Upgrading MWG to either Main Release or Controlled Release versions

Version 12



    The Web Gateway has two release branches, Main and Controlled. This article gives a basic understanding of each release branch, the best practices for upgrading, and how to upgrade to the Web Gateway version you want to use.



    Main vs Controlled

    Both main and controlled release branches are fully QA tested and supported. Here are some things to expect from each branch.


    Main Release Branch

      • Default version on all new Web Gateway appliances.
      • Maintenance releases are provided throughout the year (every two months).
      • Provides feature enhancements once a year.


    Controlled Release Branch

      • Provides feature enhancements once every four months.
      • Patch releases are either made between feature releases or rolled into the next one.
      • Customers have to actively decide to switch to this branch.


    At the end of the one-year period, the current controlled release version becomes the main release. For more detailed information and FAQ, please go to the following KB: McAfee KnowledgeBase - Explanation of main and controlled releases in Web Gateway


    Below is a visualization of the release process:




    Best Practices

    McAfee Support recommends that you stay on the Main Release Branch instead of going to the Controlled Branch unless you have a specific purpose (for example, you need a new feature urgently). Most customer environments are better off with the main release branch and maintenance releases only.


    Once you go to the Controlled Release, you cannot move back without a complete reimage and recreation of your rules. A backup from the Controlled Release cannot be imported to a Main Release version.




    Please follow the best practices when upgrading to a different version.


      • Always take a backup (Configuration > Backup/Restore)




      • Be patient! If you are upgrading from one major version to another, be sure to allocate an hour (at least) for maintenance. Most upgrades should take 15 minutes or less, depending on how far back you are.
      • If you are updating in Central Management Mode, please read over our best practices here about dismantling the cluster. Breaking up the cluster is not required, but is recommended when there is a difference in the minor version (i.e. 7.6.x vs 7.7.x).
        • Dismantling the cluster is recommended for N+1 difference because the newer version knows of properties which are not available in the older version
        • Dismantling is not essential when there are version differences in the same micro version (i.e. and
      • We suggest doing upgrades via the command line and the "yum" command. This gives you more control and visibility into the process. Please make sure you have root access to the command line for this.
      • Always reboot the appliance after upgrading.
      • Have some form of console access, either physical or by DRAC/RMM. This is in case the reboot takes longer than expected (i.e. a disk check requires user interaction). Also note that if you need to reimage, the DRAC/RMM cards can be used to mount an ISO image remotely. If you need more information on how to set up DRAC/RMM, please go here.



    How to upgrade to latest version of either branch

    Please see the release notes on the Content Security Portal or McAfee Web Gateway Release Notes. Each release notes document has an upgrading section at the bottom with release specific instructions.





    How to upgrade to a specific version

    Oftentimes, customers need to test specific Web Gateway versions before they can be rolled out into production. If a newer release was published while you were testing (for example, you were testing and in the meantime was released), you have to take special steps to get to your desired version.

    On the command line execute the following commands:

    mwg-switch-repo --sticky <version number>  
    yum upgrade 

    The version number can be switched to any version such as



        • A benefit of the 'mwg-switch-repo --sticky' command is that it ensures that your MWG is updated to your intended version.
        • Once updated to a sticky release, you will not be able to update the MWG from the UI. If you attempt to update via the MWG UI, you will receive a message stating "Nothing to update". This is because you're sticky to your current release.
        • For subsequent upgrades, you will need to issue another mwg-switch-repo --sticky <version> command as shown above.


    Useful commands:

        • How to check if you're using an MWG "sticky" release:

    mwg-switch-repo -l


    Example output: "Current Configuration: Non-sticky MWG (release)"


        • How to switch from a sticky release back to the main release repository:

    mwg-switch-repo main


    Note: Upgrading with this repository will always take you to the latest release in the Main Branch. Make sure you know the most current release within the Main repository before upgrading. This will help prevent an upgrade to an unexpected version.
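
    The steps above, combined into a pre-upgrade planner that only prints what to run. This is an added example, not McAfee's own tooling; the function names, the sample versions 7.7.2 and 7.6.1, and the assumption that a sticky configuration is reported with the word "sticky" are illustrative.

```shell
#!/bin/sh
# Added example: prints an upgrade plan; it never runs mwg-switch-repo or yum.

# Classify the text printed by `mwg-switch-repo -l`.
# Only the "Non-sticky" wording appears on the page; treating any other line
# that contains "sticky" as a sticky release is an assumption.
repo_mode() {
    case "$1" in
        *Non-sticky*) echo non-sticky ;;   # must be tested before the sticky case
        *[Ss]ticky*)  echo sticky ;;
        *)            echo unknown ;;
    esac
}

# Return 0 when two versions differ in their major.minor part
# (e.g. 7.6.x vs 7.7.x), the case where dismantling the cluster is recommended.
minor_differs() {
    a=$(echo "$1" | cut -d. -f1,2)
    b=$(echo "$2" | cut -d. -f1,2)
    [ "$a" != "$b" ]
}

# $1 = target version, $2 = output of `mwg-switch-repo -l`,
# $3 = version of another cluster member (optional)
plan_upgrade() {
    target=$1; listing=$2; peer=$3
    # Accept only dotted numeric versions, since the plan is meant for a root shell.
    case "$target" in
        ''|*[!0-9.]*|.*|*.|*..*)
            echo "error: bad version '$target'" >&2; return 2 ;;
    esac
    echo "# current repo mode: $(repo_mode "$listing")"
    echo "# take a backup first (Configuration > Backup/Restore)"
    if [ -n "$peer" ] && minor_differs "$target" "$peer"; then
        echo "# cluster member on $peer: dismantling the cluster is recommended"
    fi
    echo "mwg-switch-repo --sticky $target"
    echo "yum upgrade"
    echo "reboot"
}

# Constructed sample input; the version numbers are placeholders.
SAMPLE_LISTING='Current Configuration: Non-sticky MWG (release)'
plan_upgrade 7.7.2 "$SAMPLE_LISTING" 7.6.1
```

    On an appliance, pass the real output of mwg-switch-repo -l as the second argument and review the printed plan before running it as root.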



    What is the latest main and controlled release?

    Current main release branch: 7.7.2.x
    Current controlled release branch: -


    Upgrades in Networks without Internet Access

    A yum upgrade is performed in real time by downloading files directly from McAfee's servers. If your machines do not have access to these servers, you have to perform upgrades by re-imaging to the desired version and restoring a backup.



    Upgrades in FIPS mode

    FIPS mode does not allow you to upgrade. You need to reimage your appliance with the desired version (select FIPS again during install) and restore a backup. Note that FIPS backups cannot be restored on non-FIPS appliances.




    Downgrading a Web Gateway appliance is not supported at this time. If you still have a need for it, you need to reimage with the older version and restore the backup you took before the upgrade.