Forcepoint

DLP
10.3

Upgrade Guide

Revision A
 © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.

Published 24 March 2025

Every effort has been made to ensure the accuracy of this document. However, Forcepoint
makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose. Forcepoint shall not
be liable for any error or for incidental or consequential damages in connection with the
furnishing, performance, or use of this manual or the examples herein. The information in
this documentation is subject to change without notice.
Forcepoint DLP 10.3 | Upgrade Guide

Contents
1 Preparing to Upgrade Forcepoint DLP..............................................................................................................5
Preparing to Upgrade to Forcepoint DLP 10.3..............................................................................................5
Prepare for upgrade.......................................................................................................................................6
Download and launch the installer................................................................................................................ 7

2 Upgrading Forcepoint DLP................................................................................................................................. 9

Upgrade the management infrastructure..................................................................................................... 10
Upgrade data security components on the management server................................................................ 11
Deploy settings.............................................................................................................................................12
Complete post-upgrade steps on the management server......................................................................... 13
Upgrade supplemental servers and Windows-based agents...................................................................... 13
Upgrade protectors.......................................................................................................................................14
Migrating Protector from CentOS7 to Red Hat Enterprise Linux 8 (RHEL8)...............................................16
Updating configuration file........................................................................................................................... 17
Obtaining updates in enabled Policy/Rules................................................................................................. 18
Data Protection Service............................................................................................................................... 18
Re-enabling fingerprint classifiers................................................................................................................20

3 Appendix B: Upgrading the Maintenance Release........................................................................................ 21

3
Forcepoint DLP 10.3 | Upgrade Guide

4
Chapter 1
Preparing to Upgrade Forcepoint
DLP
Contents

■ Preparing to Upgrade to Forcepoint DLP 10.3 on page 5

■ Prepare for upgrade on page 6
■ Download and launch the installer on page 7

Preparing to Upgrade to Forcepoint DLP

10.3
The existing Forcepoint DLP installation must be at one of the following versions to upgrade to version 10.3
■ 10.2
■ 10.1
■ 10.0
■ 9.0
■ 8.9.1
If you have an earlier version, you will need to upgrade to version 8.9.1 first before beginning your upgrade to
10.3.
The existing data security solution must be at least version 8.9.1 to upgrade directly to the Forcepoint DLP
version 10.3. Those currently using an earlier version must perform interim steps, as shown in the table below:

Current version Step 1 Step 2

8.6.0 – 8.8.x Upgrade to 8.9.1 Upgrade to 10.3

8.9.1–10.2 Upgrade to 10.3

Preparing to Upgrade Forcepoint DLP | 5

Forcepoint DLP 10.3 | Upgrade Guide

Prepare for upgrade

Steps to do before upgrading.

Important
To successfully upgrade DLP to v10.3, log on to the installation machine with the same account who
installed the FSM, which has local administrator privileges.

Note
The FSM system may appear unresponsive until the upgrade process is completed.

Steps
1) Unless instructed otherwise by Forcepoint Technical Support, make sure the system is functional prior to the
upgrade.

2) Verify that the starting version is 8.9.1, 9.0 or 10.x.

3) Perform a full backup of the system (including both product and infrastructure backups, as described in the
appropriate version of the Backup and Restore FAQ).

4) If fingerprinting tasks are running, stop the fingerprinting and disable the scheduler.

5) Ensure that any supplemental fingerprint repositories are fully synchronized with the primary repository.
Check for synchronization in the system log.

6) Log on to the management console to make sure all settings are deployed successfully. (If the Deploy button
is highlighted, click it.)

7) If administrators have removed applications from the product’s predefined endpoint application groups, make
a list of the changes. Application groups are restored after the upgrade, the applications will need to be
removed again. Custom user-defined groups are unaffected.

8) Disable User Account Control (UAC) and Data Execution Prevention (DEP) settings, and make sure that no
Software Restriction Policies will block the installation. The UAC settings can be re-enabled following the
upgrade.

Preparing to Upgrade Forcepoint DLP | 6

Forcepoint DLP 10.3 | Upgrade Guide

9) Make sure that at least the Visual C++ version 2022 (or later) Runtime Libraries are installed on the
management server. Download the Visual C++ Redistributable for Visual Studio from Microsoft.

Note
The speed and success of the upgrade process are affected by many factors, including:
■ Number of online incidents
■ Size of the forensics folder
■ Number of policies or rules in use
■ User directory import size
■ Whether GPO restrictions are enforced on the server in domain membership scenarios
■ Hardware specification

Download and launch the installer

Downloading and launching the installer.
The Forcepoint Security Installer ( [Link] ) is used to upgrade the management server and
other Windows-based servers. The management server is always upgraded first. To download the installer onto
the management server machine:

Steps
1) Navigate to [Link] and log in.

2) Click Downloads in the menu bar at the top of the page.

3) Under Products, select Data Loss Prevention (DLP).

4) Select the DLP Core link.

5) Click Forcepoint Security Manager for DLP v10.3 from the Installers list.

6) On the Product Installer page, click the Download link near the bottom of the page.

7) When the installer has downloaded successfully, double-click the file to launch the installer.
It may take several minutes for the installer to unpack files and launch. This is expected behavior.
The installation package detects that earlier versions of the product are installed and automatically starts a
series of wizards.
After upgrade, the system has the same configuration as before the upgrade. The upgrade process does not
allow the option to change configuration or settings.

Preparing to Upgrade Forcepoint DLP | 7

Forcepoint DLP 10.3 | Upgrade Guide

Preparing to Upgrade Forcepoint DLP | 8

Chapter 2
Upgrading Forcepoint DLP
Contents

■ Upgrade the management infrastructure on page 10

■ Upgrade data security components on the management server on page 11
■ Deploy settings on page 12
■ Complete post-upgrade steps on the management server on page 13
■ Upgrade supplemental servers and Windows-based agents on page 13
■ Upgrade protectors on page 14
■ Migrating Protector from CentOS7 to Red Hat Enterprise Linux 8 (RHEL8) on page 16
■ Updating configuration file on page 17
■ Obtaining updates in enabled Policy/Rules on page 18
■ Data Protection Service on page 18
■ Re-enabling fingerprint classifiers on page 20

Start the upgrade process by upgrading the management server. This is critical, because if supplemental servers
or agents are upgraded before the management server, they stop communicating. When the management server is
upgraded first, it continues communicating with the components until they are upgraded.

1) Perform the management server upgrade steps in the order described in the following sections:
a) Upgrade the management infrastructure.

b) Upgrade the data security components on the management server.

c) Complete post-upgrade steps on the management server.

2) Post upgrade of the management server, upgrade supplemental servers and any other server components as
described in following sections:
■ Upgrade supplemental servers and Windows-based agents.
■ Upgrade protectors
■ Upgrade the Forcepoint DLP Protector software.

3) After upgrading the management server and other server components, it is essential to deploy changes. See
section Deploy settings.

4) If you have a DLP Cloud Applications license and are not already connected to Data Protection Service, see
section Data Protection Service before upgrading.

5) If you are using Dynamic Data Protection (Endpoint DLP and Forcepoint Behavioral Analytics), you need to
download the RAP User Manager tool to enable users for Dynamic Data Protection on a DLP system. See the
Forcepoint Dynamic Data Protection Getting Started Guide for more information.

Upgrading Forcepoint DLP | 9

Forcepoint DLP 10.3 | Upgrade Guide

Related concepts
Upgrade the management infrastructure on page 10
Upgrade data security components on the management server on page 11

Related tasks
Complete post-upgrade steps on the management server on page 13
Upgrade supplemental servers and Windows-based agents on page 13
Upgrade the Appliance based Protector on page 15
Upgrade the Forcepoint DLP Protector software on page 15

Upgrade the management infrastructure

The Forcepoint Infrastructure provides the basic framework for all of the components that make up the
management server. This framework includes a central settings database that stores shared configuration (like
administrator directory and account information) for all management modules, as well as other internal shared
services.
The infrastructure upgrade wizard contains the following screens.

Wizard Screen Fields

Welcome Initiates the wizard.

1) Click Next to begin the upgrade process. The
system checks disk space requirements.

2) When prompted, click Next to launch the

installation wizard.

The subscription agreement message pops up.

1) Select I accept this agreement.

2) Click Next.

Pre-Installation Summary Shows information about the upgrade, including:

■ The destination folder for the installation files.
■ The name of the SQL Server machine and the user
name of an authorized database administrator. The
user must enter the SQL credentials used in the
install of the earlier version of DLP.
■ The IP address of the management server and its
administrator credentials.
Click Next to accept the properties.

Upgrading Forcepoint DLP | 10

Forcepoint DLP 10.3 | Upgrade Guide

Wizard Screen Fields

Installation Shows upgrade progress.

The system stops processes, copies new files,
updates component registration, removes unused files,
and more.
A pop up message appears at this stage, warning
that all modules must be upgraded. This pop up may
be hidden behind the main installer window, so if the
upgrade process appears to freeze, locate the hidden
pop up by moving the main installer window, then click
OK, to proceed.
In addition, if a Data Task Scheduler window opens,
the installer offers the option to stop the Work
Scheduler service, or continue running the installer
and reboot at the end. Reboot is the recommended
approach.

Summary Provides an overview of what has been upgraded,

including:
■ The destination folder for the installation files.
■ The name of the SQL Server machine and the user
name of an authorized database administrator.
■ The IP address of the management server and its
administrator credentials.
Click Finish to complete the upgrade for this module.
Restart the machine if prompted.

Upgrade data security components on

the management server
Before running the Forcepoint DLP upgrade wizard, the installer validates system requirements to ensure the
upgrade will be successful.
The pre-upgrade check validates hardware requirements, credentials for the SQL Server management database,
endpoint security certificates, manager configuration, administrator upgrade permissions, and the database
structure. As it proceeds, it reports whether a step succeeded or failed, or it shows a warning.
■ If there is a failure, the upgrade stops. For details, see \TRITON-PreUpgrade- [Link] in the
product’s installation directory.
■ If there are only warnings, the installer offers the option to continue the upgrade. Continuing without repairing
the issues may cause unexpected behavior, but should not have a critical impact.
■ If the pre-upgrade check succeeds, or if the administrator continues after viewing warnings, the Forcepoint
DLP wizard is launched, followed by wizards for each installed component.
The Forcepoint DLP upgrade wizard contains the following screens.

Upgrading Forcepoint DLP | 11

Forcepoint DLP 10.3 | Upgrade Guide

Wizard Screen Fields

Welcome Initial Forcepoint DLP installation wizard launch page.

The system checks the disk space on the machine.
When prompted, click Next to launch the installation
wizard.

Configuration Step through the screens configured during the

previous product installation, including Fingerprinting
Database, Temporary File Location, and Local
Administrator. Click Next on each to retain the existing
settings.

Installation Confirmation Review the settings on the Installation Confirmation

screen and click Install to continue the upgrade.

Installation Shows the progress of the installation. The system

stops processes, checks ports, copies new files,
updates component registration, removes unused files,
and more.
In certain circumstances, an internal SQL error may
appear. If this occurs, do not click OK until the issue
has been resolved with Forcepoint Technical Support.
Continuing without resolving the issue can cause
problems with the reporting database.

Summary Summarizes the upgrade configuration.

1) Click Finish to exit after the installation of

Forcepoint DLP is complete.
The installer information message pops up,
denoting that the changes made to the DLP
software will only start working after restarting
your system.

2) Select Yes/No depending on when you want to

restart your system and make the DLP changes
come into effect.

Deploy settings
After upgrading all servers, agents, and appliances to Forcepoint DLP 10.3, deploy changes in the Forcepoint
Security Manager. Endpoints do not require a separate deploy step.

1) Log into the Data Security module of the Forcepoint Security Manager.

2) When prompted to update policies, follow the on-screen instructions.

Depending on the number of existing policies, this can take up to an hour. During this time, do not restart the
server or any of the services.

3) Click Deploy.

Upgrading Forcepoint DLP | 12

Forcepoint DLP 10.3 | Upgrade Guide

Complete post-upgrade steps on the

management server
After the upgrade process completes successfully, perform the following steps:

Steps
1) Log on to the management server machine with Administrator permissions.

2) To re-register all other components to the management server, run the appropriate installer on each host
machine (see section Upgrade supplemental servers and Windows-based agents).

3) Log into the Forcepoint Security Manager.

4) If applications were removed from the predefined endpoint application groups prior to the upgrade, go to the
Main > >Resources > Endpoint Application Groups page and remove them again.

5) After upgrading all components, click Deploy in the Security Manager.

Related tasks
Upgrade supplemental servers and Windows-based agents on page 13

Upgrade supplemental servers and

Windows-based agents
To upgrade a supplemental Forcepoint DLP server or a Windows-based standalone agent to v10.3:

Steps
1) Launch the Forcepoint Security Installer, Forcepoint Infrastructure. The software is detected, and the
upgrade wizard appears.

2) Click Next until the wizard is completed.

Forcepoint DLP components found on this machine from a supported previous version are upgraded.

Upgrading Forcepoint DLP | 13

Forcepoint DLP 10.3 | Upgrade Guide

3) Complete the upgrade process by deploying changes in the Forcepoint Security Manager. As a best practice,
finish upgrading all components, then log into the Forcepoint Security Manager and deploy all of the changes
at once.

Note
Wait until the upgrade process is completed. It takes time for downloading the information
necessary for resolving source and destination resources such as people, computers, and
printers. Routing traffic through the system before completing the upgrade process may cause
Potential false positives and File-system discovery problems, where the discovery starts but
immediately fails.

Upgrade protectors
There are two types of Protectors:
■ Appliance-based Protector
■ Forcepoint DLP Protector software
Protectors can be upgraded from v8.9.x and later.

Prepare to upgrade the Appliance based

Protector
Steps to be taken before upgrading the protector.
Use these steps if the protector is at v8.9.x or later.
To download the upgrade script on the protector machine, complete the below steps:

Steps
1) Navigate to [Link] and log in.

2) Click Downloads in the menu bar at the top of the page.

3) Under Products, select Data Loss Prevention (DLP).

4) Select the DLP Core link.

5) Click Forcepoint DLP Appliance Upgrade Script from 8.9.x or 9.0.0 or 10.0.0, 10.1.0, or 10.2.0 to 10.3.0
from the Installers list.

6) On the Product Installer page, click the Download link near the bottom of the page.

7) When the download is complete, unzip the [Link] file.

8) Copy the resulting file, protector-update-103-yyyy, to the directory /tmp directory. Here, yyyy is the latest
build number, such as 103-3456.

Upgrading Forcepoint DLP | 14

Forcepoint DLP 10.3 | Upgrade Guide

Upgrade the Appliance based Protector

To run the upgrade script:

Steps
1) Enter the following command:
chmod +x /tmp/protector-update-103-yyyy

2) Enter the following command:

bash /tmp/protector-update-103-yyyy

3) Answer Y on the “Are you sure?” question, and complete the wizard, accepting the defaults.

4) Restart the protector machine when the wizard completes.

5) Deploy changes to complete the upgrade process. See section Deploy settings.

Note
Wait until the upgrade process is completed. It takes time to download the information
necessary for resolving source and destination resources such as people, computers, and
printers. Routing traffic through the system before completing the upgrade process may result in
false positives.

Related concepts
Deploy settings on page 12

Upgrade the Forcepoint DLP Protector

software
If your deployment includes the Forcepoint DLP Protector software package, the upgrade process differs slightly
from that described in Upgrade the appliance based protector. Use the following steps to upgrade the Protector
software package.

Steps
1) Navigate to [Link] and log in.
a) Click Downloads in the menu bar at the top of the page.

b) Under Products, select Data Loss Prevention (DLP).

c) Select the DLP Core link.

d) Select Forcepoint DLP Network appliance software package (Protector) in the list of installers.

Upgrading Forcepoint DLP | 15

Forcepoint DLP 10.3 | Upgrade Guide

e) On the Product Installer page, click the Download link near the bottom of the page.

2) Log in to the installation machine as root and copy the installation file into the Protector’s /tmp directory.

3) Run the following command:

chmod +x /tmp/ForcepointDLP103ApplianceSoftwarePackage

4) Execute ForcepointDLP103ApplianceSoftwarePackage

5) Complete the wizard.

6) Restart the Protector.

Migrating Protector from CentOS7 to

Red Hat Enterprise Linux 8 (RHEL8)
Perform the steps in the following sections to migrate the CentOS7 Protector with RHEL8 Protector.

Pre-migration requirements
Before migrating the Protector from CentOS7 to RHEL8, complete the pre-migration requirements in this section.

Steps
1) Stop all traffic from the customer side to the Protector.

2) Shut down the Protector with CentOS7 to be replaced.

3) Perform the following only for Forcepoint DLP Protector software.

a) Run the yum update command on the RHEL8 machine.

b) Install the following packages:

glibc python2 python3 perl postfix rpm rpm-libs libproxy ipcalc python3-ply libX11 libXft
fontconfig gsettings-desktop-schemas chrony network-scripts

4) Replace the IP Address and the hostname of the RHEL8 machine with the IP Address and the hostname of
the Protector with CentOS7.

5) Reboot the RHEL8 machine.

Upgrading Forcepoint DLP | 16

Forcepoint DLP 10.3 | Upgrade Guide

6) Before installing the Protector, follow the Pre-installation requirements mentioned in Forcepoint DLP
Installation guide.

Installation of the Forcepoint DLP Protector

software package
Steps
1) Use the steps for Installing Forcepoint DLP Protector software package given in the Forcepoint Installation
guide.
After installation, traffic to the new installed protector can be resumed.

Post-migration steps
After migrating the protector, perform the following steps.

Steps
1) Keep the replaced CentOS7 machine turned off or delete it.

Updating configuration file

After upgrading of all DLP components on the DLP system, complete the following steps to handle vulnerability
during upgrading to PolicyEngine 10.3 on Linux.

Note
This section is only applicable to the Linux system.

Steps
1) Go to %DSS_HOME%\policies_store\policies\config_files\

2) Open [Link] file.

Upgrading Forcepoint DLP | 17

Forcepoint DLP 10.3 | Upgrade Guide

3) If the following snippet is present in the [Link] file, then delete the snippet from the file.

<fileType id="291">
<!-- XML_FMT -->
<textExtractors>
</textExtractors>
<binaryExtractors>
<name>XML</name>
</binaryExtractors>
<metadataExtractors/>
</fileType>

4) Save [Link] file.

5) Perform the same steps for [Link] l

6) Make a ‘fake deploy’ by changing the severity of one of the rules and click No on the Deployment Needed
screen.

7) Then select the original severity of this rule and click Yes on the Deployment Needed screen to deploy the
changes.

Obtaining updates in enabled Policy/

Rules
Note
The new DLP v10.3 includes updated predefined DLP Policies/Rules and Classifiers. A list of the
these updated policies/rules can be viewed in the Release Notes. To get the benefits of these
updates, make sure to re-add them in your current DLP ruleset on FSM (Forcepoint Security
Manager).

To get the updated content related to the enabled Rules/Policies after upgrading, the Policies/Rules need to re-
added.
There are 2 ways to add the updated Policies/Rules:
■ Removing the existing Policies/Rules and re-adding it to FSM (Forcepoint Security Manager).
■ Adding the Policy/Rule again.
In order to avoid Policy/Rule override, the re-added and updated Policy/Rule will appear in the FSM with the
addition of its version, e.g. "<Policy Name>_1"

Data Protection Service

This section is applicable to users with a Cloud Applications license, who upgrade from versions earlier than
Forcepoint DLP 8.8.1.

Upgrading Forcepoint DLP | 18

Forcepoint DLP 10.3 | Upgrade Guide

If you are not yet connected to the Data Protection Service, you must connect using a Data Protection Service
JSON configuration file. Request this file from Forcepoint Technical Support before upgrading to Forcepoint DLP
10.3.
To support cloud channels, DLP Cloud Applications must be activated. For more information, see Forcepoint DLP
Administrator Help.

Configuring Data Protection Service

Use the Data Protection Service tab of the Settings > General > Services page to connect to the Data
Protection Service. This is done by uploading tenant information from the JSON file you received from
Forcepoint. Note that each time a file is uploaded, the system resets as if this is the first connection:

Steps
1) Click Select File, and in the dialog box that appears, click Choose File. Browse to the JSON file you
received from Forcepoint, and then click OK.
The file is uploaded to the server, and the information begins to appear in the Connection area of the Data
Protection Service tab.

2) Click Connect to establish the connection with the Data Protection Service:

3) Click Deploy to begin enforcing policies in cloud channels.

4) Click OK at the bottom of the screen to complete the process.

When the connection is active, the Connect button turns into a Disconnect button, enabling disconnection
of Data Protection Service from Forcepoint DLP.
In the Data Protection Service Status area, upon successful connection, the status is marked as Connected
successfully, the time and date of the connection are displayed, and the Recheck connection link is
enabled. This link is used to check the connection status in the event of problems. If an error is returned
upon checking the connection, the status is listed as Failed to connect.
After a successful connection to the Data Protection Service is established, do the following to ensure the
service is working properly:

a) Deploy a policy to the Data Protection Service.

b) Check the incident report to make sure incidents are analyzed by Data Protection Service and not any
other system component.

Note
As part of the integration with the Forcepoint Web Security Cloud, URL categories can now be
imported from the Forcepoint Web Security Cloud Portal. See Forcepoint DLP Administrator
Help for more information.

Error handling
■ If Data Protection Service shows the status “Failed to connect”, the module is temporarily unavailable. Click
Connect or Recheck Connection to try to connect again. If the problem continues, contact Forcepoint
Technical Support.

Upgrading Forcepoint DLP | 19

Forcepoint DLP 10.3 | Upgrade Guide

■ If the JSON file is uploaded for the first time, and when you click Connect, the connection fails, the status
shown is “Never connected”. This is because the Forcepoint Security Manager has never successfully
connected to the Data Protection Service. Contact Forcepoint Technical Support for assistance.
■ If you receive the following message in the Data Protection Service Status area:
This service is not connected to Forcepoint CASB. Incident reporting and policy enforcement will be affected for
cloud channels. See “Explain this page” for more information.
This means that there is a connection issue, and DLP Cloud API and Cloud Data Discovery channels will not
enforce DLP policies, and the DLP Cloud Proxy channel might not report incidents to the Forcepoint Security
Manager. See Forcepoint DLP Administrator Help, “Error handling” section for more information.

Re-enabling fingerprint classifiers

A customer with a version earlier than 8.9.1, who already uses fingerprint classifiers and upgrades directly to
Forcepoint DLP 10.3 (for example, from DLP 8.9.1 to DLP 10.3), must perform a re-activation, as explained
below. Until the activation is done, only files fingerprinted after the upgrade are protected.

Steps
1) To analyze structured data: Run a full scan (manually or by scheduler).

2) To analyze unstructured data, you must recreate the fingerprinting database (FPNE files) as follows:
a) Go to the DLP installation folder %DSS_HOME%

b) Run the following command to rebuild the fingerprinting database:

FPRUtils -o UnstructuredInsertion -Command RecreateFPNE
It can take about 10 minutes to rebuild the fingerprinting database, depending on the size and number of
fingerprints. It can also take an additional 10 minutes or so to automatically upload the fingerprints to the
cloud.

Upgrading Forcepoint DLP | 20

Chapter 3
Appendix B: Upgrading the
Maintenance Release
You can upgrade the maintenance version by installing a newer version of the maintenance release. When you install
a new maintenance release, the existing files from the previous version will be replaced with the updated files from the
new release. When you upgrade to a new General Availability(GA) version, the maintenance release versions will be
uninstalled during the process and the base version is changed to the new GA version.
The maintenance release installers must be executed using the same service user that was used to install the product.
For information on installing maintenance release files, see Forcepoint DLP Install Guide v10.3.

For details on specific maintenance releases, refer to the corresponding release notes in the table.

Forcepoint DLP Maintenance Release Version Release Note

10.3.1 Forcepoint DLP Release Notes v10.3.1

Appendix B: Upgrading the Maintenance Release | 21

Forcepoint DLP 10.3 | Upgrade Guide

Appendix B: Upgrading the Maintenance Release | 22

© 2025 Forcepoint