Releasing Capture Client 3.6

Description

In November 2020, Capture Client 3.5 was released to brand new SonicWall customers and any SonicWall Customers that did not have any active Capture Client subscriptions at the time. This article explains how SonicWall plans to release Capture Client 3.6 by upgrading customers running Capture Client 3.5 and migrating customers running Capture Client 3.1.

Cause

Capture Client 3.5 introduced significant schematic and design changes and thus it was not trivial to simply "upgrade" tenants from Capture Client 3.1 to Capture Client 3.5, without sufficient testing and validation.

Resolution

Latest Updates:

===================================================================

Capture Client 3.6 will extend the new policy management and dashboard features introduced in Capture Client 3.5 to all of our customers. This will involve an upgrade of clients, as well as automatic migration of policies, groups and configurations to the new schema. The release will happen between 12am on a Saturday and 12am on the following Tuesday US Pacific Time hours (henceforth referred to as “release window”). The release window will be communicated to Capture Client customers via email with a reminder 1 week ahead of schedule. This is mandatory upgrade for all Capture Client customers, following which all older version of Capture Client will move to End of Support, per the Product Lifecycle.

 

Are there any new features in Capture Client 3.6?

  • Supporting macOS BigSur on Apple desktops and laptops running Intel chipsets (support for ARM-based processors will follow shortly thereafter)
  • Extending the policy management and dashboard features introduced in Capture Client 3.5 to all customers
  • Offering global operations capabilities to all eligible MSSP partners 

 

Will this release interrupt Capture Client operations?

All endpoints protected by Capture Client and the SentinelOne engine before the release window will remain protected, based on the last policy applied to them. Any configured email notifications will continue to be delivered during the release window. However the Capture Client console will remain inaccessible during the release window for any operations. In addition, we highly recommend that administrators avoid any operations on Capture Client products in MySonicWall (including new activations, renewals, upgrades, license sharing, user group updates and deletions) as they may fail to complete successfully or may not be migrated to Capture Client 3.6. If any urgent actions are needed, please contact Support. 

 

Is any action required by Capture Client administrators prior to the release window?

  • Right before the release window, administrators should verify that all protected endpoints are online and communicating to the console. Any obsolete devices should be removed from the inventory for hygiene.
  • Certain settings will not be migrated during the release window (see the end of this article). It is recommended to review your policy settings and modify them accordingly. Please reach out to SonicWall Support for any assistance.
  • It is highly recommended that all Capture Client policies be configured with SonicWall-Managed (Latest or General Release) versions to minimize post-release actions

 

What action is required to upgrade clients to Capture Client 3.6?

  • Capture Client 3.6 will be released as a SonicWall-Managed Latest Release and a SonicWall-Managed General Release.
  • Please review this KB article for actions required and FAQs

 

How should i troubleshoot issues with my Capture Client 3.6 Upgrade?

  1. If the client is showing up as "Unlicensed" and has created duplicate entries in the CC 3.6 Devices list for our tenant.
    1. Login to the CC 3.6 console
    2. Navigate to Protect -> Devices
    3. Filter Devices to show only "Offline" devices
    4. Select all Devices and use the Bulk action menu to "Decommission" these devices
    5. Once this is completed, then Select all Devices and use te Bulk action menu to "Delete" these devices
    6. Monitor your CC 3.6 endpoints and make sure they are coming back online
  2. I have used Self-Managed policies to upgrade my endpoints to CC 3.6.24 but they haven't upgraded
    1. Ensure the endpoints are online
    2. Logout and Login to the Endpoint. If that doesn't work, reboot the Endpoint
    3. Alternatively, navigate to the Devices page and apply the Device action "Upgrade Client" to manually upgrade the endpoint
  3. My Linux endpoints have not automatically upgraded
    1. Please review this KB article to see how to upgrade Linux endpoints. 

 

Will I be able to use the Capture Client 3.1 or 3.5 management consoles?

  • Administrators will be able to log back ito the Capture Client 3.1 and Capture Client 3.5 consoles - however some features (e.g. Dashboards, Statistics and Reporting) may not work as expected. 
  • It is recommended that you log into Capture Client 3.1 or Capture Client 3.5 only for the purpose of using policies or device actions to upgrade all our clients. 
  • Important: The Capture Client 3.1 management console (https://captureclient.sonicwall.com) will remain be decommissioned and will no longer be available after June 20th 2021.

 

How do I get access to the management console for Capture Client 3.6?

  • The Capture Client 3.6 management console will be available at https://captureclient-36.sonicwall.com. 
  • Admins who accessed the Capture Client management console for 3.1 or 3.5 directly, you will now need to navigate to this new URL
  • Admins who login to the console via Capture Security Center (https://cloud.sonicwall.com) will be redirected automatically when the click on the Capture Client tile

 

How is this release different if I am running Capture Client 3.1 or Capture Client 3.5?

  • For customers running Capture Client 3.5, this is a standard upgrade with the introduction of the new features mentioned above.
  • For customers running Capture Client 3.1, policies, groups and configurations will be migrated to the new schema and design. However there will no changes to the effective policies applied to your endpoints.

 

How will Capture Client 3.1 policies, groups and policy assignment rules be migrated?

Default Capture Client Policy
  • Migrate the Agent Settings of the Default CC Policy to the Tenant Client Policy
  • Copy Auto-decommission and Auto-delete settings from Tenant Settings
  • Migrate associated Threat Protection policies, Web Content Filtering polices, Trusted Certificate policies per Table Below
  • Migrate Blacklists, Exclusions, Device Control rules and Allowed Websites per Table Below
  • Copy the version GUID used - SonicWall-Managed / Self-Managed and GEneral / Latest Release.
    • If a SonicWall-Managed General Release is used, the version for Linux will be left blank
    • If it is configured to a Self-Managed release prior to 3.1.5 / 3.5.19, the entry will be left blank in the new policy
Every Group that has 1 or more Capture Client Policies assigned
  • Create a matching group (dynamic/static) with matching assignment rules/members
  • From assigned policies, select the CC Policy with the highest priority as the "Effective CC Policy"
  • Migrate Agents Settings of the "Effective CC Policy" to the Group Client Policy
  • Copy Auto-decommission and Auto-delete settings from Tenant Settings
  • Migrate associated Threat Protection policies, Web Content Filtering polices, Trusted Certificate policies per Table Below
Every Capture Client Policy that is NOT assigned to any group
  • Create a Static Device Group using the Policy Name and the CC serial number - e.g. if Policy is Test-Policy and tenant serial number is CC12345678, then the Static Group name should be Test-Policy-CC12345678
  • Leave members of Static Device Group as EMPTY
  • Migrate Agents Settings of the Capture Client Policy to the Group Client Policy
  • Copy Auto-decommission and Auto-delete settings from Tenant Settings
  • Migrate Sub-Policies, Settings and Configurations per Table below

 

How will Capture Client 3.1 Threat Protection, Trusted Certificate and Web Content Filtering Policies be migrated?

Threat Protection Policy
  • Copy the Engine Settings, and Protection Modes to Threat Protection Policy
  • Copy the Policy-specific Exclusions & Blacklists to Exclusions & Blacklists respectively
  • Copy the Device Control Settings and rules to the Device Control Policy
  • Copy the version GUID used - SonicWall-Managed / Self-Managed and GEneral / Latest Release
    • If a SonicWall-Managed General Release is used, the version for Linux will be left blank
    • If it is configured to a Self-Managed release prior to 4.1.x, the entry will be left blank in the new policy
Trusted Certificate Policy
  • If Trusted Certificate Policy is assigned, copy over settings and assigned certificate
Web Content Filtering Policy
  • If WCF Policy is assigned, then enabled WCF on tenant scope WCF Policy and copy settings over

 

How will Capture Client 3.1 Global Exclusions, Blacklists, Device Control Rules and Allowed Websites be migrated?

Global Exclusions and BlacklistsCopy the Global Exclusions and Blacklists entries to the Tenant Exclusion and Blacklist Policies  
Global Device Control RulesCopy the Global Device Control Settings and rules to the Tenant Device Control Policy
Global Allowed Web SitesCopy the entries to the Tenant and Group Policies for Web Content Filtering

 

Will any configurations not be migrated to Capture Client 3.6?

Due to the nature of the change in design and schema, certain configurations will not be migrated over to Capture Client 3.6. Please review your environments carefully and take the recommended actions ahead of the release window.

Configuration SettingRecommended Customer Action
Sub-policies not Assigned to CC policies
  • No action required if sub-policy is not required
  • If sub-policy is required, assign to a CC Policy
Capture Client Policies explicitly assigned to Users (and not User Groups)
  • No action required if user assignment is not required
  • If user assignment is required,
    • Create Static User Group and add assigned users for Capture Client policy to the group
    • Assign the Capture Client policy to the Static User Group
Any Group that has no Assigned policies
  • No action required if group is not required
  • If this group is required, assign a CC Policy to the group

Related Articles

  • ConnectWise Manage (Legacy) Integration - Frequently Asked Questions
    Read More
  • SentinelOne agent command line tool
    Read More
  • Capture Client Agent Return Codes - Phase 1
    Read More

Categories

Endpoint Security
Capture Client
not finding your answers?
Ask the Community
was this article helpful?
YesNo