Critical System Protection

Hi,

We're planing to upgrade our SCSP from 5.2 to 5.2.4 that its the version that acording with our correlation engine info will work along.

We have read the info about how we should do this migration but i have a question about agents already installed; it will be needed to reinstall those agents or they should still working with the new console/server version w/o problems?

Another question is if it will be a problem with licensing or something like that?.

Hope you can help me

Thanks in advance.

You might want to take a look at the Release Notes for 5.2.4, there is information regarding installation changes, start at page 8

http://www.symantec.com/business/support/index?page=content&id=DOC3256&actp=search&viewlocale=en_US&searchid=1300906982931

If you are upgrading existing clients, then there should be no issues with licensing.

If at all possible I would also recommend upgrading to the newest release, 5.2 RU7 for expanded plarform support, new policy upgrades, and several other features that were added and bug fixes.

Always with CSP the installation/migration plan is the management server first, then console, then agents. Agents in the 5.x family are fully downgrade compatible with newer management versions (although as assumed some of the new features of the new policies will not work on the older agents). Installing newer agents with an older management server can run into problem as agent communication/features/ways in which it "tells" the management server certain things change with over time.

Dependent on what correlation engine you are running you may be forced to use 5.2.4 however. I know Arcsight (and course SSIM) support the 5.2.x family.

Thanks a lot for your help =).

We're using RSA enVision as our correlator and on their last documents only mention that its works with 5.2.4 but i think that it could be a good idea to open a case with them to see if it can work with the newest release of SCSP.

Then again, thanks for your help.

Thanks a lot for your help =).

We're using RSA enVision as our correlator and on their last documents only mention that its works with 5.2.4 but i think that it could be a good idea to open a case with them to see if it can work with the newest release of SCSP.

Then again, thanks for your help.

SIEM collectors are *most likely* going to be going after the CSPEvent table, so you should be fine migrating all the way up to the latest version (currently 5.2.7).

Even though other elements within the CSP db have changed over the versions, the column structure of the CSPEvent table is the same (thank you flex fields!), so the SIEM collectors don't see a change.

I have several customers that have migrated from various versions of 5.2 up to 5.2.6 without issues...their SIEMs kept chugging right along and ingesting the data normally.  I even have a single customer that is using both a SSIM collector and and ArcSight collector simultaneously against their CSP databases and their upgrade from 5.2.4 to 5.2.6 (on two independent CSP environments) caused no issues. There was a 24 hour period where the SIEM collectors were pulling data from both a 5.2.4 and a 5.2.6 db.