auto-assigned license mode for clusters.
Follow These Steps:
- Log In to Eyeglass:
  - Access your Eyeglass account using your credentials.
- Open License Management:
  - Select the Licensed Devices tab to view all clusters.
- Set Unlicensed Clusters:
  - For each cluster that should not be licensed:
    - Use the drop-down menu to set its status to Unlicensed.
- Assign User Licenses to Clusters:
  - For each cluster that should be licensed:
    - Set its status to User Licensed for the appropriate product(s), such as Ransomware Defender or Easy Auditor.
    - Example: Assign production writable clusters to User Licensed status for Ransomware Defender or Easy Auditor.
- Submit Changes:
  - Click the Submit button to save your settings.
Validate Ransomware Defender and Easy Auditor settings
Ensure that your Ransomware Defender and Easy Auditor settings are preserved after the upgrade by following these steps.
If You Use Ransomware Defender:
- Verify Learned Thresholds (Or Flag as False Positive)
  - For version 2.5.6 or lower, check that your Flag as False Positive settings are intact.
  - For version 2.5.7 or higher, confirm that your Learned Thresholds settings are unchanged.
- Check the Ignored List
  - Make sure your Ignored List still contains your previous entries.
- Confirm Monitor Only Settings (Version 2.5.7 and Higher)
  - If you use version 2.5.7 or higher, confirm that your Monitor Only settings are active.
- Review Threshold
  - Check that all settings within the Threshold match your previous configuration.
- Confirm File Filters (Or Allowed Files)
  - For version 2.5.6 or lower, ensure your Allowed Files settings are still valid.
  - For version 2.5.7 or higher, verify that your File Filters are correctly configured.
- Verify Snapshots
  - Confirm that your Snapshots settings match your prior configuration.
If You Use Easy Auditor:
- Verify Active Auditor Triggers:
  - Ensure that all your configured Active Auditor Triggers are still in place.