I need to upgrade a Failover High Availability Cluster that is managed by a Control Center from version 8.2.0 to 8.2.1 P6. They are set up in a Peer-to-Peer configuration. According to the Control Center product guide, the Apply packages on all of the synced members option can be selected in the Packages tab of the Manage Firewalls window. My question is, will this option automatically push the package to the secondary if I install it on the primary? If so, in the Firewall Maintenance Window, should I select both members before selecting "Manage Firewalls", or only the primary? The alternative might be to upgrade the secondary first, and if successful, switch off the primary to allow the secondary to become primary, and when traffic flow is confirmed, upgrade the previous primary (now standby). I am concerned that a mismatch of the versions might prevent correct functioning of the failover process. Can anyone assist?
Many customers choose to upgrade one firewall at a time so that they can test the new patch(es). The main problem it will cause is that any policy changes done while they are at different versions will not synchronize. The failover functionality should still work just fine, so if the primary firewall has an issue, the standby will take over; they just might have different policy versions.
Do you recommend that I rather deselect the option to Apply packages on all of the synced members then and completely upgrade one of the firewalls first? I have an additional challenge which might complicate the process a bit. I have already upgraded 11 firewalls through the Control Center, and every time after a package is installed (8.2.1, for instance), communication between the firewall and the Control Center cannot be established unless I create a temporary rule on the firewall (through the Admin Console) to allow traffic for the Control Center Management app between the firewall and Control Center on port 9005. I know this rule is not necessary under normal circumstances, but after reboot the firewall listens on the wrong region for comms from the Control Center (external zone), and to get it to listen on the appropriate region, the rule must be created or changed (disabled or enabled)! Since the upgrade, this still happens from time to time, especially after a firewall reboots.
It is really up to you, but deselecting that option would make sense so that you can upgrade one before the other. That other issue you have run into is pretty interesting. If you like, it would probably make sense to open a case with support.