Getting started with upgrading NGFW Engines

You can remotely upgrade engines using the Management Client or locally on the engine command line.

Remote upgrade is recommended in most cases. See the Forcepoint Next Generation Firewall Installation Guide for detailed instructions if you want to upgrade engines locally.

How engine upgrades work

The upgrade package is imported to the Management Server manually or automatically. Before the import, the Management Server verifies the digital signature of the upgrade package using a valid Trusted Update Certificate. The signature must be valid for the import to succeed. Verification failure can result from an out-of-date SMC version, in which case the SMC must be upgraded, or an invalid or missing signature, in which case the administrator must obtain an official upgrade package.

After the upgrade package has been imported, you can apply it to selected engines through the Management Client. Before the upgrade is installed on the engines, the Management Server verifies the digital signature of the upgrade package. Also the engines verify the digital signature of the upgrade package before the upgrade is installed. Upgrade package digests are calculated using an SHA-512 hash and signed with an ECDSA key.

The engines have two alternative partitions for the software. When you install a new software version, it is installed on the inactive partition and the current version is preserved. This allows rollback to the previous version in case the installation is interrupted or other problems arise. If the engine is not able to return to operation after the upgrade, it automatically switches back to the previous software version at the next restart. You can also switch the active partition manually.

You can upload and activate the new software separately. For example, you can upload the upgrade during office hours but activate it during a service window.

The currently installed working configuration (routing, policies) is stored separately and is not changed in an upgrade or a rollback. Although parts of the configuration can be version-specific (for example, if system communications ports are changed), the new software version can use the existing configuration. Possible version-specific adjustments are made when you refresh the policy after the upgrade.

Limitations

It is not possible to upgrade between a 32-bit version and a 64-bit version of the software. If you are running the software on third-party hardware, you can reinstall the software using the other version. In clusters, 32-bit and 64-bit nodes cannot be online simultaneously. Appliances support only the software architecture version that they are pre-installed with.

You cannot upgrade Virtual NGFW Engines directly. To upgrade Virtual NGFW Engines, you must upgrade the Master NGFW Engine that hosts the Virtual NGFW Engines.

What do I need to know before I begin?

The SMC must be up to date before you upgrade the engines. An old SMC version might not be able to recognize the new version engines and can generate an invalid configuration for them. The Management Server can control several older versions of engines. See the Release Notes for version-specific compatibility information.

During a cluster upgrade, it is possible to have the upgraded nodes online and operational side by side with the older version nodes. This way, you can upgrade the nodes one by one while the other nodes handle the traffic. However, you must upgrade all nodes to the same version as soon as possible, as prolonged use with mismatched versions is not supported.

The current engine version is displayed on the General tab in the Info pane when you select the engine. If the Info pane is not shown, select Menu > View > Info.