KB Article | Forcepoint Support

Notes & Warnings

This document was developed to answer frequently asked questions regarding hotfixes for Forcepoint Email Security products. The information contained here should be used as a guide - if there are specific questions regarding customer deployments, please contact Forcepoint Technical Support, and a technical support engineer will be happy to address any specific questions or concerns.
 

Problem Description

Should I install all available hotfixes for my Email appliance?

Resolution

Provided here will be answers to many frequently asked questions regarding hotfixes for the Forcepoint Email product.
  1.  What are hotfixes?
A hotfix is a single or cumulative package that includes information (often in the form of one or more files) that is used to address a problem in a software product. The term "hotfix" originally referred to software patches that were applied to "hot" systems; that is, systems which are live, currently running, and in production status rather than development status.
  1.  What kind of hotfixes are available for my Email Appliance?
There are two branches of hotfixes to be aware of: Appliance and Email.
  • Appliance hotfixes deal specifically with the hardware and operating system of the management container of the appliance, whether it be a physical appliance or virtual, independent of the role the appliance serves (be it Email, Web, etc). These hotfixes follow the naming convention of:
APP-XXX-YYY
APP stands for appliance, XXX is the version of the product running on the appliance, and YYY is the number of the hotfix. For example, APP-8.4.0-001.
Appliance hotfixes will require a reboot after installation, and will automatically reboot when complete.
  • Email hotfixes are to address issues with the email product running on the appliance. Because our email product has both Windows and Linux components, we release hotfixes for both. In the cases of rollup hotfixes, you will see two listed – one for Linux and one for Windows. If this is the case for the hotfix you plan on installing, both of these must be installed. Email hotfixes follow the naming convention of:
Email-XXX-YYY
XXX is the version of the product and YYY is the number of the hotfix. For example, Email-8.4.0-001.
Email appliance hotfix roll-up packages will require a services restart after installation. This is also completed automatically. Windows updates include the manager portion (replaces the Email Security Webserver files) which requires a windows service restart (non-disruptive to mail flow or PEM/WSM, only to management via the FSM); and the database portion, installed via ODBC connection through the logserver interface (non-disruptive, no restarts required).

It is important to note, therefore, that APP-8.4.0-001 and Email-8.4.0-001 would be completely different hotfixes even though they share the same product number and hotfix number.
  1. Why should I install them?
The hotfixes contain open and closed-source software package updates, security updates, bug fixes, and new features.

The risk of applying the hotfix must be weighed against the risk of not applying it, because the problem to be fixed might be so critical that it could be considered more important than a potential loss of service (e.g., a major security breach). Each Forcepoint hotfix is given a Severity rating (Limited/Moderate/Severe) to assist you in gauging the importance of a hotfix.
  1. Where can I download the hotfixes?
Hotfixes can be downloaded from our support site (https://support.forcepoint.com) under the Downloads section, where available hotfixes will be categorized by Product and Version. For more information, see Forcepoint Downloads, Installers and Hotfix Information.
  • You can use the Personalization option to filter out products you do not own.
  • Alternatively, the All Downloads button will show everything available. This is especially useful if a new product or version in available, as it may not show up immediately in the “My Downloads” view.
  • The Windows hotfixes can be downloaded and installed from here.
  • You can also download Linux hotfixes for the appliance and, if you have a filestore, make them available to install.
Appliance hotfixes can also be installed via the admin CLI.
  • This view is useful as it will filter out any available hotfixes not designed for the appliance you are using or the products running on that appliance. So, for example, if you are running a virtual appliance with our 8.5 email product installed, you will only see hotfixes for the virtual appliance and the 8.5 email hotfixes listed.
You can also use the Forcepoint Security Appliance Manager (FSAM), which is a centralized operations console that manages Forcepoint V Series, X Series, and Virtual Appliances for Web and Email (v8.3 and later) in one place. Specifically designed for customers who have remained on older software versions (8.2 or earlier), FSAM brings improved usability and appliance management capabilities without sacrificing any controls provided by a previous local appliance management UI. The FSAM is installed on the same server as the Forcepoint Security Manager (formerly TRITON Security Manager). No additional hardware is required.  For more information, see Forcepoint Security Appliance Manager.
  1. How do I know which hotfix(es) I need?
The numbering on the hotfix provides some information for what the hotfix applies:
  • 0xx hotfixes are roll-up hotfixes where multiple hotfixes are combined and tested. Please install ONLY the latest of these hotfixes.
    • NOTE On all current versions of Forcepoint Email Security (8.4+), for both the APP and EMAIL hotfixes, the latest 0XX hotfix roll-up contains all prior fixes.
  • 1xx hotfixes are single-issue hotfixes that address a specific issue. For the Email product, these should only be installed if you are currently experiencing the issue that the hotfix addresses and have discussed the issue with a Forcepoint technical support engineer. 
    • NOTE On all current versions of Forcepoint Email Security (8.4+), the 1XX hotfixes are deprecated and have been rolled-up into the 0XX hotfix roll-ups.
  • 2xx hotfixes are typically Appliance hotfixes that address security issues.
  • 3xx hotfixes are reserved for migration. You only need to install these if you are immediately planning a migration.
    • NOTE Do NOT install the 300 or 301 migration hotfixes unless you are currently implementing change controls for a migration.
  • 7xx hotfixes usually address issues with system libraries (java, for example)
  • 9xx hotfixes are fast-tracked hotfixes to fix a specific issue. 
    • NOTE On all current versions of Forcepoint Email Security (8.4+), the 9XX hotfixes are deprecated and have been rolled-up into the 0XX hotfix roll-ups.
The documentation of the hotfixes on the support site will provide more information about what the hotfix corrects or contains. For example, the documentation for a rollup hotfix will list which hotfixes it currently contains and whether it also contains previous roll-ups.

NOTE On all current versions of Forcepoint Email Security (8.4+), for both the APP and EMAIL hotfixes, the latest 0XX hotfix roll-up contains all prior fixes.

Another important thing to note in the description is on which version of the product the hotfix is based. For example, if a single-issue hotfix is states it is based on HF2, that means that it is based on the base version of the product running on Hotfix Rollup 002.

When it comes to Email appliances, our recommendations are:
  • Install any available APP hotfixes – these will typically be roll-up hotfixes or security fixes. If the hotfix is a single-issue, you are having the issue that hotfix addresses, check with a Forcepoint Security Engineer but there should be no issues
  • Install any available Email rollup hotfixes (i.e. 0xx)
  • Review the documentation for the Email rollup hotfix – some roll-ups will include previous versions, some have dependencies requiring previous roll-ups be installed. This will be clearly stated in the notes.
  • Only install single-issue/fast-tracked hotfixes (i.e. 1xx/9xx) if you have currently experiencing the issue that the hotfix is for and you have discussed the issue with a Forcepoint Technical Support Engineer. They can assist with determining if that hotfix will correct the issue you’re having without causing conflicts with currently installed products or rollup versions.
  • Only install Migration hotfixes (i.e. 3xx) if you are about to perform a migration.
  • Other hotfixes (2xx/7xx) should be safe to install if you have read the documentation of what that hotfix addresses. 
  • Check the dates on when the hotfix was released – generally speaking, it’s better to install chronologically rather than by number.
    • NOTE On all current versions of Forcepoint Email Security (8.4+), for both the APP and EMAIL hotfixes, the latest 0XX hotfix roll-up contains all prior fixes. For all current versions of Forcepoint Email Security (8.4+), please install ONLY the latest roll-ups for APP and EMAIL, and also install any of the 2XX APP hotfixes for security.
  1.  How do I install the hotfixes? Can I uninstall them?
Hotfixes for the Windows products can be installed directly on the server with administrator approval.
Important Technical support can assist in determining if you have installed the Windows components on the FSM and logserver, but there is no harm in re-installing them if already installed (replaces the WAR file for the FSM email module, and replaces/modifies stored procedures and tables in the email log database).
 
For the Linux appliances, similar to the “How do I download” section, you can either use the FSAM to download and install the hotfixes or install them using the admin CLI. This is covered in-depth in the CLI guide, which you can find in the Documentation section of the Forcepoint Support site (https://support.forcepoint.com) by version, and briefly at Forcepoint Downloads, Installers and Hotfix Information.

Hotfixes can be uninstalled.
  • For the Linux appliance hotfixes, this can be done either from the Admin CLI (uninstall hotfix --id <ID>) or via the FSAM. The appliance keeps rollback information in case a hotfix needs to be removed from an appliance. As always, we recommend backups be taken before making any changes to the appliances.
  • For appliance hotfixes, we only support uninstalling the most recently installed roll-up hotfix. For instance, if you install APP-8.4.0-002 then install APP-8.4.0-003, we support uninstalling 003 only. The system will technically allow the uninstall of 002 after 003 is uninstalled (it will block the 002 uninstall if 003 is installed) but this is not a supported operation.
  • Windows hotfixes can be rolled back depending on the component that is updated.
  • If the component modified is the web-based portal, you can make a backup of the ConfigUI.war file (located in \Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\esg, on the drive where you initially installed the product). This can be done while the service is running:
    1. Right-click file ConfigUI.war, select Copy.
    2. Right-click within Windows Explorer, choose Paste.
To restore the backup (Recommendation - please contact Forcepoint Email Support if this is required so we can assist):
  1. Stop the Websense TRITON – Email Security service
    1. Go to the Service Control Manager (Start > Control Panel > Administrative Tools > Services).
    2. Locate the Websense TRITON – Email Security service.
    3. Right-click and click Stop
  2. Navigate to the \Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\esg directory.
  3. Rename the backup file to ConfigUI.war. You can either rename or move the current file to another name.
  4. Delete the following directories
  • C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\webapps\esg
  • C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\work\Catalina
  1. Start the Websense TRITON – Email Security service
    1. Return to Services
    2. Locate Websense TRITON – Email Security service.
    3. Right-click and click Start
 
  1.  Where can I find “readme” files/documentation on the hotfix?
As of the writing of this document, readme files for the hotfixes are included in the downloaded archived package files (.zip for Windows, .rpm for Linux) but are not always available separately on the Support site. 
  • For the Linux RPM files, you can use a product like 7-Zip or WinRar to open the RPM and dig into the file structure to find the readme files. For example, you can find the ReadMeHF1.txt file for Email-8.4.0-001 under:
\Appliance-Hotfix-Email-8.4.0-001.rpm\Appliance-Hotfix-Email-8.4.0-001-8.4-0.x86_64.cpio\.\opt\appliance\hotfix\workdir\Email-8.4.0-001\Email-8.4.0-001.tar.gz\Email-8.4.0-001.tar\
  1. I have a single-issue hotfix installed that correct an issue but I’m still having that issue – why?
This can happen for several reasons, but, a single-issue hotfix is designed to be installed on a version of the Forcepoint product.
  • If you install a single-issue hotfix that corrects a file or files and then install another single-issue hotfix that updates those same files, the change made by the first hotfix can be overwritten.
  • Rollup hotfixes are designed so that all fixes work together, which is why they are recommended to install over single-issue hotfixes.
  • This is also why we do not recommend installing all single-issue hotfixes unless you are experiencing the issue that hotfix addresses and have discussed the issue with a Forcepoint Technical Support Engineer. If you are having this issue, raise a case with Technical Support.
    • NOTE On all current versions of Forcepoint Email Security (8.4+), for both the APP and EMAIL hotfixes, the latest 0XX hotfix roll-up contains all prior fixes. For all current versions of Forcepoint Email Security (8.4+), please install ONLY the latest roll-ups for APP and EMAIL, and also install any of the 2XX APP hotfixes for security.
  1. I have the rollup hotfixes installed but the system still shows other hotfixes available – why?
The admin CLI/FSAM will only check if the hotfix number has been installed, not whether the issue has been corrected. So, if roll-up Hotfix contains Single Issue hotfixes 101-105, those single-issue hotfixes will still read as available to install.
  1. Additional Information
The Knowledge Base on our Support site has more information regarding hotfixes, which has been used in the creation of this article. For more information, as well as summaries of the available hotfixes, please visit the following links. Note You must have a valid login for Forcepoint in order to view the Downloads section.



Keywords: hotfix; download; email security settings; relay configuration; filter not working; cluster not working; appliance; rule; fsm; email protection system problems

Article Feedback



Thank you for the feedback and comments.