Updating a cluster

The method below aims to minimize disruptions to the production environment during the software update of a firewall cluster.

Updating the passive firewall

  1. Log in to the web administration interface of the cluster.
  2. If there are changes to the configuration that have not yet been synchronized, click on the icon to start synchronizing the configuration before updating the cluster.
  3. In the Configuration > System > Maintenance > System update tab, select the update file (Select the update field).
  4. In the Select the firewall to update field, select The other firewall (remote).
  5. Click on Update firmware.
  6. Confirm the warning message Another member of the cluster will restart by clicking on OK.
  7. Wait for the remote firewall to restart.

If your firewall is equipped with a TPM (Trusted Platform Module)

During a firmware update, the values of the PCRs (Platform Configuration Registers) known to the TPM may be modified, which prevents access to the secrets stored in the TPM. The access policy must then be updated by refreshing the PCR values. For every cluster in SNS version 4.3.3 or higher, the following procedure can be applied once the passive member of the cluster has restarted after being updated:

  1. In the web administration interface of the active member of the cluster, go to System > CLI Console.
  2. Enter the command SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive and click on Run.

More information about the command SYSTEM TPM PCRSEAL.
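
The following added example (a simplified Python model, not Stormshield code and not the SNS implementation) shows why secrets become inaccessible after a firmware update and why refreshing the PCR values restores access. The class and function names, the measurements, the password and the secret are all constructed for illustration.

```python
import hashlib
import hmac

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new value = SHA-256(old value || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(components) -> bytes:
    """Replay a boot from an all-zero PCR, extending it with each component."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class ToySealedSecret:
    """Simplified model: the secret is released only if the PCR matches the policy."""
    def __init__(self, tpm_password: bytes, secret: bytes, pcr: bytes):
        self._password, self._secret, self._policy = tpm_password, secret, pcr

    def unseal(self, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(self._policy, current_pcr):
            raise PermissionError("PCR values do not match the access policy")
        return self._secret

    def pcrseal(self, tpm_password: bytes, current_pcr: bytes) -> None:
        """Refresh the policy with the current PCR value (needs the TPM password)."""
        if not hmac.compare_digest(self._password, tpm_password):
            raise PermissionError("wrong TPM password")
        self._policy = current_pcr

def run_update_scenario() -> dict:
    # Constructed measurements standing in for the boot chain before/after update.
    pcr_old = measured_boot([b"bootloader", b"firmware-old"])
    pcr_new = measured_boot([b"bootloader", b"firmware-new"])
    sealed = ToySealedSecret(b"example-password", b"example-secret", pcr_old)
    outcome = {"before_update": sealed.unseal(pcr_old) == b"example-secret"}
    try:
        sealed.unseal(pcr_new)
        outcome["after_update"] = True
    except PermissionError:
        outcome["after_update"] = False  # secret unreachable until resealed
    sealed.pcrseal(b"example-password", pcr_new)
    outcome["after_pcrseal"] = sealed.unseal(pcr_new) == b"example-secret"
    return outcome

if __name__ == "__main__":
    print(run_update_scenario())
```

In this model, a single changed measurement in the boot chain yields a different final PCR value, so the sealed secret stays locked until the policy is refreshed with the TPM password.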

Updating the active firewall

When the passive member of the cluster has restarted after being updated:

  1. Go back to the Configuration > System > Maintenance > System update tab.
  2. Select the update file (Select the update field).
  3. In the Select the firewall to update field, select This firewall.
  4. Click on Update firmware.
  5. The other member of the cluster becomes active and connections that go through the cluster will not be disrupted.

If your firewall is equipped with a TPM (Trusted Platform Module)

  1. In the web administration interface of the active member of the cluster, go to System > CLI Console.
  2. Enter the command SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive and click on Run.

More information about the command SYSTEM TPM PCRSEAL.