How to upgrade firewall OS#

Intended audience

sysadm staff members.

Initial status#

This is the nominal status of the firewalls:

Firewall

Status

pushkin

PRIMARY

glyptotek

BACKUP

Preparation#

  • Connect to the principal (pushkin here)

  • Check the CARP status to ensure the firewall is the principal (must have the status MASTER for all the IPS)

  • Connect to the backup (glytotek here)

  • Check the CARP status to ensure the firewall is the backup (must have the status BACKUP for all the IPS)

  • Ensure the 2 firewalls are in sync:

    • On the principal, go to the High availability status and force a synchronization

    • click on the button on the right of Synchronize config to backup

../../_images/sync.png

  • Switch the principal/backup to prepare the upgrade of the master (The switch is transparent from the user perspective and can be done without service interruption)

    • [1] On the principal, go to the Virtual IPS status page

    • Activate the CARP maintenance mode

    ../../_images/carp_maintenance.png

    • check the status of the VIPs, they must be BACKUP on pushkin and PRIMARY on glyptotek

  • wait a few minutes to let the monitoring detect if there are connection issues, check ssh connection on several servers on different VLANs (staging, admin, …)

If everything is ok, proceed to the next section.

Upgrade the first firewall#

Before starting this section, the firewall statuses should be:

Firewall

Status

pushkin

BACKUP

glyptotek

PRIMARY

If not, be sure of what you are doing and adapt the links accordingly

../../_images/check_for_upgrade.png

  • follow the interface indication, one or several reboots can be necessary depending to the number of upgrade to apply

../../_images/proceed_update.png

  • repeat from the Check for upgrades operation until there is no upgrades to apply

  • Switch the principal/backup to restore pushkin as the principal:

    • on the current backup (pushkin here) go to Virtual IPS status

    • [3] click on Leave Persistent CARP Maintenance Mode

    ../../_images/reactivate_carp.png

    • refresh the page, the role should have changed from BACKUP to MASTER

    • check on the other firewall, if the roles is indeed BACKUP for all the IPs

  • Wait few moment to ensure everything is ok with the new version

Upgrade the second firewall#

Before starting this section, the firewall statuses should be:

Firewall

Status

pushkin

PRIMARY

glyptotek

BACKUP

If not, be sure of what you are doing and adapt the links accordingly

  • Proceed to the second firewall upgrade

    • perform [1] on the backup (should be glyptotek here)

    • perform [2] on the backup (should be glyptotek here)

    • perform [3] on the backup (should be glyptotek here)