Updating firewalls by using SNS CLI scripts

SNS CLI scripts can be used to update your pool of SNS firewalls.

You must first download the relevant update files in your secure MyStormshield area (.maj).

If you have standalone firewalls and high availability clusters, we recommend that you create a script for each use case (standalone firewalls, active nodes, passive nodes and both nodes at the same time).

We recommend that you back up the configuration of your firewalls before updating them.

Follow the steps below:

  1. Create the update script using the commands described in the following examples, replacing 3.7.1 with the desired version (for further information on the variable %FW_UPD_SUFFIX%, refer to the section Using variables):
    • For standalone firewalls:

      SYSTEM UPDATE UPLOAD $FROM_DATA_FILE("fwupd-3.7.1-%FW_UPD_SUFFIX%")
      SYSTEM UPDATE ACTIVATE

    •  For clusters:
      • Passive nodes:

        SYSTEM UPDATE UPLOAD fwserial=passive $FROM_DATA_FILE("fwupd-3.7.1-%FW_UPD_SUFFIX%")
        SYSTEM UPDATE ACTIVATE fwserial=passive

      • Active nodes:

        SYSTEM UPDATE UPLOAD fwserial=active $FROM_DATA_FILE("fwupd-3.7.1-%FW_UPD_SUFFIX%")
        SYSTEM UPDATE ACTIVATE fwserial=active

  2. In the web interface of the SMC server, select Deployment > SNS CLI scripts.
  3. In the Firewalls selection tab, select the script to run.
  4. In the Optional: attachments related to the script menu, select the update file(s) corresponding to the models and versions of your firewalls. For example, to update your SN510 and SN6000 firewalls to version 3.7.1, the attachments that need to be provided are fwupd-3.7.1-SNS-amd64-M.maj and fwupd-3.7.1-SNS-amd64-XL.maj.
  5. Next, follow the usual steps for running a script, as shown in the section Running the SNS CLI script from the web interface from step 4 onwards.

    NOTE
    After an update script has been run on a cluster, the SMC server's automatic synchronization of both nodes will always fail as the update would have made one of the nodes unavailable. Details of this error, which does not prevent the update from proceeding properly, are provided in the Execution tab.

  6. After a few minutes, check in the Monitoring > Firewalls panel that the version number has indeed changed in the Version column.