If you used legacy URL filtering with Forcepoint NGFW version 6.0 or earlier, you must migrate the
engines to use ThreatSeeker URL filtering when you upgrade the NGFW cluster to version 6.1 or later.
Before you begin
Category-based URL filtering using the
ThreatSeeker Intelligence Cloud service is a separately licensed feature.
You must install a license that supports URL filtering using the
ThreatSeeker Intelligence Cloud service before you
migrate the
NGFW Engine.
Note: We recommend upgrading the cluster during a maintenance break.
The policy that is uploaded to the engine depends on the engine version. For engines running version 6.0 or earlier, only rules that contain legacy URL Situation elements are applied.
For engines running version 6.1 or later, only rules that contain new URL Category elements are applied.
Note: Do not use legacy URL Situation elements and URL Category elements in the same rule. Rules that contain both legacy URL Situation elements and URL Category elements are
ignored.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Create a transition policy that contains both the legacy URL Situation elements and the new URL Category elements.
Tip: If you already have a transition policy that you used to upgrade a single engine to NGFW 6.1 or later, you can use the same transition policy for the cluster.
-
Install the transition policy on the cluster.
Policy validation warnings about the legacy URL Situation elements are expected. You can safely ignore the warnings.
Because the engines have not yet been upgraded to version 6.1 or later, the rules that contain the legacy URL Situation
elements are applied.
-
Upgrade the first node to Forcepoint NGFW version 6.1 or later, then verify that it works
correctly.
-
Upgrade the other nodes to Forcepoint NGFW version 6.1 or later.
-
Install the transition policy again.
Because all nodes are running version 6.1 or later, the rules that contain the new URL Category elements are
applied.