Related Topics
Upgrade Fireware OS for a FireCluster
You can upgrade Fireware OS for a FireCluster from Policy Manager or Fireware Web UI. To upgrade a FireCluster that runs Fireware v11.10.x or lower, we recommend that you use Policy Manager.
When you upgrade a FireCluster, each cluster member reboots and then rejoins the FireCluster. Because load balancing is not available while a cluster member reboot is in progress, we recommend that you upgrade an active/active cluster when the network traffic is lightest.
For some Fireware OS upgrades, the cluster is unavailable and does not pass traffic until the upgrade is complete and the Fireboxes in the cluster reboot. If an OS upgrade will cause a service interruption, a warning appears, and you must confirm that you want to continue with the upgrade.
Use Policy Manager to Upgrade a FireCluster
For upgrades from Fireware v11.11 or higher, Policy Manager supports two upgrade methods. The available method depends on the IP address you connect to when you upgrade the FireCluster.
Interface IP address
If you connect to an interface IP address for the upgrade, Policy Manager uploads the OS upgrade file to the cluster master. The cluster master sends the OS upgrade file to the backup master and automatically coordinates the upgrade of both cluster members.
- For Fireware v11.12.1 and higher — You can only select to upgrade both FireCluster members. To avoid a service interruption, Policy Manager coordinates the upgrade of both cluster members, one at a time. Both members must run the same Fireware OS version.
- For Fireware v11.12 and lower — You can select to upgrade one member or both members.
Management IP address
If you connect to a cluster member Management IP address for the upgrade, Policy Manager connects to the management IP address of each cluster member to upload the OS upgrade file separately to each member. You can select to upgrade one member or both members. We recommend that you do not select to upgrade only one member, because of the risk for cluster failure, unless directed to do so by WatchGuard Technical Support.
For upgrades from Fireware v11.10.x or lower, Policy Manager supports only one upgrade method. Policy Manager always connects to the management IP address of each cluster member to upload the OS upgrade file separately.
To avoid issues (for example, different OS versions on cluster members or cluster failure), we recommend that you select to upgrade both members. If you select to upgrade only one member, for the cluster to function, you must immediately upgrade the other member.
Remote FireCluster Upgrade
If you have enabled management of your FireCluster from an external interface, you can remotely upgrade your Firebox. Because Fireware v11.11 does not require Policy Manager to connect to the management IP address to complete an upgrade, the requirements for remote upgrade of a FireCluster are different, and depend on the version you upgrade from.
Remote upgrade from Fireware v11.11 or higher
To upgrade a FireCluster that runs Fireware v11.11 or higher from a remote location, connect to the FireCluster with he external interface IP address. You do not have to configure the interface for management IP address on the external interface.
Remote upgrade from Fireware v11.10.x or lower
To upgrade a FireCluster that runs Fireware v11.10.x or lower from a remote location, the interface for management IP address must be configured on the external interface, and the IP address must be public, not private.
For more information, see About FireCluster Management IP Addresses.
Upgrade a FireCluster from Policy Manager
To upgrade from Fireware v11.11 or higher, the upgrade method you use depends on the IP address you connect to, as described in the previous section.
To upgrade Fireware OS for the members in a cluster, from Policy Manager:
- Select File > Upgrade.
The Upgrade dialog box appears.
- In the IP Address or Name text box, type an interface IP address for the cluster or the management IP address of a cluster member.
The upgrade process depends on the IP address you specify, as described in the previous section. - In the Administrator User Name text box, type the user name of a user account with Device Administrator credentials.
- In the Administrator Passphrase text box, type the passphrase for the Device Administrator user account.
- Click OK.
The Upgrade dialog box appears. - Type or select the location of the upgrade file.
A confirmation message appears. - Select the check box for each cluster member to upgrade.
- Click Yes.
The upgrade begins. The upgrade status appears below the member list.
When the upgrade is complete, a confirmation message appears.
- Click OK to dismiss the final status message.
For the FireCluster to operate correctly, both members must run the same Fireware OS version after the upgrade.
To verify that both cluster members run the same OS version:
- Open Firebox System Manager.
- Select the Front Panel tab.
- Expand the Warnings section.
If the version of Fireware OS on the cluster members is not the same, a warning appears. TipYou can also expand the Cluster section and compare the reported version for each member.
For more information, see Monitor and Control FireCluster Members.
Use Fireware Web UI to Upgrade a FireCluster
The steps to upgrade Fireware OS for a FireCluster from the Web UI depend on the Fireware OS version installed on the FireCluster.
- In Fireware v11.11 or higher, the Web UI coordinates the upgrade of both cluster members, one at a time
- In Fireware v11.10.x or lower, you must connect to and upgrade each cluster member separately
To upgrade a FireCluster from Fireware v11.10.x or lower, we recommend you use Policy Manager, because Policy Manager can coordinate the upgrade of both members.
To use the Web UI to upgrade a FireCluster that runs Fireware v11.11 or higher, you must connect to an interface IP address or to the Management IP address of the cluster master. When you upgrade a FireCluster from the Web UI, both cluster members are upgraded automatically.
To start the upgrade process:
- Select System > Upgrade OS.
The Upgrade OS page appears. - Select an upgrade method:
- Download and install an upgrade directly from watchguard.com and select an available upgrade.
- Use an upgrade file and browse to a local sysa-dl file.
- Click Upgrade.
The cluster master gets the selected OS upgrade file and sends it to the backup master.
Upgrade of the backup master starts and progress appears on the Upgrade OS page. The upgrade can take several minutes. After the upgrade of the backup master is complete, upgrade of the other member starts automatically. The backup master then becomes the new cluster master. At this step of the upgrade process, you are automatically logged out of the Web UI.
- To monitor and confirm the upgrade of the second member, log in to the Web UI again. You can use an interface IP address or the management IP address of the new cluster master.
- Select System > Upgrade OS.
The Upgrade OS page appears, with the upgrade status for each cluster member.
When the upgrade of both members is complete, a status message appears at the top of the Upgrade OS page.
To use Fireware Web UI to upgrade a FireCluster that runs Fireware v11.10.x or lower, you must connect to each cluster member and upgrade the OS for each Firebox separately.
- Upgrade the OS on the backup master first.
- Make sure that you upgrade both cluster members to the same Fireware OS version.
The procedure to upgrade each cluster member from Fireware v11.10.x or lower is the same as the process to upgrade Fireware OS for a Firebox that is not a member of a FireCluster. For more information, see Upgrade Fireware OS or WatchGuard System Manager.