Upgrade FlexEdge Secure SD-WAN Engines remotely

The Management Server can remotely upgrade Secure SD-WAN Engine components that it manages.

Before you begin

Read the Release Notes for the new version, especially the required SMC version and any other version-specific upgrade issues that might be listed. To access the release notes, select Configuration, then browse to Administration > Other Elements > Engine Upgrades. Select the type of Secure SD-WAN Engine you are upgrading. A link to the release notes is included in the upgrade file’s information. If the Management Server has no Internet connectivity, you can find the release notes at https://support.forcepoint.com/s/article/Documentation-Featured-Article.

CAUTION:
If McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the Engine when you upgrade to version 6.3 or later, the Engine node is returned to the initial configuration state and stops processing traffic. You must remove the McAfee Endpoint Intelligence Agent (McAfee EIA) configuration and refresh the policy before you upgrade to version 6.3 or later. For more information, see Knowledge Base article 14093.

You can upgrade several Secure SD-WAN Engines of the same type in the same operation. For clusters, however, we recommend that you upgrade one node at a time and wait until an upgraded node is back online before you upgrade the other nodes. Clusters operate normally throughout the upgrade when the upgrade is done in stages, but it is recommended to upgrade all nodes in the cluster to the same version as soon as possible. Prolonged use with mismatched versions is not supported. It is not possible to have 32-bit and 64-bit Secure SD-WAN Engines online in the cluster at the same time.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Dashboard > Engines.
  2. Expand the nodes of the Secure SD-WAN Engine that you want to upgrade.
  3. Right-click the node that you want to upgrade, then select Commands > Go Offline.
  4. (Optional) Enter an Audit Comment to be shown in the audit log entry that is generated when you send the command to the Secure SD-WAN Engine.
  5. When prompted to confirm that you want to set the node offline, click Yes.
    The node goes offline shortly.
  6. When the node is offline, right-click the node, then select Upgrade Software or Configuration > Upgrade Software depending on your selection.
    Note: You cannot upgrade Virtual Engines directly. To upgrade Virtual Engines, you must upgrade the Master Engine that hosts the Virtual Engines.
  7. From the Operation drop-down list, select the type of operation that you want to perform:
    • Select Remote Upgrade (transfer + activate) to install the new software and reboot the node with the new version of the software.
    • Select Remote Upgrade (transfer) to install the new software on the node without an immediate reboot and activation. The node continues to operate with the currently installed version until you choose to activate the new version.
    • Select Remote Upgrade (activate) to reboot the node and activate the new version of the software that was installed earlier.
    CAUTION:
    To avoid an outage, do not activate the new configuration simultaneously on all nodes of a cluster. Activate the new configuration one node at a time, and proceed to the next node only after the previous node is back online.
  8. If necessary, add or remove Secure SD-WAN Engines in the Target list.
    All Secure SD-WAN Engines in the same Upgrade Task must be of the same type.
  9. Click Select next to the Engine Upgrade field, select the upgrade file, then click OK.

    If you choose to activate the new configuration, you are prompted to acknowledge a warning that the node will be rebooted. A new tab opens showing the progress of the upgrade. The time the upgrade takes varies depending on the performance of your system and the network environment. The Secure SD-WAN Engine is automatically rebooted and brought back online.

    The upgrade overwrites the inactive partition and then changes the active partition. To undo the upgrade, use the sg-toggle-active command or the Secure SD-WAN Engine’s boot menu to change back to the previous software version on the other partition. This change can also happen automatically at the next reboot if the Secure SD-WAN Engine is not able to successfully return to operation when it boots up after the upgrade.

    Note: The Management Server verifies the digital signature of the upgrade package before installing it. The signature must be valid for the upgrade to succeed. If the verification fails, an error message is shown. Verification failure can result from an out-of-date SMC version or an invalid or missing signature.
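
The constraints above (one engine type per Upgrade Task, McAfee EIA removed before upgrading to 6.3 or later, cluster nodes upgraded one at a time) can be checked against an engine inventory before you start. The following Python is an added example, not Forcepoint code and not an SMC API; the inventory fields, engine names and type labels are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory; field names and values are assumptions,
# not an SMC export format.
SAMPLE_NODES = [
    {"name": "hq-fw node 1", "cluster": "hq-fw", "type": "firewall",
     "eia_configured": True},
    {"name": "hq-fw node 2", "cluster": "hq-fw", "type": "firewall",
     "eia_configured": False},
    {"name": "branch-fw", "cluster": None, "type": "firewall",
     "eia_configured": False},
]


def parse_version(text):
    """Turn '6.10.2' into (6, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def plan_upgrade(nodes, target_version):
    """Return (blockers, waves) for upgrading nodes to target_version."""
    blockers = []

    # All engines in the same Upgrade Task must be of the same type.
    types = sorted({n["type"] for n in nodes})
    if len(types) > 1:
        blockers.append("mixed engine types in one task: " + ", ".join(types))

    # McAfee EIA must be removed (and the policy refreshed) before 6.3+.
    if parse_version(target_version) >= (6, 3):
        for n in nodes:
            if n["eia_configured"]:
                blockers.append(n["name"] + ": remove McAfee EIA, refresh policy")

    # Stage clusters: each wave holds at most one node per cluster, so the
    # remaining nodes keep processing traffic. Single engines go in wave 1.
    by_cluster = defaultdict(list)
    for n in nodes:
        by_cluster[n["cluster"] or n["name"]].append(n["name"])
    depth = max((len(m) for m in by_cluster.values()), default=0)
    waves = [[m[i] for m in by_cluster.values() if i < len(m)]
             for i in range(depth)]
    return blockers, waves


if __name__ == "__main__":
    blockers, waves = plan_upgrade(SAMPLE_NODES, "6.3.0")
    print("blockers:", blockers)
    for number, wave in enumerate(waves, start=1):
        print("wave", number, "->", wave)
```

Start each wave only after every node from the previous wave is back online.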