Installation guide
Chapter 12 Upgrading
Getting Started With Upgrading
How Engine Upgrades Work
The primary way to upgrade engines is a remote upgrade through the Management Server. The
upgrade package is imported on the Management Server manually or automatically. You can
then apply it to selected engines through the Management Client. Alternatively, the upgrade can
be done on the command line when it is more convenient (for example, for spare appliances in
storage).
The engines have two alternative partitions for the engine software. When you install a new
software version, the new version is installed on the inactive partition and the current version is
preserved to allow rollback if the upgrade is unsuccessful. If the engine is not able to return to
operation, the engine automatically rolls back to the previous software version at the next
reboot. You can also use the sg-toggle-active command to roll back to the previous engine
version. See Command Line Tools (page 127) for more information.
You can upload and activate the new software separately. For example, you can upload the
upgrade during office hours and activate it later during a service window.
The currently installed working configuration (routing, policies, etc.) is stored separately and is
not changed in an upgrade or a rollback. Although parts of the configuration may be
version-specific (for example, if system communication ports are changed), the new version can
use the existing configuration. Any potential version-specific adjustments are made when you
refresh the policy after the upgrade.
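The two-partition scheme described above, modelled as a small POSIX shell script. This is an added example and not Stonesoft or McAfee code; it does not run sg-toggle-active or touch a real engine. All state lives in a scratch directory (AB_DIR), the function names (ab_init, ab_upload, ab_activate, ab_boot, ab_toggle), the health_ok check and the version strings are constructed for the illustration. It shows the three properties the text relies on: upload writes only to the inactive partition, a version that fails to come up is rolled back at the next boot, and the working configuration is stored outside both partitions and is untouched by either an upgrade or a rollback.

```shell
#!/bin/sh
# Added example (not Stonesoft/McAfee code): a model of the engine's two
# software partitions with automatic rollback. State is kept under AB_DIR so
# the script runs offline; nothing here talks to a real engine.
set -u

AB_DIR="${AB_DIR:-$(mktemp -d)}"

# ab_init <current-version>: partition 1 holds the running version, partition 2
# is empty, and the working configuration is stored outside both partitions.
ab_init() {
    mkdir -p "$AB_DIR/p1" "$AB_DIR/p2"
    printf '%s\n' "$1" > "$AB_DIR/p1/version"
    : > "$AB_DIR/p2/version"
    printf 'active=1\npending=0\n' > "$AB_DIR/state"
    printf 'routing=default\npolicy=base\n' > "$AB_DIR/config"   # constructed sample config
}

ab_active()   { sed -n 's/^active=//p' "$AB_DIR/state"; }
ab_inactive() { [ "$(ab_active)" = 1 ] && echo 2 || echo 1; }
ab_version()  { cat "$AB_DIR/p$1/version"; }

# ab_upload <new-version>: write the new software to the inactive partition
# only. The active partition and the configuration are untouched, which is
# why the upload can happen during office hours.
ab_upload() {
    printf '%s\n' "$1" > "$AB_DIR/p$(ab_inactive)/version"
}

# ab_activate: select the inactive partition for the next boot and flag it
# "pending" so that a failed first boot can be recognised.
ab_activate() {
    printf 'active=%s\npending=1\n' "$(ab_inactive)" > "$AB_DIR/state"
}

# ab_boot <healthcheck-cmd>: simulate a reboot. The health check is run with
# the version on the active partition; if a pending version fails it, the
# other partition becomes active again (the engine's automatic rollback).
ab_boot() {
    cur=$(ab_active)
    pending=$(sed -n 's/^pending=//p' "$AB_DIR/state")
    if "$1" "$(ab_version "$cur")"; then
        printf 'active=%s\npending=0\n' "$cur" > "$AB_DIR/state"
        echo "booted $(ab_version "$cur") from partition $cur"
        return 0
    fi
    if [ "$pending" = 1 ]; then
        prev=$(ab_inactive)
        printf 'active=%s\npending=0\n' "$prev" > "$AB_DIR/state"
        echo "rollback: booted $(ab_version "$prev") from partition $prev"
        return 0
    fi
    echo "boot failed and no rollback candidate" >&2
    return 1
}

# ab_toggle: manual switch to the other partition, a stand-in for what
# sg-toggle-active does on a real engine. Refuses to select an empty partition.
ab_toggle() {
    other=$(ab_inactive)
    [ -s "$AB_DIR/p$other/version" ] || { echo "partition $other is empty" >&2; return 1; }
    printf 'active=%s\npending=0\n' "$other" > "$AB_DIR/state"
}

# Constructed health check for the demo: a version "comes up" unless its
# string ends in -bad.
health_ok() { case "$1" in *-bad) return 1 ;; *) return 0 ;; esac; }

demo() {
    ab_init 5.3.1
    ab_upload 5.4.2 && ab_activate && ab_boot health_ok   # good upgrade
    ab_upload 5.5.0-bad && ab_activate && ab_boot health_ok   # rolled back
    echo "running: $(ab_version "$(ab_active)") (config unchanged: $(tr '\n' ' ' < "$AB_DIR/config"))"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ab_upgrade.sh demo`: the first upgrade boots 5.4.2 from partition 2; the second writes 5.5.0-bad to partition 1, fails its boot, and the script falls back to 5.4.2 while the configuration file is byte-for-byte what ab_init wrote.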
Limitations
It is not possible to upgrade between 32-bit and 64-bit versions of the software. If you are
running the software on a compatible standard server, you can reinstall the software using the
other version. In clusters, 32-bit and 64-bit nodes cannot be online simultaneously. McAfee
NGFW appliances support only the software architecture version that they are pre-installed with.
Changing the architecture for third-party hardware using software licenses requires a full
reinstallation using a DVD.
Due to changes in the IPS components, additional steps are required for upgrading legacy
Sensors, Sensor Clusters, and combined Sensor-Analyzers to version 5.4 or higher. See
Upgrading Legacy IPS Engines (page 120).
You cannot upgrade Virtual Security Engines directly. To upgrade Virtual Security Engines, you
must upgrade the Master Engine that hosts the Virtual Security Engines.
What Do I Need to Know Before I Begin
The Security Management Center must be up to date before you upgrade the engines. An old
SMC version may not be able to recognize the new engine versions or generate a valid
configuration for them. A newer SMC version is compatible with several older engine versions.
See the Release Notes available at http://www.stonesoft.com/en/customer_care/kb/ for
version-specific compatibility information.
During a cluster upgrade, it is possible to have the upgraded nodes online and operational side
by side with the older version nodes. This way, you can upgrade the nodes one by one while the
other nodes handle the traffic. However, you must upgrade all the nodes to the same version as
soon as possible, as prolonged use with mismatched versions is not supported.