How to upgrade KATA 3.7.2 > 4.0 > 4.1 > 5.0 > 5.1 [KATA/KEDRE]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

In order to upgrade KATA from 3.7.2 to 4.0 > 4.1 > 5.0 > 5.1 please follow the manual below.

Step-by-step guide

Prior to PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes.

After upgrade Sandboxes and Sensors must be reinstalled, disconnected SCNs – upgrade to 4.0 and 4.1 and then reconnect them to PCN.

NB! Events database is not being transferred if you want to restore backup to new installation (e.g. new physical or virtual server). 

System requirements are the same for 3.7.2 and 4.0/4.1, so if 3.7.2 installation matches the requirements, you can upgrade keeping the same hardware/VM configuration.

For upgrade you don’t need .ktgz archives, only the ISO file.

Upgrade order described here. Information which is kept during upgrade. Contents of backup.

Pre-upgrade recommendations

This recommendation is optional for vanilla 3.7.2, and it's a must for 3.7.2 PF1

Before upgrading KATA 3.7.2 to KATA4, copy and run this script.

Run it as root:

python /var/opt/kaspersky/apt/files/kata4-preupgrade-checker.py

Expected result for vanilla 3.7.2:

In case any issues arise, please contact Kaspersky support, and provide script output as shown on screenshot above and this script log, the script shows log location upon completion: /data/kata4-preupgrade-checker.log

Upgrade order

• Create backup of CN and do the manual backup of /var/opt/kaspersky/apt-preprocessor/preprocessor.conf (from CN and sensors, especially if tuning was made at sensors).
• Mount installation ISO to KATA VM or boot from drive with ISO, if a server is physical.
• Select Install Kaspersky Anti Targeted Attack Platform.
• Select Disk marked as [upgrade] and press Enter.

• Select Upgrade and press Enter

• Select Upgrade again and press Enter

• Wait for the completion and check at WEB UI, that there are no errors / issues / etc.

  
  Storage migration is a lengthy procedure and may take many hours, depending on the installation. No visual indication of progress is provided, but it's not frozen.

• Perform a backup of 4.0
• The upgrade procedure from 4.0 up to 4.1 is pretty much the same, you have to map ISO and boot from it, select disk marked as [upgrade], proceed, make a backup of 4.1

Upgrade procedure from 4.1 to 5.0 is described here.

Before updating the product from version 4.1 to version 5.0, check which boot mode is used on the server (BIOS or UEFI). If UEFI is used, the update will fail. To avoid this, you need to update from a special KATA 5.0 image which can be provided by Kaspersky Support.

Before upgrade DISABLE NTP on 4.1

Information which is kept during upgrade.

     1) You can obtain file upgrade_preparation-1.0-py3-none-any.whl in kata-cn-5.0.0-5201-inst.x86_64_en-ru.iso, just mount it in Windows, go to support folder, copy this file and put it to /tmp  via WinSCP to your KATA 4.1.

    2) Proceed with steps described in Online help

• After mounting ISO and running from it you will be prompted to say y + ENTER to upgrade

• Then press ENTER, read EULA and select "I accept"

• Then you have two options: leave cluster and bridge/overlay subnets by default (just by pressing ENTER in windows below) or you can change them as you want (especially if these subnets crossover with your infrastructure subnets)

• Upgrade procedure can take a while, after that you'll be prompted to choose management interface, enter it's details again

• Enter password for admin

• Configure DNS servers and press ENTER

• Enable SPAN capturing by typing y or skip this step as n and press ENTER (you can do it later after upgrade).

• Don't forget to read this article, kindly pay attention to section "Special considerations for upgrading Kaspersky Anti Targeted Attack Platform from version 4.1 to version 5.0"
• After upgrade you have to perform initial configuration of KATA via web interface using admin (with Local administrator checkbox) credentials being set up during upgrade, please refer to https://support.kaspersky.com/KATA/5.0/en-US/242580.htm and https://support.kaspersky.com/KATA/5.0/en-US/240726.htm

Once the configuration is completed, it's possible to log in to Web UI as regular local admin: use Administrator/Administrator login and password, "Local administrator" checkbox must be enabled, too. Change the password for Administrator user and proceed with adding license, creating users etc.

Upgrade procedure from 5.0 to 5.1 is described here.

Step-by-step guide of upgrade is here.

Information kept during upgrade is here.

• According to KB you have to upload upgrade.tar.gz to /data/upgrade

• But first, you have to create this directory and set permissions to it to be able to upload upgrade package via WinSCP (in this example we use chmod 777 as an ultimate set of rights, you can use another set) 

  mkdir /data/upgrade chmod 777 /data/upgrade

• After that upload upgrade.tar.gz to /data/upgrade via WinSCP and unarchive it

  cd /data/upgrade tar xvf upgrade.tar.gz

• Give executive permissions to script install_kata_upgrade.sh and install pre-upgrade package

• Execute as root

  chmod +x /data/upgrade/install_kata_upgrade.sh sh install_kata_upgrade.sh

  You'll see this 

• And finally run upgrade (use admin user credentials which you use for ssh)

  kata-upgrade --data-dir /data/upgrade --user admin --password 'passw@rd'

• In a while you should receive message about successful upgrade  .