Configure automatic updates and upgrades

There are several options for handling automatic updates and engine upgrades.

Before you begin

You must have a valid maintenance or support contract.
Automatic dynamic updates and engine upgrades require the Management Server to be able to connect to https://⁠smc-pool.stonesoft.com and to one of the following services using HTTPS on port 443:
- CDN dynamic update service at https://⁠autoupdate.ngfw.forcepoint.com
- Legacy dynamic update service at https://⁠update-pool.stonesoft.com

The Management Server can periodically check for new dynamic update packages, engine upgrades, and licenses. This feature is active by default. In an environment with multiple Management Servers, automatic updates and upgrades must be enabled on the active Management Server (the Management Server that controls all Domains).

Update Service elements define sets of URLs for automatic dynamic updates and engine upgrades. You can optionally change which Update Service element is used for automatic dynamic updates and engine upgrades.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Menu > System Tools > Global System Properties.
On the Updates tab, select Allow Sending License and Installation Telemetry Data to Forcepoint Servers.
Selecting this option allows you to select settings for dynamic updates and for engine and license upgrades.
Configure the Dynamic Updates settings.

Note: Because update packages can change system elements, the policies might require editing after update activation.
Select one of the Remote Upgrades for Engines settings.
(Optional) Select Generate and Install New Licenses Automatically to automatically regenerate and install the licenses required for upgrading SMC components to a major new release.
(Optional) Select the Update Check Interval to define how often the SMC checks for new updates.
Click OK.

Global System Properties dialog box — Updates tab

Use this tab to define settings for dynamic updates, engine upgrades, and licenses.

Note: Telemetry data is collected when SMC version 6.5 or higher connects to the Forcepoint NGFW Updates and Upgrades service at https://⁠autoupdate.ngfw.forcepoint.com/dynup.rss. For more information, see Knowledge Base article 19213.

Option	Definition
Allow Sending License and Installation Telemetry Data to Forcepoint Servers	When selected, allows the Management Server to send information about the installed components and licenses to the Forcepoint NGFW Updates and Upgrades service. You must select this option to configure settings for dynamic updates, and engine and license upgrades.
View Telemetry Data	Shows the telemetry data that is collected when SMC version 6.5 or higher connects to the Forcepoint NGFW Updates and Upgrades service.
Dynamic Updates	Specifies the dynamic updates options: Do Not Check for Updates. You are not notified of new dynamic updates. Notify When Updates Become Available. You receive an alert when a new dynamic update becomes available. You must manually download and activate the update. Notify and Automatically Download Updates. You receive an alert when a new dynamic update becomes available. The SMC also automatically downloads the update. You must manually activate the update. Automatically Download and Activate Updates The SMC automatically downloads and activates the new dynamic updates.
Update Service	Specifies the update service that is used for automatic dynamic updates. Click Select to select an element. Default Dynamic Update Service — Includes both the new https://⁠autoupdate.ngfw.forcepoint.com/dynup.rss URL and the legacy https://⁠update-pool.stonesoft.com/index.rss URL. If the new service is not available, automatic dynamic updates automatically use the legacy service. By default, this Update Service element is used for automatic dynamic updates. Legacy Dynamic Update Service — Includes only the legacy https://⁠update-pool.stonesoft.com/index.rss URL. This Update Service element is intended primarily for backward compatibility. CDN Dynamic Update Service — Includes only the new https://⁠autoupdate.ngfw.forcepoint.com/dynup.rss URL. This Update Service element is intended primarily for testing connectivity to the new URL.
Notify When Updates Have Been Activated (Optional)	You receive an alert when the dynamic updates have been activated. This option becomes available when you select Automatically Download and Activate Updates. You must refresh the policies before the updates take effect. If Refresh Policies After Update Activation is selected, the policies are refreshed automatically. Otherwise, you must refresh the policies manually.
Refresh Policies After Update Activation (Optional)	The SMC automatically refreshes the policies after activating the dynamic updates. This option becomes available when you select Automatically Download and Activate Updates.
Remote Upgrades for Engines	Specifies new engine upgrade options: Do Not Check for Engine Upgrades. You are not notified of new engine upgrades. Notify When Engine Upgrades Become Available. You receive an alert when a new engine upgrade becomes available. You must manually download and install the update. Notify and Automatically Download Engine Upgrades. You receive an alert when a new engine upgrade becomes available. The SMC automatically downloads the new engine upgrade. You must manually install the update.
Upgrade Service	Specifies the upgrade service that is used for automatic engine upgrades. Click Select to select an element. Default Upgrade Service — Includes both the new https://⁠autoupdate.ngfw.forcepoint.com/ngfw.rss URL and the legacy https://⁠update-pool.stonesoft.com/index.rss URL. If the new service is not available, automatic engine upgrades automatically use the legacy service. By default, this Update Service element is used for automatic engine upgrades. Legacy Upgrade Service — Includes only the legacy https://⁠update-pool.stonesoft.com/index.rss URL. This Update Service element is intended primarily for backward compatibility. CDN Upgrade Service — Includes only the new https://⁠autoupdate.ngfw.forcepoint.com/ngfw.rss URL. This Update Service element is intended primarily for testing connectivity to the new URL.
Generate and Install New Licenses Automatically (Optional)	When selected, automatically regenerates and installs the licenses required for upgrading SMC components to a major new release.
Check for Updates	Specifies how often to check for updates.

Update Service Properties dialog box

Use this dialog box to show the properties of the default Update Service elements.

Option	Definition
Name	The name of the element.
TLS Profile	Shows the selected TLS Profile element.
TLS Server Identity	Shows the configured TLS Server identity.
Time-Out	Shows the time-out interval after which the SMC automatically tries to connect to the next URL in the list if the first URL is not available.
Retry	Shows the number of times that the SMC tries to connect to a URL before it tries to connect to the next URL in the list.
URLs	Shows the URLs of the update services. The SMC automatically tries to connect to the URLs in the order in which they are listed.
Comment (Optional)	A comment for your own reference.

Trusted Update Certificate Properties dialog box

Use this dialog box to view the details of the currently active Trusted Updates Certificate.

Option	Definition
Subject Name	The identifier of the certified entity.
Public Key Algorithm	The algorithm used for the public key.
Key Length	The length of the key in bits.
Serial Number	The sequence number of the certificate. The number is issued by the CA.
Signature Algorithm	The signature algorithm that was used to sign the certificate.
Signed By	The CA that signed the certificate.
SubjectAltName	The subject alternative name fields of the certificate.
Valid From	The start date of certificate validity.
Valid To	The end date of certificate validity.
Fingerprint (SHA-1)	The certificate fingerprint using the SHA-1 algorithm.
Fingerprint (SHA-256)	The certificate fingerprint using the SHA-256 algorithm.
Fingerprint (SHA-512)	The certificate fingerprint using the SHA-512 algorithm.
Active	The Management Server and the NGFW Engines uses this certificate to verify the digital signatures of dynamic update packages and engine upgrades.