McAfee Firewall Enterprise HA Cluster Upgrade

I need to upgrade a Failover High Availability Cluster that is managed by a Control Center from version 8.2.0 to 8.2.1 P6. They are set up in a Peer-to-Peer configuration. According to the Control Center product guide, the Apply packages on all of the synced members option can be selected in the Packages tab of the Manage Firewalls window. My question is, will this option automatically push the package to the secondary if I install it on the primary? If so, in the Firewall Maintenance Window, should I select both members before selecting "Manage Firewalls", or only the primary? The alternative might be to upgrade the secondary first, and if successful, switch off the primary to allow the secondary to become primary, and when traffic flow is confirmed, upgrade the previous primary (now standby). I am concerned that a mismatch of the versions might prevent correct functioning of the failover process. Can anyone assist?

3 Replies

Re: McAfee Firewall Enterprise HA Cluster Upgrade

Hello,

Many customers choose to upgrade one firewall at a time so that they can test the new patch(es). The main problem it will cause is that any policy changes done while they are at different versions will not synchronize. The failover functionality should still work just fine, so if the primary firewall has an issue, the standby will take over; they just might have different policy versions.

-Matt

Re: McAfee Firewall Enterprise HA Cluster Upgrade

Thanks Matt.

Do you recommend that I rather deselect the option to Apply packages on all of the synced members then and completely upgrade one of the firewalls first? I have an additional challenge which might complicate the process a bit. I have already upgraded 11 firewalls through the Control Center and every time after a package is installed (8.2.1, for instance), communication between the firewall and the Control Center cannot be established unless I create a temporary rule on the firewall (through the Admin Console) to allow traffic for the Control Center Management app between the firewall and Control Center on port 9005. I know this rule is not necessary under normal circumstances, but after reboot the firewall listens on the wrong region for comms from the Control Center (external zone) and to get it to listen on the appropriate region, the rule must be created or changed (disabled or enabled)! Since the upgrade, this still happens from time to time, especially after a firewall reboots.

Re: McAfee Firewall Enterprise HA Cluster Upgrade

It is really up to you, but deselecting that option would make sense so that you can upgrade one before the other. That other issue you have run into is pretty interesting. If you like, it would probably make sense to open a case with support.

-Matt
