
Upgrade HA Active/Passive array to latest version.

Good morning all,

I hope you're all well.

I'm looking for some advice on the most expeditious and least disruptive method to upgrade an HA array to the latest firmware version. It's a UTM SG330 setup in HA active/passive mode and the firmware version is 9.702-1.

The customer is highly risk averse and supports several hundred remote users via remote access VPN. It is essential that disruption is kept to a minimum. Multiple or lengthy outages need to be avoided if possible.

Does anyone know the most direct path from the current firmware to the latest version?
Would it be quicker to reimage/rebuild the array at the latest version and import the latest backup? Is it possible to import a backup from the current version to the latest version?

Thanks in advance,

Neil.



  • Hello,

    Thank you for reaching out to the community. 

    When you upgrade an HA device, the process is as follows:

    1. The primary device (device A) upgrades the secondary device (device B).
    2. Device B runs the new firmware and takes control of the network. It's now the primary device and device A is the secondary.
    3. Device A then upgrades and runs the new firmware. It's still the secondary device, but if you have configured the other device as a preferred primary, then the cluster will failover.


    Now, you are currently on 9.702-1; there are a number of firmware releases in between (approx. 23 new updates), and the process mentioned above will continue to be followed until you reach the latest firmware, i.e. 9.711-5.

    A direct path cannot be followed. So, in that case, re-imaging will be much quicker and a one-time process.

    Yes, the backup can be restored from an older firmware to a newer/equivalent firmware, but it cannot be done vice versa.




    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • Hi,

    I would activate "Keep node(s) reserved during Up2Date" and use this method to update one node to the latest version; then this fully updated node will become the active node. In a second step, after checking that everything works as expected, update the second node.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Thanks for your answers.

    I think the rebuild is the most likely option as the customer is unlikely to risk any lengthy outage or maintenance windows to complete a phased upgrade.

    Thanks for your help.

    Neil.

  • Re-imaging is a waste of time and completely unnecessary. The whole point of the HA is to "not disrupt" and it won't - the users won't even know, especially if you run it at say 2-4 am in the morning on a schedule. Simply let it download all the updates, hit upgrade to latest at this time and go to bed. Done.

  • I agree, but there's a potential fly in the ointment.  Attempting to get all of the needed Up2Dates loaded at one time will cause problems with a full / partition - probably a lockup.  Probably two groups would need to be downloaded separately.  This is most easily done at the command line as root.

    Don't forget to set 'Firmware Download Interval' to "Manual" before starting and to change it back when done.  If the Up2Dates below are already on your system, you can delete them once you're in /var/up2date/sys.

    Once you're at 9.705-3 or you've done something similar to the below to get you there, here's how to get to 9.711-5:

         cd /var/up2date/sys
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.705003-705007.tgz.gpg
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.705007-706009.tgz.gpg
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.706009-707005.tgz.gpg
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.707005-708006.tgz.gpg
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.708006-709003.tgz.gpg
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.709003-710001.tgz.gpg
         wget ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.710001-711005.tgz.gpg
         /sbin/auisys.plx --showdesc

         Wait 10 minutes after the auisys command starts and then install in WebAdmin. You are now at 9.711-5.

    Personally, I would disconnect the Slave first and allow the Master to Up2Date overnight.  Then, re-image the Slave, power it down, reconnect it and power it up.  The Master will reconfigure the Slave and copy the logs to it.

    If you do go the way of re-imaging both Master and Slave, you can copy off the /var/log directory beforehand and then copy it back on with WinSCP.  Again, I would fully prepare one appliance as the Master and then reconnect the Slave and power it up.  The Master will reconfigure the Slave and copy the logs to it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
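The group-by-group download that Bob describes above, as an added example that is not from this thread and not Sophos' own tooling: a POSIX shell script that lists the Up2Date chain from a given step, checks free space on the filesystem holding /var/up2date/sys before each package, and fetches only one group at a time so the partition cannot fill up. The package names and the auisys command are those given in the post; the per-package size bound, the free-space floor, the group size and the http:// scheme on the download URL (wget adds one when none is given) are assumptions. Set 'Firmware Download Interval' to "Manual" before running it, as the post says.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): stage UTM 9 Up2Date packages in groups
# so that /var does not fill up. Run as root on the UTM, e.g.:  sh stage-u2d.sh stage 9.705003
# Paths, package names and the auisys call follow the post; sizes and group size are assumptions.

UP2DATE_DIR="${UP2DATE_DIR:-/var/up2date/sys}"
BASE_URL="http://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date"   # scheme assumed

# Ordered chain 9.705-3 -> 9.711-5 exactly as listed in the post (from-to in u2d filename form).
CHAIN="9.705003-705007 9.705007-706009 9.706009-707005 9.707005-708006 9.708006-709003 9.709003-710001 9.710001-711005"

GROUP_SIZE="${GROUP_SIZE:-3}"          # packages per group (assumption; the post suggests two groups)
PKG_KB="${PKG_KB:-400000}"             # assumed upper bound for one package, in KB
MIN_FREE_KB="${MIN_FREE_KB:-500000}"   # assumed headroom to leave on /var, in KB

# u2d_name FROM-TO: print the package file name for one step of the chain.
u2d_name() { printf 'u2d-sys-%s.tgz.gpg\n' "$1"; }

# chain_from START: print package names from the step that starts at START to the end of the chain.
# Returns 1 if START is not the "from" side of any step (e.g. an unknown version).
chain_from() {
  found=0
  for step in $CHAIN; do
    case "$step" in "$1"-*) found=1 ;; esac
    if [ "$found" -eq 1 ]; then u2d_name "$step"; fi
  done
  [ "$found" -eq 1 ]
}

# free_kb DIR: free kilobytes on the filesystem holding DIR (POSIX df -P output).
free_kb() { df -kP "$1" | awk 'NR == 2 { print $4 }'; }

# group_fits FREE_KB COUNT PKG_KB MIN_FREE_KB: succeed if COUNT packages of PKG_KB each
# still leave MIN_FREE_KB free. Pure arithmetic, so it can be checked without a UTM.
group_fits() { [ $(( $1 - $2 * $3 )) -ge "$4" ]; }

# stage_group START: fetch the next GROUP_SIZE packages of the chain that are not yet present.
# Stops before any package that would not fit, so the partition is never filled.
stage_group() {
  chain_from "$1" >/dev/null || { echo "unknown start version $1" >&2; return 2; }
  fetched=0
  for pkg in $(chain_from "$1"); do
    [ -f "$UP2DATE_DIR/$pkg" ] && continue          # already downloaded
    [ "$fetched" -ge "$GROUP_SIZE" ] && break       # group is full; install before continuing
    if ! group_fits "$(free_kb "$UP2DATE_DIR")" 1 "$PKG_KB" "$MIN_FREE_KB"; then
      echo "not enough free space on $UP2DATE_DIR for $pkg; install what is staged first" >&2
      return 1
    fi
    wget -q -P "$UP2DATE_DIR" "$BASE_URL/$pkg" || return 1
    fetched=$((fetched + 1))
  done
  echo "$fetched package(s) staged in $UP2DATE_DIR"
}

case "${1:-}" in
  stage)
    [ -n "${2:-}" ] || { echo "usage: $0 stage FROM-VERSION (e.g. 9.705003)" >&2; exit 2; }
    stage_group "$2" && /sbin/auisys.plx --showdesc   # then wait ~10 min and install in WebAdmin
    ;;
esac
```

Run it once per group: stage, wait for auisys to pick the packages up, install in WebAdmin, then run it again with the version you have just reached as the start step. Already-present packages are skipped, so rerunning after a partial download is safe.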
  • Thanks everyone for your input, very much appreciated.

    As mentioned, the customer is very risk averse and has several hundred remote workers connecting via the SG, so updates have been avoided for as long as possible, which is how we came to be in this position.

    As Bob mentioned, we cannot download all updates because the partition fills up.

    The agreed process is to break the array, reimage the secondary to the latest firmware version, apply a temporary licence and import the latest config. Once this has been satisfactorily tested, the primary will be brought up to the latest version by reimaging and the array will be rebuilt.

    The customer understands this will cause a network outage, but they can live with that since it will be planned and can be done in the wee small hours when all remote workers are sound asleep.

    Thanks for all your help.

    Neil.

  • That plan means you lose all logs and reporting, Neil.  You can use the WinSCP trick to copy /var/log off and then back on again.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA