To prevent downtime when updating your high availability cluster, block the virtual server on the secondary firewall. Then update the firmware on the secondary firewall. After the update, transfer the virtual server to the updated firewall and repeat the process with the primary firewall. Each firewall can only be updated to the next firmware version according to the migration path. If two updates are required, repeat the process below for each update package.
Step 1: Block the Server on the Secondary Firewall
When you block the server, the control service shuts it down and sends a signal that starts the server on the HA partner unit. Keep in mind that when you block a server, the control service cannot perform automatic failovers.
- Log into the secondary firewall.
- Go to CONTROL > Server.
Click Block Server.
Step 2: Update the Secondary Firewall
Update the firmware on the secondary firewall. For more information, see How to Install Updates via NextGen Admin or How to Update Managed High Availability Clusters with Automatic Failover.
Step 3: Switch Virtual Servers to the Secondary Firewall
When you stop a server after it has been blocked, you are re-enabling the control service to perform automatic fail overs. When the server on an HA unit goes down or is blocked, the control service automatically starts the server on its HA partner.
- Log into the secondary firewall.
Go to CONTROL > Server and click Stop Server.
Log into the primary firewall.
Go to CONTROL > Server page, and click Block Server.
All the servers are taken over by the secondary firewall.
Leave the primary unit in standby mode until you have verified that the secondary firewall is operating correctly. You can verify this by stopping the primary unit servers.
Step 4: Update the Primary Firewall
Update the firmware on the primary firewall. For more information, see How to Install Updates via NextGen Admin or How to Update Managed High Availability Clusters with Automatic Failover.
Step 5: Transfer the Virtual Server Back to the Primary Firewall
Manually trigger a failover to transfer the virtual server from the secondary to the primary firewall.
- Log into the primary firewall.
- Go to CONTROL > Server.
- Click Stop Server.
- Log into the secondary firewall.
- Go to CONTROL > Server.
- Click Block Server.
- Wait for the primary firewall to bring up the virtual server and then click Stop Server to place the secondary firewall in standby.