The Management Server can remotely upgrade Engine components that it manages.
Before you begin
Read the Release
Notes for the new version, especially the required Secure SD-WAN Manager version and any other
version-specific upgrade issues that might be listed. To access the release notes, select Configuration, then browse to . Select the type of Engine you are upgrading. A link to the release notes is included in the upgrade file’s
information. If the Management Server has no Internet connectivity, you can find the release notes at https://support.forcepoint.com/Documentation.
CAUTION:
If
McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the Engine when you upgrade to version 6.3 or later, the Engine node is
returned to the initial configuration state and stops processing traffic. You must remove the
McAfee Endpoint Intelligence Agent (McAfee EIA) configuration and refresh the policy
before you upgrade to version 6.3 or later. For more information, see
Knowledge Base article 14093.
You can upgrade several Engines of the same type in the same operation. However, we recommend
that you upgrade clusters one node at a time and wait until an upgraded node is back online before you upgrade the other nodes. Clusters operate normally throughout the upgrade when
the upgrade is done in stages. However, it is recommended to upgrade all nodes in the cluster to the same version as soon as possible. Prolonged use with mismatched versions is not
supported. It is not possible to have 32-bit and 64-bit Engines online in the cluster at the same time.
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
Select Home.
-
Browse to Engines, then expand the nodes of the Engine that you want to upgrade.
-
Right-click the node that you want to upgrade, then select .
-
(Optional) Enter an Audit Comment to be shown in the audit log entry that is generated when you send the command to the Engine.
-
When prompted to confirm that you want to set the node offline, click Yes.
The node goes offline shortly.
-
When the node is offline, right-click the node, then select Upgrade Software or depending on your selection.
Note: You cannot upgrade Virtual Engines directly. To upgrade Virtual Engines,
you must upgrade the Master Engine that hosts the Virtual Engines.
-
From the Operation drop-down list, select the type of operation that you want to perform:
- Select Remote Upgrade (transfer + activate) to install the new software and reboot the node with the new version of the software.
- Select Remote Upgrade (transfer) to install the new software on the node without an immediate reboot and activation. The node continues to operate
with the currently installed version until you choose to activate the new version.
- Select Remote Upgrade (activate) to reboot the node and activate the new version of the software that was installed earlier.
CAUTION:
To avoid an outage, do not activate the new configuration simultaneously on all nodes of a cluster. Activate the new configuration one node at a time, and
proceed to the next node only after the previous node is back online.
-
If necessary, add or remove Engines in the Target list.
All Engines in the same Upgrade Task must be of the same type.
-
Click Select next to the Engine Upgrade field, select the upgrade file, then click
OK.
If you choose to activate the new configuration, you are prompted to acknowledge a warning that the node will be rebooted. A new tab opens showing the progress of
the upgrade. The time the upgrade takes varies depending on the performance of your system and the network environment. The Engine is automatically rebooted and brought back
online.
The upgrade overwrites the inactive partition and then changes the active partition. To undo the upgrade, use the
sg-toggle-active command or the Engine’s boot menu to change back to the previous software version
on the other partition. This change can also happen automatically at the next reboot if the Engine is not able to
successfully return to operation when it boots up after the upgrade.
Note: The Management Server verifies the digital signature of the upgrade package before installing it. The signature must be valid for the upgrade to succeed. If the verification
fails, an error message is shown. Verification failure can result from an out-of-date Secure SD-WAN Manager version or an invalid or missing
signature.