How engine upgrades work

You can remotely upgrade engines using the Management Client or locally on the engine command line.

The upgrade package is imported to the Management Server manually or automatically. Upgrade package digests are calculated using an SHA-512 hash and signed with an ECDSA key.

Before the import, the Management Server verifies the digital signature of the upgrade package using a valid Trusted Update Certificate. The signature must be valid for the import to succeed. Verification might fail for the following reasons:
  • The SMC version is out of date. Upgrade the SMC before upgrading the engines.
  • A signature is invalid or missing in the upgrade files. Obtain an official upgrade package.

After the upgrade package has been imported, you can apply it to selected engines through the Management Client. Before the upgrade is installed on the engines, the Management Server again verifies the digital signature of the upgrade package. The engines also verify the digital signature of the upgrade package before the upgrade is installed.
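The signature check described above, as an added Go example that is not Forcepoint's code: the SHA-512 digest of a package is signed with an ECDSA key, and the verifier recomputes the digest and checks the signature against the trusted update key, rejecting a package whose signature is missing or does not verify. It assumes the Trusted Update Certificate is reduced to its public key, and the vendor key and image bytes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// UpgradePackage is a constructed stand-in for an engine upgrade package:
// the image bytes plus a detached ECDSA signature over their SHA-512 digest.
type UpgradePackage struct {
	Payload   []byte
	Signature []byte // ASN.1 DER encoded; empty means the signature is missing
}
var ErrMissingSignature = errors.New("signature missing from upgrade package")
var ErrInvalidSignature = errors.New("signature does not verify with the trusted update key")

// SignPackage plays the vendor: hash the image with SHA-512 and sign the digest.
func SignPackage(vendor *ecdsa.PrivateKey, payload []byte) (UpgradePackage, error) {
	digest := sha512.Sum512(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, digest[:])
	if err != nil {
		return UpgradePackage{}, err
	}
	return UpgradePackage{Payload: payload, Signature: sig}, nil
}

// VerifyPackage is the check made before import and again before installation:
// recompute the digest and verify it with the trusted update key; fail closed.
func VerifyPackage(trusted *ecdsa.PublicKey, pkg UpgradePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrMissingSignature
	}
	digest := sha512.Sum512(pkg.Payload)
	if !ecdsa.VerifyASN1(trusted, digest[:], pkg.Signature) {
		return ErrInvalidSignature
	}
	return nil
}

func main() {
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pkg, _ := SignPackage(vendor, []byte("constructed engine image bytes"))
	fmt.Println("genuine:", VerifyPackage(&vendor.PublicKey, pkg))
	tampered := UpgradePackage{Payload: append([]byte("x"), pkg.Payload...), Signature: pkg.Signature}
	fmt.Println("tampered:", VerifyPackage(&vendor.PublicKey, tampered))
}
```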

The engines have two alternative partitions for the software. When you install a new software version, it is installed on the inactive partition and the current version is preserved. This configuration allows rollback to the previous version in case there are problems with the upgrade. If the engine is not able to return to operation after the upgrade, it automatically changes back to the previous software version at the next restart. You can also change the active partition manually.

You can upload and activate the new software separately. For example, you can upload the upgrade during office hours but activate it during a service window.

The currently installed working configuration (routing, policies) is stored separately and is not changed in an upgrade or a rollback. Although parts of the configuration can be version-specific (for example, if system communications ports are changed), the new software version can use the existing configuration. Possible version-specific adjustments are made when you refresh the policy after the upgrade.

Lifecycle models

There are two types of Forcepoint Next Generation Firewall releases:
  • Long-Term Support (LTS) — Long-Term Support versions are major versions of Forcepoint Next Generation Firewall that are maintained for at least two years from the release date.
  • Feature Stream (FS) — Feature Stream versions are major versions of Forcepoint Next Generation Firewall that introduce new features and enhancements. Support for Feature Stream versions is discontinued when a new major version of Forcepoint Next Generation Firewall is available.

We recommend using the most recent Long-Term Support version of Forcepoint Next Generation Firewall if you do not need any features from a later Feature Stream version.

For more information about the Forcepoint Next Generation Firewall lifecycle policy, see Knowledge Base article 10192.

Limitations

It is not possible to upgrade between a 32-bit version and a 64-bit version of the software. If you are running the software on third-party hardware, you can reinstall the software using the other version. In clusters, 32-bit and 64-bit nodes cannot be online simultaneously. Appliances support only the software architecture version that they are preinstalled with.

You cannot upgrade Virtual NGFW Engines directly. To upgrade Virtual NGFW Engines, you must upgrade the Master NGFW Engine that hosts the Virtual NGFW Engines.

What do I need to know before I begin?

The SMC must be up to date before you upgrade the engines. An old SMC version might not be able to recognize engines running the new version and can generate an invalid configuration for them. The Management Server can control several older versions of engines. See the Release Notes for version-specific compatibility information.

During a cluster upgrade, it is possible to have the upgraded nodes online and operational side by side with the older version nodes. This way, you can upgrade the nodes one by one while the other nodes handle the traffic. However, you must upgrade all nodes to the same version as soon as possible, as prolonged use with mismatched versions is not supported.

The current engine version is displayed on the General tab in the Info pane when you select the engine. If the Info pane is not shown, select Menu > View > Panels > Info.

Beginning from version 5.9, all Forcepoint Next Generation Firewall licenses include the anti-malware feature by default.

Configuration overview

Follow these general steps to upgrade engines:
  1. (Manual download of engine upgrade files) Prepare the installation files.
  2. (Manual license updates) Update the licenses.
  3. Upgrade the engines.