The Management Server can remotely upgrade NGFW Engine components that it manages.
Before you begin
Read the Release Notes for the new version, especially the required SMC version and any other version-specific upgrade issues that might be listed. To access the release notes, select Configuration, then browse to . Select the type of NGFW Engine you are upgrading. A link to the release notes is included in the upgrade file’s information. If the Management Server has no Internet connectivity, you can find the release notes at https://support.forcepoint.com/Documentation.
CAUTION: If McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the NGFW Engine when you upgrade to version 6.3 or later, the NGFW Engine node is returned to the initial configuration state and stops processing traffic. You must remove the McAfee Endpoint Intelligence Agent (McAfee EIA) configuration and refresh the policy before you upgrade to version 6.3 or later. For more information, see Knowledge Base article 14093.
You can upgrade several NGFW Engines of the same type in the same operation. However, we recommend that you upgrade clusters one node at a time and wait until an upgraded node is back online before you upgrade the other nodes. Clusters operate normally throughout the upgrade when the upgrade is done in stages. However, it is recommended to upgrade all nodes in the cluster to the same version as soon as possible. Prolonged use with mismatched versions is not supported. It is not possible to have 32-bit and 64-bit NGFW Engines online in the cluster at the same time.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Home.
- Browse to Engines, then expand the nodes of the NGFW Engine that you want to upgrade.
- Right-click the node that you want to upgrade, then select .
- (Optional) Enter an Audit Comment to be shown in the audit log entry that is generated when you send the command to the NGFW Engine.
- When prompted to confirm that you want to set the node offline, click Yes.
  The node goes offline shortly.
- When the node is offline, right-click the node, then select Upgrade Software or depending on your selection.
  Note: You cannot upgrade Virtual NGFW Engines directly. To upgrade Virtual NGFW Engines, you must upgrade the Master NGFW Engine that hosts the Virtual NGFW Engines.
- From the Operation drop-down list, select the type of operation that you want to perform:
  - Select Remote Upgrade (transfer + activate) to install the new software and reboot the node with the new version of the software.
  - Select Remote Upgrade (transfer) to install the new software on the node without an immediate reboot and activation. The node continues to operate with the currently installed version until you choose to activate the new version.
  - Select Remote Upgrade (activate) to reboot the node and activate the new version of the software that was installed earlier.
  CAUTION: To avoid an outage, do not activate the new configuration simultaneously on all nodes of a cluster. Activate the new configuration one node at a time, and proceed to the next node only after the previous node is back online.
- If necessary, add or remove NGFW Engines in the Target list.
  All NGFW Engines in the same Upgrade Task must be of the same type.
- Click Select next to the Engine Upgrade field, select the upgrade file, then click OK.
  If you choose to activate the new configuration, you are prompted to acknowledge a warning that the node will be rebooted. A new tab opens showing the progress of the upgrade. The time the upgrade takes varies depending on the performance of your system and the network environment. The NGFW Engine is automatically rebooted and brought back online.
The upgrade overwrites the inactive partition and then changes the active partition. To undo the upgrade, use the sg-toggle-active command or the NGFW Engine’s boot menu to change back to the previous software version on the other partition. This change can also happen automatically at the next reboot if the NGFW Engine is not able to successfully return to operation when it boots up after the upgrade.
Note: The Management Server verifies the digital signature of the upgrade package before installing it. The signature must be valid for the upgrade to succeed. If the verification fails, an error message is shown. Verification failure can result from an out-of-date SMC version or an invalid or missing signature.