The Management Server can remotely upgrade engine components that it manages.
Before you begin
Read the Release Notes for the new version, especially the required SMC version and any other version-specific upgrade issues that might be listed. To access the release notes, select Configuration, then browse to . Select the type of engine you are upgrading. A link to the release notes is included in the upgrade file’s information. If the Management Server has no Internet connectivity, you can find the release notes at https://support.forcepoint.com/Documentation.
CAUTION:
If McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the NGFW Engine when you upgrade to version 6.3 or later, the NGFW Engine node is returned to the initial configuration state and stops processing traffic. You must remove the McAfee Endpoint Intelligence Agent (McAfee EIA) configuration and refresh the policy before you upgrade to version 6.3 or later. For more information, see Knowledge Base article 14093.
You can upgrade several engines of the same type in the same operation. However, we recommend that you upgrade clusters one node at a time and wait until an upgraded node is back online before you upgrade the other nodes. Clusters operate normally throughout the upgrade when the upgrade is done in stages. However, it is recommended to upgrade all nodes in the cluster to the same version as soon as possible. Prolonged use with mismatched versions is not supported. It is not possible to have 32-bit and 64-bit engines online in the cluster at the same time.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Home.
- Browse to Engines, then expand the nodes of the engine that you want to upgrade.
- Right-click the node you want to upgrade, then select .
- (Optional) Enter an Audit Comment to be shown in the audit log entry that is generated when you send the command to the engine.
- Click Yes.
  The engine is turned offline shortly.
- Right-click the node you want to upgrade, then select Upgrade Software or depending on your selection.
  Note: You cannot upgrade Virtual NGFW Engines directly. To upgrade Virtual NGFW Engines, you must upgrade the Master NGFW Engine that hosts the Virtual NGFW Engines.
- Select the type of Operation you want to perform:
  - Select Remote Upgrade (transfer + activate) to install the new software and reboot the node with the new version of the software.
  - Select Remote Upgrade (transfer) to install the new software on the node without an immediate reboot and activation. The node continues to operate with the currently installed version until you choose to activate the new version.
  - Select Remote Upgrade (activate) to reboot the node and activate the new version of the software that was installed earlier.
  CAUTION:
  To avoid an outage, do not activate the new configuration simultaneously on all nodes of a cluster. Activate the new configuration one node at a time, and proceed to the next node only after the previous node is back online.
- If necessary, add or remove Target engines.
  All engines in the same Upgrade Task must be of the same type.
- Select the correct Engine Upgrade file, then click OK.
  If you choose to activate the new configuration, you are prompted to acknowledge a warning that the node will be rebooted. A new tab opens showing the progress of the upgrade. The time the upgrade takes varies depending on the performance of your system and the network environment. The engine is automatically rebooted and brought back online.
The upgrade overwrites the inactive partition and then switches the active partition. To undo the upgrade, use the sg-toggle-active command or the engine’s boot menu to switch back to the previous software version on the other partition. This switch can also happen automatically at the next reboot if the engine is not able to successfully return to operation when it boots up after the upgrade.
Note: The Management Server verifies the digital signature of the upgrade package before installing it. The signature must be valid for the upgrade to succeed. If the verification fails, an error message is shown. Verification failure can result from an out-of-date SMC version or an invalid or missing signature.