We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

Attention

Barracuda CloudGen Firewall version 8.0 is a cloud-only version. It is currently not available for on-premises deployments and can only be deployed in Microsoft Azure, Amazon Web Services, or Google Cloud Platform public clouds.

How to Update Managed High Availability Clusters with Automatic Failover

  • Last updated on

To update the high availability cluster using automatic failover, both firewalls must be enabled. The passive firewall must be updated first while the active firewall keeps operating. After the passive firewall update is complete, the active firewall will automatically transfer control to the passive firewall and make it the active one. After the update of the primary firewall is complete, control will be transferred from the active secondary firewall back to the primary firewall. The secondary firewall will fall back to stay in passive mode.

If required, update your Control Center before updating your managed firewalls to a newer firmware version. After major version updates, the cluster version on the Control Center must be migrated to match the new firmware version.

The Control Center checks every hour for updates relevant to the configured cluster versions. It can take up to one hour for the updates, hotfixes, and patches to be displayed when a new cluster with a previously unused cluster version is created.

Before You Begin

If you are using SSL Inspection on your border firewall, you must add dlportal.barracudanetworks.com and d.barracudanetworks.com to the SSL Inspection Domain Exceptions on the your CloudGen Firewall > Virtual Servers > Assigned Services > Firewall > Security Policy page. For more information, see SSL Inspection in the Firewall.

fw_update00.png

Step 1: Verify the Compatibility of the Control Center Firmware with the Managed Firewalls

Before updating a managed firewall to a higher firmware version, verify that the Control Center is running a firmware version that is equal to or higher than the highest firmware version used by a managed firewall after the update.

For more information, see Updating CloudGen Firewalls and Control Centers.

Step 2. Enable Automatic Failover

  1. Go to CONFIGURATION > Configuration Tree > Box > Box Properties.
  2. In the left menu, click Operational.

  3. Expand the Configuration Mode menu and select Switch to  Advanced View.
  4. Click Lock.
  5. From HA Firmware Update, select Automatic Failover.
    activate_ha_automatic_failover_00.png
  6. Click Send Changes and Activate.

Step 3. Download the Update Package to the Control Center

Download the update package to the Control Center.

  1. Log into the Control Center.
  2. Go to CONTROL > Firmware Update.
  3. In the lower half of the screen, click the Download Portal tab.
  4. Hover the mouse over the desired update package to display the download icon.
    cc_update_element_01.png
  5. Click the download icon, and select Download.
    cc_update_element_02.png

After the download finishes, the update package is available in the Files on Control Center tab.

cc_update_element_03.png

Step 4. (optional) Create Update Groups

  1. Go to CONTROL > Firmware Update.
  2. In the ribbon bar, click Edit Groups.
    fwupdate_groups_01.png
  3. Click New Group. A new update group is created in the list.
  4. Hover the mouse over the new group and click the edit icon.
    fwupdate_groups_02.png
  5. Enter a name for the update group.
  6. (optional) Use the Filter options to display the firewalls you want to add to this group.
    fwupdate_groups_03.png
  7. Select, then drag and drop firewalls to the new user group.
  8. Click Save Changes.
    fwupdate_groups_04.png

Step 5. Select Firewalls and Schedule File Transfer

  1. Go to CONTROL > Firmware Update.
  2. Double-click on both firewalls on the HA cluster to add them to the Selected Firewall Update List. 
    HA_firewalls_selected_for_update.png
  3. In the Files on Control Center tab, select the update package.
  4. Click Schedule File Transfer. The New Update Task window opens.
    managed_updates_02.png
  5. (optional) Select the Scheduling Mode and Schedule Time to schedule a time for the file transfer.
    managed_updates_03.png
  6. Click OK.

Step 6. Schedule Update for the Secondary Firewall

  1. Go to CONTROL > Firmware Update.
  2. In the File Transfer Status column, filter for Completed Transfer. The list of completed transfers for the secondary firewall is displayed.
    managed_updates_04.png
  3. Select the secondary firewall to perform the update.
  4. Right-click the secondary firewall and click Perform Update. The Schedule Task window opens.
    managed_updates_05.png
  5. (optional) Configure the time and authentication settings for the update:
    • Box Authentication – Select Trusted (Validate Key)
    • Scheduling Mode – Select Immediate Execution to update immediately, or Delayed Execution to set the time the update is triggered.
    • Priority – When multiple tasks are configured for execution, the priority setting determines the execution order.
    managed_updates_06.png
  6. Click OK.

Wait for the update to finish. Depending on the system hardware, the process can last anywhere from 15 minutes (for a fast system) to 60 minutes (for flash appliances).

Unless otherwise noted, the firewall will reboot after the update.

Step 7. Schedule Update for the Primary Firewall

  1. Go to CONTROL > Firmware Update.
  2. In the File Transfer Status column, filter for Completed Transfer. The list of completed transfers for the secondary firewall is displayed.
    managed_updates_04.png
  3. Select the primary firewall to perform the update.
  4. Right-click the primary firewall and click Perform Update. The Schedule Task window opens.
    managed_updates_05.png
  5. (optional) Configure the time and authentication settings for the update:
    • Box Authentication – Select Trusted (Validate Key)
    • Scheduling Mode – Select Immediate Execution to update immediately, or Delayed Execution to set the time the update is triggered 
    • Priority – When multiple tasks are configured for execution, the priority setting determines the execution order.
      managed_updates_06.png
  6. Click OK.

When the firmware update starts at the scheduled time, the primary firewall will automatically transfer control over to the secondary firewall. The update packages will be copied to the primary firewall. After the update, server control will be completely transferred back from the secondary firewall to the primary firewall.

Wait for the update to finish. Depending on the system hardware, the process can last anywhere from 15 minutes (for a fast system) to 60 minutes (for flash appliances).

Unless otherwise noted, the firewall will reboot after the update.

Step 8. Migrate the Configuration Version of the Cluster

If you are updating to a new major version (e.g., 6.0 to 6.2, or 6.2 to 7.1), migrate the cluster version to the new major version after the update has completed. Multiple migrations may be required to reach the cluster version matching the firmware version.

Update the Clusters Individually
  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster .
  2. Right-click the cluster and select Lock.
  3. Right-click the cluster and select Migrate Cluster.
    managed_updates_07.png
  4. Select the new Release version.
  5. Click OK.
  6. Click Activate
Update All Clusters in a Range

If all clusters in the range are on the same firmware version, you can migrate all clusters simultaneously. 

  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range .
  2. Right-click the range and select Lock.
  3. Right-click the range and select Migrate Range.
  4. Select the new Release version.
  5. Click OK.
    managed_updates_08.png
  6. Click Activate.

Migrating the cluster version may have to be done multiple times if the firmware update skipped major firmware versions. E.g., when updating from 6.0 to 7.0.

Troubleshooting / Logs

After the update process, review the Box\Release\update or Box\Release\update_hotfix log for each system to verify that it was successfully updated. To view a system log, you must connect directly to the firewall and go to the Logs tab.

Last updated on