Upgrading Forcepoint NGFW Engines

You can remotely upgrade Forcepoint NGFW Engines deployed in the AWS cloud using the Management Client component of the SMC.

For information about supported Forcepoint NGFW versions, see Knowledge Base article 10156.

The upgrade package is imported to the Management Server manually or automatically. Upgrade package digests are calculated using an SHA-512 hash and signed with an ECDSA key.

Before the import, the Management Server verifies the digital signature of the upgrade package using a valid Trusted Update Certificate. The signature must be valid for the import to succeed. Verification might fail for the following reasons:
  • The SMC version is out of date. Upgrade the SMC before upgrading the engines.
  • A signature is invalid or missing in the upgrade files. Obtain an official upgrade package.
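
The verify-before-import behavior described above, sketched with OpenSSL as an added example (not Forcepoint's code or package format). The file names, the P-256 curve, and the raw public key standing in for a Trusted Update Certificate are all assumptions; the package and keys are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added illustration only: generic ECDSA-over-SHA-512 verification with OpenSSL.
# File names, the P-256 curve and the raw public key (standing in for a
# Trusted Update Certificate) are assumptions, not the SMC's package format.

# Create a constructed signing key, public key, package and signature in $1.
make_demo_package() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
    printf 'constructed upgrade payload\n' > "$1/pkg.bin"
    openssl dgst -sha512 -sign "$1/key.pem" -out "$1/pkg.sig" "$1/pkg.bin"
}

# import_package <pubkey> <package> <signature>
# Returns 0 if the signature verifies, 1 if it is invalid, 2 if it is missing.
import_package() {
    if [ ! -s "$3" ]; then
        echo "rejected: signature missing" >&2
        return 2
    fi
    # SHA-512 digest of the package is checked against the ECDSA signature.
    if ! openssl dgst -sha512 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo "rejected: signature invalid" >&2
        return 1
    fi
    echo "signature valid: package accepted for import"
}

# Demo: the untouched package is accepted, a modified one is refused.
demo_dir=$(mktemp -d)
make_demo_package "$demo_dir"
import_package "$demo_dir/pub.pem" "$demo_dir/pkg.bin" "$demo_dir/pkg.sig"
printf 'tampered' >> "$demo_dir/pkg.bin"
import_package "$demo_dir/pub.pem" "$demo_dir/pkg.bin" "$demo_dir/pkg.sig" || echo "exit code $?"
rm -rf "$demo_dir"
```
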

After the upgrade package has been imported, you can apply it to selected engines through the Management Client. Before the upgrade is installed on the engines, the Management Server again verifies the digital signature of the upgrade package. The engines also verify the digital signature of the upgrade package before the upgrade is installed.

The engines have two alternative partitions for the software. When you install a new software version, it is installed on the inactive partition and the current version is preserved. This configuration allows rollback to the previous version in case there are problems with the upgrade. If the engine is not able to return to operation after the upgrade, it automatically changes back to the previous software version at the next restart. You can also change the active partition manually.