
Web Gateway: Upgrade Best Practices and Understanding Release Branches

Introduction

The Web Gateway has two release branches, Main and Controlled. In this article, you should get a basic understanding about each release branch, the best practices for upgrading, and how to upgrade to the Web Gateway version you want to use.

 

Main vs Controlled

Both main and controlled release branches are fully QA tested and supported. Here are some things to expect from each branch.

Main Release Branch

    • Default version on all new Web Gateway appliances.
    • Maintenance releases are provided throughout the year (every two months).
    • Provides feature enhancements once a year.

Controlled Release Branch

    • Provides feature enhancements once every four months.
    • Patch releases are either made between feature releases or rolled in to the next one.
    • Customers have to actively decide to switch to this branch.

 

At the end of the one year period, the current controlled release version becomes the main release.  For more detailed information and FAQ, please go to the following KB: McAfee KnowledgeBase - Explanation of main and controlled releases in Web Gateway

 

Below is a visualization of the release process:

 red.png
 

Best Practices

McAfee Support recommends that you stay on the Main Release Branch instead of going to the Controlled Branch unless you have a specific purpose (for example you need a new feature urgently). Most customer environments are better off with the main release branch and maintenance releases only. 

Once you go to the Controlled Release, you cannot move back without a complete reimage and recreation of your rules. A backup from the Controlled Release cannot be imported to a Main Release version.

Upgrading

Please follow the best practices when upgrading to a different version.

    • Always take a backup (Configuration > Backup/Restore)

 

upgrading.png

 

    • Be patient! If you are upgrading from one major version to another, be sure to allocate at least an hour for maintenance. Most upgrades should take 15 minutes or less, depending on how far back you are.
    • If you are updating in Central Management Mode, please read over our best practices here about dismantling the cluster. Breaking up the cluster is not required, but is recommended when there is a difference in the minor version (i.e. 7.6.x vs 7.7.x).
      • Dismantling the cluster is recommended for N+1 difference because the newer version knows of properties which are not available in the older version
      • Dismantling is not essential when there are version differences within the same micro version (i.e. 7.7.2.1 and 7.7.2.3)
    • If you have MWGs setup in a ProxyHA, Transparent Router, or Transparent Bridge cluster, see the following thread:
    • We suggest doing upgrades via the command line and the "yum" command. This gives you more control and visibility into the process. Please make sure you have root access to the command line for this.
    • Always reboot the appliance after upgrading
    • Have some form of console access, either physical or by DRAC/RMM. This is in the event the reboot takes longer than expected (i.e. disk check requires user interaction). Also note that if you need to reimage, the DRAC/RMM cards can be used to mount an ISO image remotely. If you need more information on how to setup DRAC/RMM, please go here.

How to upgrade to latest version of either branch

Please see the release notes on the Content Security Portal or . Each release notes document has an upgrading section at the bottom with release specific instructions.

 

How to upgrade to a specific version

Oftentimes customers need to test specific Web Gateway versions before they can be rolled out into production. If a newer release has happened while you were testing (for example, you were testing 7.5.2.1 and in the meantime 7.5.2.2 was released), you have to take special steps to get to your desired version.

On the command line execute the following commands:

  1. mwg-switch-repo --sticky <version number> 
  2. yum upgrade


The version number can be switched to any version such as 7.7.2.3

 

Notes:

      • A benefit of the 'mwg-switch-repo --sticky' command is that it ensures that your MWG is updated to your intended version.
      • Once updated to a sticky release, you will not be able to update the MWG from the UI. If you attempt to update via the MWG UI, you will receive a message stating "Nothing to update". This is because you're sticky to your current release.
      • For subsequent upgrades, you will need to issue another mwg-switch-repo --sticky <version> command as shown above.

 

Useful commands:

      • How to check if you're using an MWG "sticky" release:

mwg-switch-repo -l

 

Example output: "Current Configuration: Non-sticky MWG 7.7.2.3 (release)"

 

      • How to switch from a sticky release back to the main release repository:

mwg-switch-repo main

 

Note: Upgrading with this repository will always take you to the latest release in the Main Branch. Make sure you know the most current release within the Main repository before upgrading. This will help prevent an upgrade to an unexpected version.

What is the latest main and controlled release?

Current main release branch: 7.7.2.x
Current controlled release branch: 7.8

Upgrades in Networks without Internet Access

yum is a real time upgrade performed by downloading files directly from McAfee's servers. If your machines do not have access to these servers, you have to perform upgrades by re-imaging to the desired version and restoring a backup.

Upgrades in FIPS mode

FIPS mode does not allow you to upgrade. You need to reimage your appliance with the desired version (select FIPS again during install) and restore a backup. Note that FIPS backups cannot be restored on non-FIPS appliances.

Downgrading

Downgrading a Web Gateway appliance is not supported at this time. If you still have a need for it you need to reimage with the older version and restore the backup you took before the upgrade.
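
The version rules above (the `mwg-switch-repo -l` status line, the cluster-dismantling guidance, and the no-downgrade rule) can be checked before the upgrade commands are run. The shell script below is an added example, not McAfee code; the function names and the target version are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of MWG.

# Extract the dotted version from a `mwg-switch-repo -l` status line.
current_version() {
    printf '%s\n' "$1" | sed -n 's/.*MWG \([0-9][0-9.]*\).*/\1/p'
}

# Print lt, eq or gt for version $1 relative to $2 (numeric, per component).
version_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# Article's cluster rule: minor version differs (7.6.x vs 7.7.x) -> dismantling
# recommended; same micro version (7.7.2.1 vs 7.7.2.3) -> not essential.
# A change in only the third component is not addressed by the article.
cluster_advice() {
    if [ "$(echo "$1" | cut -d. -f1-2)" != "$(echo "$2" | cut -d. -f1-2)" ]; then
        echo dismantle-recommended
    elif [ "$(echo "$1" | cut -d. -f1-3)" = "$(echo "$2" | cut -d. -f1-3)" ]; then
        echo dismantle-not-essential
    else
        echo not-covered-by-article
    fi
}

# Refuse malformed targets and downgrades, then print the article's two commands.
upgrade_plan() {
    cur=$(current_version "$1"); target=$2
    case $target in ''|*[!0-9.]*) echo "error: bad target version"; return 2 ;; esac
    [ -n "$cur" ] || { echo "error: cannot parse status line"; return 2; }
    case $(version_cmp "$target" "$cur") in
        lt) echo "refuse: downgrade needs reimage and backup restore"; return 1 ;;
        eq) echo "already on $cur"; return 0 ;;
    esac
    echo "cluster: $(cluster_advice "$cur" "$target")"
    printf 'mwg-switch-repo --sticky %s\nyum upgrade\n' "$target"
}

# Status line quoted in the article; the target version is constructed.
upgrade_plan 'Current Configuration: Non-sticky MWG 7.7.2.3 (release)' 7.7.2.5
```

On an appliance, pass the live output of `mwg-switch-repo -l` as the first argument instead of the quoted sample line.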

Comments

There seems to be a little problem if you upgrade from 7.2 to 7.3 and use the local bind daemon as a forwarding only DNS Server.

If so, you have configured 127.0.0.1 as DNS Server.

After the first boot (7.3.0.2) the named daemon is no longer supported. The server does not start

Any DNS query fails and the upgrade process is no longer able to reach the upgrade server. Your server runs in 7.3.0.2 but

you are no longer able to do any other upgrade. (Maybe yum is corrupt)

Conclusion: Be sure to enter a valid internet DNS server before upgrading to 7.3!!!

Frank - thanks for bringing up that topic!

Others,

what Frank refers to is the circumstance that we had allowed a few selected customers to install a local bind even before we had this feature to solve critical business issues for them. This has not been picked up in the migration code from version to version as it is an edge case. On the other hand we have forgotten to notify these customers - so apologies on behalf of McAfee and please follow Frank's guidance!

thanks,

Michael

My upgrade tip for users:   call support first and ask them where the upgrade docs you should pay attention to are currently located.  🙂   A reasonable person looking in the content security portal might not find them, or be pointed here.  A person looking in the mysupport portal will have to wade through lots of other things to find the latest release notes, and if you leave it up to the GUI to do your appliance software update, you'll have no idea what version you're gonna get.   

So, I'd recommend a support call.  🙂

Things in the upgrade process or repositories also apparently changed earlier this week when 7.3.2.2 got moved into the main release branch.

As an example, the release notes for 7.3.0. might say this (don't do this--you'll get a package conflict on a 7.2.0.1 box)

yum install yumconf-7.3.0-mwg

yum upgrade yum yumconf\*

yum upgrade

Best Practices above say

yum install yumconf-7.3-mwg
mwg-dist-upgrade <version number>

Now that 7.3.2.2 has gone main branch as of this week, if you do the following on a 7.2.0.1 box

yum upgrade 

you'll end up at 7.2.0.9.  You'll need some sort of yumconf install to get where you're supposed to be, and it may happen in two steps.  I'm not sure at this point.

All this is further complicated by the content security portal currently not having the 7.3.2.2 release notes linked from the software, but you can find them if you dig hard enough at https://mysupport.mcafee.com/Eservice/productdocuments.aspx?strPage=2&pl=0 It's also a bit of a drag that when coming from 7.2.0.1 at least, when you click to update appliance software in the GUI, you will have no earthly idea what software version you'll end up at. Today at least, the answer is 7.3.2.2.

What is the right way to upgrade from 7.2.0.1 right now?   Ask support, say I.   Today, anyway, doing it in the GUI seems to be the easiest.  

Looking forward to using all of 7.3.2.2's new features though!  I managed with a lot of the fine folks at support's help...to get 3 boxes upgraded today, all in entirely different ways.      Cheers!

Can we upgrade from Main release version to controlled release version or vice-versa?

I am using Controlled release version 7.4.1.3.0, can I upgrade to Main release version 7.4.2.4.0

Correct, You will be able to upgrade to the main release version.

Thanks, is the procedure to upgrade the same?

Yes the procedure is going to be the same. If you run into any issues, feel free to contact support.

Very Nice Guide

A possible future addition is considerations for upgrading when in proxyHA (or router or bridge) with multiple appliances.

Here is a good explanation of how to upgrade with minimal interruption:

##################################################

####         Web Gateway 7.5.x / 7.6.x Memory Upgrade Needed            ####

##################################################

If you have or if you are planning on upgrading to the 7.5.x release of the Web Gateway, please ensure that you meet the necessary memory requirements for this new build.

This new build of Web Gateway requires more memory due to the addition of a 64-bit Anti-Malware Engine which is available in all 7.5.x / 7.6.x builds going forward.

Web Gateway 7.5.0 Install Guide

On page (27 - 29) we have detailed information for what is needed to upgrade your physical Web Gateway systems but if needed the link detailing the needed memory modules can be found here:

KB82852

##########################################################################

### The following section details commands for the CLI with SSH for tools like PuTTy, mRemote, SecureCRT, etc. ###

##########################################################################

If you need to know what model of Web Gateway you are running this can be validated with the following command:

  • #> mwg-info model

If you are not sure what release of Web Gateway you are on, this can be checked with the following:

  • #> mwg-info version

You can also check your memory available / free / swap with the following command:

  • #> free -g    (for GB)
  • #> free -m   (for MB)

If you are running the system with not enough memory or you have 7.5.x installed without the correct memory installed you could get errors like:

  1. 14000 Cannot Load Anti-malware Engine / Anti-Malware Engine Error

Thanks,

Andrew

Another thing you may want to keep in mind when upgrading to a controlled release is whether you use the McAfee SAAS portal in Web Hybrid mode via the MWG.  When 7.5.2 was released as a Main release it was several weeks before the SAAS portal supported it.  I had to disable my hybrid synch settings on the MWG's so I didn't get errors in my logs all day.  That would be a nice thing to see in the release notes of any major or minor upgrade - supported or not supported by SAAS and if not supported a potential date for that support.

Claire

After we upgraded the McAfee web gateway, we see an increase in the traffic coming from port 443.

Is it somehow related to the upgrade?

Hello,

you mean you see more SSL traffic from endpoints or SSL traffic from MWG to the internet? Can you please explain in some more detail?

Cheers

Upgrades in Networks without Internet Access

yum is a real time upgrade performed by downloading files directly from McAfee's servers. If your machines do not have access to these servers, you have to perform upgrades by re-imaging to the desired version and restoring a backup.

As of 7.7.1 the above statement is no longer correct. 7.7.1 and later support upgrade from ISO file that has been moved onto the appliance. The command is mwg-update -o <file name> Please see the Installation Guide of the currently installed version for details. 

Version history
Revision #:
3 of 4
Last update:
‎03-20-2018 11:03 AM