Best practices for updating Skyhigh Web Gateway
Technical Articles ID: KB89192
Last Modified: 2023-12-12 10:26:35 Etc/GMT
Environment
Skyhigh Web Gateway (SWG)
Summary
To upgrade to the latest version of SWG, see the appropriate SWG Release Notes. These notes provide specific upgrade instructions in the "Installation Instructions" section.
To upgrade to a specific version of SWG, see the instructions in the "Solution" section.
Best practices during upgrade
- Always take a configuration backup. For steps, see the product guide for your release.
- When you upgrade from one major version to another, make sure to allocate at least one hour for maintenance. Most upgrades take less than 15 minutes, but the length of time depends on the age of your current installed release and target version.
- Always reboot the appliance after the upgrade.
- Always have some form of console access to the appliance available, either physical or through DRAC/RMM. This is in case the reboot takes longer than expected, for example, when a disk check requires user interaction. Also, if you need to reimage, you can use the DRAC/RMM cards to mount an ISO image remotely.
- Upgrades in Central Management Mode
If you're updating in Central Management mode, see the "Dismantling the client" section of KB76905 - Best practices when upgrading Web Gateway appliances that are in Central Management.
- Breaking up the cluster isn't needed, but we recommend it when there's a difference in the main version (for example, 8.1.x and 8.2.x). This is because the newer version has properties that are unavailable in the older version.
- Perform the upgrade by removing all appliances separately from the Central Management cluster before you upgrade and then update each appliance individually.
After you successfully update all your appliances, add them back to the Central Management cluster.
- Dismantling is not essential when there are version differences in the same Feature or Maintenance version.
- To update the appliance software on the nodes of a Central Management configuration, you can perform the update procedure from the user interface of one of the nodes. That node is then the last to be updated.
- Upgrades with a ProxyHA, Transparent Router, or Transparent Bridge cluster
If you have the SWG appliance set up as a ProxyHA, Transparent Router, or Transparent Bridge cluster, you can leave the nodes as is or follow the procedure below. Leaving the nodes as is interrupts traffic, whereas the procedure below causes minimal interruption.
NOTE: This method focuses on taking old nodes out of service, upgrading them, and then transitioning new nodes into service.
1. Identify a redundant director node or scanning node that you want to upgrade. Take a backup before beginning as usual.
   a. Remove the port redirects under Configuration, Proxies. By removing the port redirects, this node stops receiving traffic from the director.
   b. Upgrade the node.
   c. When upgraded, add the removed port redirects back in, so the node starts receiving traffic again.
   d. Leave as standalone or add to the upgraded cluster.
2. Now that the redundant director node and scanning nodes are upgraded, you can upgrade the current director node.
   a. Adjust the priority to be zero or lower than the redundant director. This new value transitions traffic from the director node to the redundant director node.
   b. Perform steps 1a–d listed above.
NOTES:
- We recommend that you perform upgrades via the command line using the yum command. This approach gives you more control and visibility in the process. Make sure that you have root access to the command line.
- In between each of these steps, we recommend that you verify that traffic is passing normally. This way you can easily revert to the last step. In step 2a, you might see an issue if you don't have a redundant director.
- Upgrades in networks without internet access
The upgrade process uses Yum, which performs the upgrade in real time by downloading files directly from our servers. If your appliances don’t have access to these servers, you must perform the upgrades by reimaging to the needed version and restoring a backup.
- Upgrades in FIPS mode
FIPS mode doesn't allow you to upgrade. You must reimage your appliance with the needed version (and again, select FIPS during the install), and then restore a backup. SWG 7.8.2 is the latest product version that is FIPS-certified. SWG 8.x has no FIPS certification.
NOTE: FIPS backups can't be restored on non-FIPS appliances.
NOTE: Downgrading an SWG appliance isn't supported. If you need to run an earlier release, you must reimage the appliance with the needed version and restore the backup taken before the upgrade.
Solution
To upgrade SWG to a specific version:
You might need to test specific SWG versions before they can be rolled out into production. If a newer version is released while you're testing, you must perform special steps to upgrade to your needed version (for example, if 8.2.3 was released while you were testing 8.2.2). These steps can be performed only from the appliance command line:
- Log on to the SWG command line as a root user.
- Type mwg-switch-repo -l and press Enter. The output of this command can help you identify if a sticky bit is already set:
Current Configuration: Non-sticky
NOTE: A benefit of the mwg-switch-repo --sticky command is that it makes sure that your SWG is updated to your intended version.
- Define the version you want to update. Type mwg-switch-repo --sticky <version number> and then press Enter.
NOTE: The version number can be switched to any version, such as 8.2.3.
IMPORTANT: When updated to a sticky release, you can't update the SWG from the manager.
- Start the update process. Type yum upgrade and then press Enter.
NOTES:
- If you try to update via the SWG manager, you see the error below:
Nothing to update.
This is because your current release is set as the sticky release.
- To perform subsequent upgrades, you must issue another mwg-switch-repo --sticky <version> command as shown above.
- To switch back to the main release, type mwg-switch-repo main and press Enter.
- Upgrading with this repository always takes you to the latest release in the Main Branch. Make sure you know the most current release within the Main repository before upgrading. This information can help prevent an upgrade to an unexpected version. You can verify the current main version using the Content Security Portal.
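Added example (not part of the original article or of the vendor's tooling): a small shell guard around the pinned-upgrade steps above, which validates the target version and defaults to printing the commands instead of running them. Only mwg-switch-repo -l, mwg-switch-repo --sticky <version>, and yum upgrade come from the article; the function names, the DRY_RUN variable, and the dotted numeric version format are assumptions.

```shell
#!/bin/sh
# Added example: guard around the pinned-upgrade steps. Only `mwg-switch-repo -l`,
# `mwg-switch-repo --sticky <version>` and `yum upgrade` come from the article;
# the function names and the DRY_RUN variable are assumptions of this sketch.

# Accept only dotted numeric versions such as 8.2.3 (assumed format), so a typo
# or stray shell text never reaches the repository command.
valid_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, foreign chars, bad dots
    esac
    case $1 in *.*) return 0 ;; *) return 1 ;; esac
}

# Classify `mwg-switch-repo -l` output. The article documents only the
# "Non-sticky" line, so anything else is reported as "other" for manual review.
repo_state() {
    case $1 in
        *'Current Configuration: Non-sticky'*) echo non-sticky ;;
        *) echo other ;;
    esac
}

# Print the two commands the procedure runs, refusing invalid versions.
upgrade_plan() {
    valid_version "$1" || { echo "invalid version: $1" >&2; return 2; }
    echo "mwg-switch-repo --sticky $1"
    echo "yum upgrade"
}

# Run the procedure. DRY_RUN defaults to 1 and only prints the plan.
run_pinned_upgrade() {
    plan=$(upgrade_plan "$1") || return 2
    [ "$(id -u)" -eq 0 ] || { echo "root access required" >&2; return 1; }
    echo "repository state before change: $(repo_state "$(mwg-switch-repo -l)")"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$plan"
        return 0
    fi
    mwg-switch-repo --sticky "$1" && yum upgrade
}
```

Source the file on the appliance and call run_pinned_upgrade 8.2.3 to review the plan; set DRY_RUN=0 to execute it after the configuration backup is taken.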