Upgrade Guide

Before You Begin

Before Executing Upgrade Steps

1. Expect a brief service disruption (less than 10 minutes).
2. Take a VM-level snapshot before upgrading to allow rollback if needed.

New Validations

Expect warnings after the upgrade. This is normal and helps identify conditions that need attention for failover readiness. If you see alarms, it’s a good sign—the issues can be addressed.

1. SyncIQ Domain Mark for Fast Fail Back
   This checks both clusters to confirm the SyncIQ domain mark is set. A warning will appear if it’s missing.

   note

   If you skipped the sudo update, this will trigger a warning.

2. SPN Delegation for Access Zone and IP Pool Failover
   Confirms AD Delegation was set for cluster AD objects on both clusters. If delegation is incomplete, it will specify which permission is missing.

3. DNS Dual Delegation
   Ensures automatic DNS resolution is set up before failover. It checks if DNS is configured correctly, with A records pointing to the correct subnet service IPs.

   note

   If using Infoblox, disable this validation. It only supports standard Name server delegations, not DNS forwarding.

Upgrade to a New Appliance

Follow the steps in the next sections to complete the backup and restore process to a new appliance.

Upgrade Path from Old Appliance Versions to OpenSUSE 15.x OS with the Latest Release - Backup/Restore Method

All appliance versions prior to the latest use OpenSUSE OS versions that no longer receive security patches (13.1, 13.2, 42.1, 42.3, 15.1). Use this upgrade option to update to the latest Eyeglass release and the latest OpenSUSE 15.x OS, which includes automatic security patch updates.

info

If you are using an older version appliance backup file, some settings might not be retained depending on the backup file release version. The table below outlines settings that are migrated.

1. Follow the steps to download the new OVF here.

2. Deploy the new Eyeglass VM using the install guide as a reference.

   info

   The new appliance IP address can be different from the old appliance IP.

3. Review the table of migrated settings below.

   Configuration Item	Supported
   Restoring local credentials for clusters	Yes
   Restoring license keys	Yes
   Adjusting license keys to the latest format	Yes
   Job schedules	Yes
   Job initial state setting (enabled, disabled)	No
   Custom settings with igls adv command	Yes
   Restore Notification Center settings	Yes
   Post-restore edit notification settings	Yes
   Restoring failover log history	Yes
   Restoring custom RBAC roles	Yes
   Restoring API tokens	Yes
   Restoring Data Security security guard logs	Yes
   Restoring cluster configuration reports	Yes
   Restoring current job state	Yes
   Alarm history	No
   Old backup archives	No
   Cluster storage monitor data	No
   RPO generated reports	No
   RPO report data	No
   Failover scripts	Yes
   Data Security history	No
   Data Security ignored list settings	No
   Data Security statistics	No
   Data Security settings	No
   Security Guard configuration	No

   info

   The schedule is restored, but other settings need to be re-added manually using the user service account and password.

4. After you deploy the new appliance and can log in to the webUI and SSH, continue with the steps below.

Review Historical Eyeglass Data & Settings that are Not Restored before continuing

All existing Eyeglass databases are removed; no backup is made.

warning

This action deletes databases. The system rediscovers them on startup. Do not use this method if you need to keep historical events from Cluster Storage Monitor or Data Security, or RPO Report data. If this applies to you, contact support.

Information to Record Before Upgrading

1. Take a Screenshot of the Eyeglass Jobs Window

   Take a screenshot of the Eyeglass Jobs window before upgrading. This serves as a reference to verify job states and types, such as auto type or DFS type.

2. Take a Screenshot of IP Pool Failover Policy Mappings (If IP Pool Mode Is Configured)

   If IP pool mode is configured, take a screenshot of the IP pool failover policy to pool mappings.

3. Take Screenshots of Data Security Settings (If Using Data Security)

   Take screenshots of the following Data Security settings:

   • Flag as False Positive or Learned Thresholds
   • Ignored List
   • All Threshold Window Settings
   • Allowed Files or File Filters
   • Monitor Only Settings

4. Take a Screenshot of Easy Auditor Settings (If Using Easy Auditor)

   Take a screenshot of the following Easy Auditor setting:

   • Active Auditor Triggers Configured

Automated Appliance Configuration Import

1. Requirements

   • You must be running the new OVA appliance version 2.5.7.1 or later. Check the About icon for the version.

     warning

     Do not use this command if you are not running the correct version. Use Step 3 below if running a version earlier than 2.5.7.1.

   • Ensure SSH access from the new appliance to the old appliance.

   • Deploy the new appliance on a new IP address.

   • Version-Specific Instructions:

     • For Version 2.5.7.1:

       • You must update the ECA to point to the new Eyeglass IP address.

     • For Version 2.5.8:

       • This release automatically updates the ECA configuration, including the Eyeglass IP address and API token, and pushes the changes to all ECA nodes.
   note

   This option will not migrate custom threat file settings on the ECA. Modifying these settings is uncommon and does not apply to most deployments.

2. On the New Appliance: Log In as Admin

   Run the import command:

   igls app pull-config --ip=<ip> --user=<user>
   note

   This command can take up to 10 minutes to run.

   • <ip>: Address of the old Eyeglass appliance.
   • --user: admin.
   • You will be prompted for the password.

3. The command automates the following steps:

   • Create a backup.
   • Copy the backup to the new appliance.
   • Apply the backup to the new appliance.
   • Update the ECA configuration to use the new Eyeglass IP address.
   note

   After this command completes, you need to restart the ECA cluster to update the firewall configuration.

   1. Log in to ECA node 1 and run:

      ecactl cluster down
      ecactl cluster up

   2. Shut down the OS on the source appliance.

   3. Done.

Restore Zip File (Old Appliance) and Restore to New Appliance Procedures

1. Take a Restore Backup

   Take an Eyeglass Restore backup from your old Eyeglass appliance.

2. Copy the Restore Backup to the New Appliance

   Download the Restore backup to your local machine. Then, using winscp, copy the zip file backup to the newly deployed Eyeglass appliance. Place it in the /tmp folder.

3. Use the Restore Backup Button

   

   Ensure you use the Restore Backup button instead of the support backup. The Restore backup includes SSL private keys, whereas the support backup does not. This applies to releases greater than 2.5.3.

   note

   In the Eyeglass interface, navigate to the "Backup Archives" section and select the "Restore Backup" button to perform this action.

4. Power Off the Old Eyeglass Appliance

   Power off the old Eyeglass appliance. It is not supported to have multiple Eyeglass appliances managing the same clusters.

5. SSH into the New Eyeglass Appliance

   SSH into the new Eyeglass appliance and log in as admin (default password is 3y3gl4ss).

6. Execute the Restore Command

   From the command line, run the following command:

   • igls app restore /tmp/eyeglass_backup.xxxx.zip --anyrelease

   • Replace /tmp/eyeglass_backup.xxxx.zip with the full path and name of your Eyeglass archive file.

   • When prompted, enter "y" to continue.

   • Example:

     igls app restore /tmp/eyeglass_backup_17_07_05_20-42-08.zip --anyrelease

     After running the command:

     Do you want to revert to the archive at /tmp/eyeglass_backup_17_07_05_20-42-08.zip? [y/N]: y

7. Complete the Restore Process

   Once the restore is complete, proceed to the next steps.

8. Restore Custom Data Security/Easy Auditor Settings (If Applicable)

   For a 2.5.6 to 2.5.7 anyrelease restore, where Data Security or Easy Auditor products are used, follow these additional steps:

   1. Copy ThreatLevels.json to the New Appliance

      If the file /opt/superna/eca/conf/common/overrides/ThreatLevels.json exists on your ECA node 1, copy it to the new Eyeglass appliance into the /opt/superna/sca/data directory. Apply the same owner and permissions as other files in that folder:

      • Switch to the root user:

        sudo su root

      • Copy the ThreatLevels.json file into the /opt/superna/sca/data directory.

      • Set the correct permissions:

        chmod 644 /opt/superna/sca/data/ThreatLevels.json
        chown sca:users /opt/superna/sca/data/ThreatLevels.json

   2. Delete RSWSettings.json on the New Appliance

      On the new Eyeglass appliance, if the file /opt/superna/sca/data/rwfdefender/RSWSettings.json exists, delete it:

      rm /opt/superna/sca/data/rwfdefender/RSWSettings.json

   3. Run the 2.5.7 Upgrade Installer

      Download the matching 2.5.7 run file for the Eyeglass upgrade. Run it to restore custom Data Security settings. See instructions here for In-Place Upgrade.

9. Check Post-Upgrade Steps

Functions Impacted During Upgrade

Post-Upgrade Steps

Automatic Updates for Recommended Packages