10 Replies. Latest reply on Oct 12, 2010 12:03 PM by sliedl

    Patching Questions...

    ottawa_tech_31

      After spending quite a bit of time trying to find info in the McAfee KB... I'm hoping to find answers (and wisdom) from the folks here.

      We have a pair of Sidewinders, at 7.01.02, in an active/passive setup.

      I have to apply some patches.

      From what I get, I patch the passive member first, then the primary...

      So... do I patch the secondary COMPLETELY in one shot, or is it "apply patch 1 to the secondary, reboot it, then patch the primary and reboot it, then apply patch 2 to the secondary and reboot, and then apply patch 2 to the primary, etc...."

        • 1. Re: Patching Questions...
          oreeh

          > From what I get, I patch the passive member first, then the primary...

          It really doesn't matter. However, if you patch the master first you'll have additional failover events occurring and it is a bit more work if something goes wrong.

          > So... do I patch the secondary COMPLETELY in one shot, or is it "apply patch 1 to the secondary, reboot it, then patch the primary and reboot it, then apply patch 2 to the secondary and reboot, and then apply patch 2 to the primary, etc...."

          There were patches in the past where the "one shot" approach (read: select multiple patches to be installed at once) didn't work.

          Therefore the "safest" approach is to either patch the way you described it or:

          Patch the secondary with the first patch. Reboot. Patch the secondary with the second patch. Reboot. ... Patch the secondary with patch N. Reboot. Patch the primary with the first patch. ...

          • 2. Re: Patching Questions...
            ottawa_tech_31

            So, if I have this correctly:

            1. Disable "auto-recover" for the cluster primary, so that it allows the secondary to become and remain MASTER. Save/Push setting.

            2. On secondary:

            Apply 70102H06
            Apply 70102H07
            Apply 70102H08 - reboot
            Apply 70102H09 - reboot
            Apply 70102H11 - reboot
            Apply 70102H12
            Apply 70102H14
            Apply 70102H15 - reboot
            Apply 70102H16 - reboot
            Apply 70102H17
            Apply 70102HW01 - reboot
            Apply 70102HW02 - reboot

            3. On primary:

            Apply 70102H06
            Apply 70102H07
            Apply 70102H08 - reboot (Here the cluster fails over and remains with the secondary)
            Apply 70102H09 - reboot
            Apply 70102H11 - reboot
            Apply 70102H12
            Apply 70102H14
            Apply 70102H15 - reboot
            Apply 70102H16 - reboot
            Apply 70102H17
            Apply 70102HW01 - reboot
            Apply 70102HW02 - reboot

            4. Undo step one (re-enable auto-recover on reconnect).

            5. Reboot secondary, to ENSURE that the first member is in fact the primary.

            • 3. Re: Patching Questions...
              sliedl

              You do not need to disable 'auto-reconnect' on the secondary. It can remain secondary while you install patches.

              Also, you do not necessarily need to reboot so many times. I've installed ALL the available hotfixes on a 70102 firewall and it worked (with one reboot at the end). That's no guarantee that yours will work, but you don't have to reboot all those times.

              Also, you do not need to install HW01 if you're installing HW02.

              • 4. Re: Patching Questions...
                PhilM
                > Also, you do not need to install HW01 if you're installing HW02.

                I also thought that it wasn't necessary to apply hotfix (H) patches unless instructed by Tech Support.

                • 5. Re: Patching Questions...
                  oreeh

                  Do not install HW02 on model E or earlier appliances as this will lead to trouble (even on model F appliances the patch had problems - at least for me).

                  • 6. Re: Patching Questions...
                    oreeh

                    > Apply 70102H08 - reboot (Here the cluster fails over and remains with the secondary)

                    It depends if you are running a primary/secondary cluster with a dedicated primary or not.

                    With a dedicated primary (priority set to 255) it will failover with every (!) patch install on the primary. With another priority value it will failover only once.

                    (Edited on 10/12/10 6:27:02 PM CEST and 10/12/10 6:31:20 PM CEST)
                    • 7. Re: Patching Questions...
                      sliedl

                      My response has always been: apply hotfixes that are relevant to your firewall setup. If you don't run split-DNS, you do not need the source-port randomization hotfix. If you don't run HA, you do not need the HA hotfixes.

                      This file has a very small readme for each of the 701xx hotfixes: ftp://ftp.securecomputing.com/packages/sidewinder/7.0.1/pkglist.txt

                      You don't have to wait for Support to tell you to install a hotfix; you can always just install them all if you'd like. That file above is the information we have on each of the patches, so if you read it you'll know what each patch does.

                      • 8. Re: Patching Questions...
                        ottawa_tech_31

                        Hmm... that's not what I have on screen...

                        In the High Availability section (not on a member, just the actual section), I have a checkmark for auto-recover, and the text says "The High Availability Feature will detect when a former primary cluster member has once again been placed in service. Select the option below to automatically restore that member as the primary cluster member".

                        So... if I interpret that text correctly, if I patch the second member completely first, then do the primary, and the checkmark is selected, then the primary will re-become the primary after every reboot...

                        But if I unselect the checkmark, then once the secondary becomes the active member, it'll stay that way, allowing me to patch the (former) primary member without a constant flip-flop of being the active firewall...

                        • 9. Re: Patching Questions...
                          oreeh

                          That's correct.

                          Edited to add: I was referring to the cf command version of the checkbox on 10/12/10 6:44:04 PM CEST
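The patching order the thread converges on (secondary member first, then the primary; HW02 replaces HW01; HW02 kept off model E or earlier appliances; either one reboot per reboot-flagged hotfix or a single reboot at the end; and a dedicated primary at priority 255 failing over on every reboot of the primary rather than once) can be written down as a small planner so the sequence is reviewed before anyone touches the cluster. The following is an added example, not code from the thread or from McAfee/Secure Computing; the hotfix list and reboot flags are copied from ottawa_tech_31's post, the `min_model` letter comparison is an assumption made here for illustration, and nothing in it issues commands to a firewall.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Hotfix:
    name: str
    reboot: bool = False                # the hotfix notes call for a reboot
    supersedes: Tuple[str, ...] = ()    # earlier hotfixes made redundant by this one
    min_model: Optional[str] = None     # earliest appliance model letter it is safe on


# Constructed from the sequence listed in the thread, plus two facts from the
# replies: HW02 replaces HW01 (sliedl) and HW02 should stay off model E or
# earlier appliances (oreeh). Comparing model letters as strings is an
# assumption made here for illustration, not a vendor rule.
HOTFIXES = [
    Hotfix("70102H06"),
    Hotfix("70102H07"),
    Hotfix("70102H08", reboot=True),
    Hotfix("70102H09", reboot=True),
    Hotfix("70102H11", reboot=True),
    Hotfix("70102H12"),
    Hotfix("70102H14"),
    Hotfix("70102H15", reboot=True),
    Hotfix("70102H16", reboot=True),
    Hotfix("70102H17"),
    Hotfix("70102HW01", reboot=True),
    Hotfix("70102HW02", reboot=True, supersedes=("70102HW01",), min_model="F"),
]


def select_hotfixes(hotfixes, model):
    """Drop hotfixes unsafe for this appliance model, then drop anything
    superseded by a hotfix that is still going to be installed."""
    applicable = [h for h in hotfixes if h.min_model is None or model >= h.min_model]
    superseded = {old for h in applicable for old in h.supersedes}
    return [h for h in applicable if h.name not in superseded]


def build_plan(hotfixes, model, reboot_per_patch=True, dedicated_primary=False):
    """Return the ordered (member, action) steps, the total reboot count and the
    number of failovers to expect: one per primary reboot with a dedicated
    primary (priority 255), otherwise a single failover."""
    chosen = select_hotfixes(hotfixes, model)
    steps = []
    for member in ("secondary", "primary"):   # passive member first, then the primary
        for h in chosen:
            steps.append((member, f"install {h.name}"))
            if reboot_per_patch and h.reboot:
                steps.append((member, "reboot"))
        if not reboot_per_patch:              # sliedl's approach: one reboot at the end
            steps.append((member, "reboot"))
    primary_reboots = sum(1 for m, a in steps if m == "primary" and a == "reboot")
    failovers = primary_reboots if dedicated_primary else min(primary_reboots, 1)
    return {
        "patches": [h.name for h in chosen],
        "steps": steps,
        "reboots": sum(1 for _, a in steps if a == "reboot"),
        "expected_failovers": failovers,
    }


if __name__ == "__main__":
    plan = build_plan(HOTFIXES, model="F", dedicated_primary=True)
    for member, action in plan["steps"]:
        print(f"{member:9s} {action}")
    print("reboots:", plan["reboots"], "expected failovers:", plan["expected_failovers"])
```

Running it for a model F pair with a dedicated primary lists 34 steps with 12 reboots and 6 expected failovers; switching to `reboot_per_patch=False` collapses that to 2 reboots, and a model E pair keeps HW01 and drops HW02.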