Upgrade Fireware OS for a FireCluster

You can upgrade Fireware OS for a FireCluster from Policy Manager, Fireware Web UI, or WatchGuard Cloud.

When you upgrade a FireCluster, the cluster members reboot one at a time and rejoin the FireCluster. One cluster member remains active while the other upgrades. Because load balancing is not available while a cluster member reboot is in progress, we recommend that you upgrade an active/active cluster when the network traffic is lightest.

You cannot use the Management Server to schedule an OS update for any managed device that is a member of a FireCluster.

For some Fireware OS upgrades, the cluster is unavailable and does not pass traffic until the upgrade is complete and the Fireboxes in the cluster reboot. If an OS upgrade will cause a service interruption, a warning appears, and you must confirm that you want to continue with the upgrade.

Upgrade Sequence

When you upgrade the FireCluster, upgrade operations happen in this sequence:

  1. The firmware file copies to the current cluster master.
  2. The current cluster master copies the firmware file to the backup master.
  3. The backup master upgrades its firmware and reboots.
  4. If the upgrade is successful, the cluster fails over.
  5. The other cluster member upgrades and reboots.

Use Policy Manager to Upgrade a FireCluster

Policy Manager supports two upgrade methods. The available method depends on the IP address you connect to when you upgrade the FireCluster.

Interface IP address

If you connect to an interface IP address for the upgrade, Policy Manager uploads the OS upgrade file to the cluster master. The cluster master sends the OS upgrade file to the backup master and automatically coordinates the upgrade of both cluster members.

You can only select to upgrade both FireCluster members. To avoid a service interruption, Policy Manager coordinates the upgrade of both cluster members, one at a time. Both members must run the same Fireware OS version.

Management IP address

If you connect to a cluster member Management IP address for the upgrade, Policy Manager connects to the management IP address of each cluster member to upload the OS upgrade file separately to each member. You can select to upgrade one member or both members. We recommend that you do not select to upgrade only one member, because of the risk for cluster failure, unless directed to do so by WatchGuard Technical Support.

Remote FireCluster Upgrade

If you have enabled management of your FireCluster from an external interface, you can remotely upgrade your Firebox.

To upgrade a FireCluster from a remote location, connect to the FireCluster with the external interface IP address. You do not have to configure the interface for management IP address on the external interface.

For more information, go to About FireCluster Management IP Addresses.

Upgrade a FireCluster from Policy Manager

To upgrade Fireware OS for the members in a cluster, from Policy Manager:

  1. Select File > Upgrade.
    The Upgrade dialog box appears.

Screen shot of the Upgrade dialog box

  1. In the IP Address or Name text box, type an interface IP address for the cluster or the management IP address of a cluster member.
    The upgrade process depends on the IP address you specify, as described in the previous section.
  2. In the Administrator User Name text box, type the user name of a user account with Device Administrator credentials.
  3. In the Administrator Passphrase text box, type the passphrase for the Device Administrator user account.
  4. Click OK.
    The Upgrade dialog box appears.

Screen shot of the Upgrade file picker dialog box

  1. Type or select the location of the upgrade file. Click OK.
    A confirmation message appears.
  2. If prompted, select the check box for each cluster member to upgrade.
  3. To continue, click Yes.
  4. The upgrade begins. The upgrade status appears after the member list.

Screen shot of the Upgrade dialog box while an upgrade is in progress

When the upgrade is complete, a confirmation message appears.

Screen shot of the cluster upgrade success dialog box

  1. Click OK to dismiss the final status message.

For the FireCluster to operate correctly, both members must run the same Fireware OS version after the upgrade.

To verify that both cluster members run the same OS version:

  1. Open Firebox System Manager.
  2. Select the Front Panel tab.
  3. Expand the Warnings section.

If the version of Fireware OS on the cluster members is not the same, a warning appears. Tip

For more information, go to Monitor and Control FireCluster Members.

Use Fireware Web UI to Upgrade a FireCluster

The Web UI coordinates the upgrade of both cluster members, one at a time.

To use the Web UI to upgrade a FireCluster, you must connect to an interface IP address or to the Management IP address of the cluster master. When you upgrade a FireCluster from the Web UI, both cluster members are upgraded automatically.

To start the upgrade process:

  1. Select System > Upgrade OS.
    The Upgrade OS page appears.
  2. Select an upgrade method:
    • Download and install an upgrade directly from watchguard.com and select an available upgrade.
    • Use an upgrade file and browse to a local sysa-dl file.
  3. Click Upgrade.
    The cluster master gets the selected OS upgrade file and sends it to the backup master.

Screen shot of the Upgrade OS page for a FireCluster

Upgrade of the backup master starts and progress appears on the Upgrade OS page. The upgrade can take several minutes. After the upgrade of the backup master is complete, upgrade of the other member starts automatically. The backup master then becomes the new cluster master. At this step of the upgrade process, you are automatically logged out of the Web UI.

  1. To monitor and confirm the upgrade of the second member, log in to the Web UI again. You can use an interface IP address or the management IP address of the new cluster master.
  2. Select System > Upgrade OS.
    The Upgrade OS page appears, with the upgrade status for each cluster member.

Screenshot of the Upgrade OS page.

When the upgrade of both members is complete, a status message appears on the Upgrade OS page.

Use WatchGuard Cloud to Upgrade a FireCluster

If you add a FireCluster to WatchGuard Cloud, you can upgrade the Fireware OS firmware for cluster members from WatchGuard Cloud. For more information, go to Upgrade a FireCluster in WatchGuard Cloud.

Related Topics

About FireCluster

FireCluster Diagnostics