Upgrade engines remotely

The Management Server can remotely upgrade engine components that it manages.

Before you begin

Read the Release Notes for the new version, especially the required SMC version and any other version-specific upgrade issues that might be listed. To access the release notes, select Configuration, then browse to Administration > Other Elements > Engine Upgrades. Select the type of engine you are upgrading. A link to the release notes is included in the upgrade file’s information. If the Management Server has no Internet connectivity, you can find the release notes at https://support.forcepoint.com/Documentation.

CAUTION:
If McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the NGFW Engine when you upgrade to version 6.3 or later, the NGFW Engine node is returned to the initial configuration state and stops processing traffic. You must remove the McAfee Endpoint Intelligence Agent (McAfee EIA) configuration and refresh the policy before you upgrade to version 6.3 or later. For more information, see Knowledge Base article 14093.

You can upgrade several engines of the same type in the same operation. However, we recommend that you upgrade clusters one node at a time and wait until an upgraded node is back online before you upgrade the other nodes. When the upgrade is done in stages, clusters operate normally throughout the upgrade. Even so, we recommend that you upgrade all nodes in the cluster to the same version as soon as possible. Prolonged use with mismatched versions is not supported. It is not possible to have 32-bit and 64-bit engines online in the cluster at the same time.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Home.
  2. Browse to Engines, then expand the nodes of the engine that you want to upgrade.
  3. Right-click the node you want to upgrade, then select Commands > Go Offline.
  4. (Optional) Enter an Audit Comment to be shown in the audit log entry that is generated when you send the command to the engine.
  5. Click Yes.
    The engine goes offline shortly.
  6. Right-click the node you want to upgrade, then select Upgrade Software or Configuration > Upgrade Software depending on your selection.
    Note: You cannot upgrade Virtual NGFW Engines directly. To upgrade Virtual NGFW Engines, you must upgrade the Master NGFW Engine that hosts the Virtual NGFW Engines.
  7. Select the type of Operation you want to perform:
    • Select Remote Upgrade (transfer + activate) to install the new software and reboot the node with the new version of the software.
    • Select Remote Upgrade (transfer) to install the new software on the node without an immediate reboot and activation. The node continues to operate with the currently installed version until you choose to activate the new version.
    • Select Remote Upgrade (activate) to reboot the node and activate the new version of the software that was installed earlier.
    CAUTION:
    To avoid an outage, do not activate the new configuration simultaneously on all nodes of a cluster. Activate the new configuration one node at a time, and proceed to the next node only after the previous node is back online.
  8. If necessary, add or remove Target engines.
    All engines in the same Upgrade Task must be of the same type.
  9. Select the correct Engine Upgrade file, then click OK.

    If you choose to activate the new configuration, you are prompted to acknowledge a warning that the node will be rebooted. A new tab opens showing the progress of the upgrade. The time the upgrade takes varies depending on the performance of your system and the network environment. The engine is automatically rebooted and brought back online.

    The upgrade overwrites the inactive partition and then switches the active partition. To undo the upgrade, use the sg-toggle-active command or the engine’s boot menu to switch back to the previous software version on the other partition. This switch can also happen automatically at the next reboot if the engine is not able to successfully return to operation when it boots up after the upgrade.

    Note: The Management Server verifies the digital signature of the upgrade package before installing it. The signature must be valid for the upgrade to succeed. If the verification fails, an error message is shown. Verification failure can result from an out-of-date SMC version or an invalid or missing signature.