Getting started with upgrading Engines
You can upgrade engines remotely using the Management Client or locally on the engine command line.
Remote upgrade is recommended in most cases. See the Forcepoint FlexEdge Secure SD-WAN Installation Guide for detailed instructions if you want to upgrade engines locally.
How engine upgrades work
The upgrade package is imported to the Management Server manually or automatically. Before the import, the Management Server verifies the digital signature of the upgrade package using a valid Trusted Update Certificate. The signature must be valid for the import to succeed. Verification failure can result from an out-of-date Secure SD-WAN Manager version, in which case the Secure SD-WAN Manager must be upgraded, or an invalid or missing signature, in which case the administrator must obtain an official upgrade package.
After the upgrade package has been imported, you can apply it to selected engines through the Management Client. Before the upgrade is installed on the engines, the Management Server verifies the digital signature of the upgrade package again. The engines also verify the digital signature of the upgrade package before the upgrade is installed. Upgrade package digests are calculated using an SHA-512 hash and signed with an ECDSA key.
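The following added example (not Forcepoint code, and not part of the original guide) uses OpenSSL to show how a detached ECDSA signature over an SHA-512 digest accepts a genuine package and rejects a modified or unsigned one. The key pair, file names, function names, and the P-384 curve are assumptions made for the demonstration; the product's Trusted Update Certificate and package format are not shown on this page.

```shell
# Added example, not vendor code: SHA-512 digest + ECDSA signature check with
# OpenSSL. The key pair, file names and curve (P-384) are constructed here.

# verify_package PUBKEY SIGFILE PACKAGE: succeeds only for a valid signature
verify_package() {
    [ -s "$2" ] || return 1   # missing or empty signature file
    openssl dgst -sha512 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# import_decision PUBKEY SIGFILE PACKAGE: prints "accepted" or "rejected"
import_decision() {
    if verify_package "$1" "$2" "$3"; then echo accepted; else echo rejected; fi
}

# demo_upgrade_check: builds a constructed signer and package, then prints
# the decision for a genuine, a tampered and an unsigned package
demo_upgrade_check() {
    d=$(mktemp -d) || return 1
    # Throwaway signing key standing in for the publisher's key (assumption)
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/signer.key" 2>/dev/null
    openssl pkey -in "$d/signer.key" -pubout -out "$d/signer.pub" 2>/dev/null
    # Constructed package and its detached signature over the SHA-512 digest
    printf 'constructed upgrade payload\n' > "$d/upgrade.pkg"
    openssl dgst -sha512 -sign "$d/signer.key" -out "$d/upgrade.sig" "$d/upgrade.pkg"
    genuine=$(import_decision "$d/signer.pub" "$d/upgrade.sig" "$d/upgrade.pkg")
    # Same signature, but the package was modified after signing
    cp "$d/upgrade.pkg" "$d/tampered.pkg"
    printf 'x' >> "$d/tampered.pkg"
    tampered=$(import_decision "$d/signer.pub" "$d/upgrade.sig" "$d/tampered.pkg")
    # No signature file at all
    unsigned=$(import_decision "$d/signer.pub" "$d/missing.sig" "$d/upgrade.pkg")
    rm -rf "$d"
    echo "genuine=$genuine tampered=$tampered unsigned=$unsigned"
}

demo_upgrade_check
```

Both rejected cases correspond to the "invalid or missing signature" condition described above, where the administrator must obtain an official upgrade package.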
The engines have two alternative partitions for the software. When you install a new software version, it is installed on the inactive partition and the current version is preserved. This allows rollback to the previous version in case the installation is interrupted or other problems arise. If the engine is not able to return to operation after the upgrade, it automatically switches back to the previous software version at the next restart. You can also switch the active partition manually.
You can upload and activate the new software separately. For example, you can upload the upgrade during office hours but activate it during a service window.
The currently installed working configuration (routing, policies) is stored separately and is not changed in an upgrade or a rollback. Although parts of the configuration can be version-specific (for example, if system communications ports are changed), the new software version can use the existing configuration. Possible version-specific adjustments are made when you refresh the policy after the upgrade.
Limitations
It is not possible to upgrade between a 32-bit version and a 64-bit version of the software. If you are running the software on third-party hardware, you can reinstall the software using the other version. In clusters, 32-bit and 64-bit nodes cannot be online simultaneously. Appliances support only the software architecture version that they are pre-installed with.
You cannot upgrade Virtual Engines directly. To upgrade Virtual Engines, you must upgrade the Master Engine that hosts the Virtual Engines.
What do I need to know before I begin?
The Secure SD-WAN Manager must be up to date before you upgrade the engines. An old Secure SD-WAN Manager version might not be able to recognize the new version engines and can generate an invalid configuration for them. The Management Server can control several older versions of engines. See the Release Notes for version-specific compatibility information.
During a cluster upgrade, it is possible to have the upgraded nodes online and operational side by side with the older version nodes. This way, you can upgrade the nodes one by one while the other nodes handle the traffic. However, you must upgrade all nodes to the same version as soon as possible, as prolonged use with mismatched versions is not supported.
The current engine version is displayed on the General tab in the Info pane when you select the engine. If the Info pane is not shown, select .