Best Practices for Updating Secure Web Gateway
Before you begin an upgrade, it's important to adhere to the best practices outlined below:
- Always take a configuration backup. For steps, see the product guide for your release.
- When you upgrade from one major version to another, make sure to allocate at least one hour for maintenance. Most upgrades take less than 15 minutes, but the length of time depends on the age of your current installed release and target version.
- Always reboot the appliance after the upgrade.
- Always have some form of console access to the appliance available, either physical or by DRAC/RMM. This recommendation is in case the reboot takes longer than expected, for example when a disk check requires user interaction. Also, if you need to reimage, you can use the DRAC/RMM cards to mount an ISO image remotely.
- To upgrade to the latest version of WG, or to upgrade to a specific version of WG, search for the version here.
Upgrade to a Sticky Version
To test specific SWG versions before they can be rolled out into production, or if you have an intermediate upgrade step scheduled, you can use the "sticky" command to avoid upgrading to the most recent version of SWG. These steps can be performed only from the appliance command line.
You can also determine if you're using a sticky version or a non-sticky version of SWG. If you see the error saying Nothing to update, your current release is set as the sticky release.
IMPORTANT: When your current release is updated to a sticky release, you can't update SWG from the Manager.
To upgrade SWG to a sticky version:
- Log on to the SWG command line as a root user.
- Type mwg-switch-repo -l and press Enter. The output of this command can help you identify if a sticky bit is already set:
  Current Configuration: Non-sticky
  A benefit of the mwg-switch-repo --sticky command is that it makes sure that your WG is updated to your intended version.
- Define the version you want to update. Type mwg-switch-repo --sticky <version number> and then press Enter. The version number can be switched to any version.
- To start the update process, type yum upgrade and then press Enter.
Notes
- If you try to update via the WG manager while your current release is set as the sticky release, you see the error below:
Nothing to update
- To perform subsequent upgrades, you must issue another mwg-switch-repo --sticky <version> command as shown above.
- To switch back to the main release, type mwg-switch-repo main and press Enter.
- Upgrading with this repository always takes you to the latest release in the Main Branch. Make sure you know the most current release within the Main repository before upgrading. This information can help prevent an upgrade to an unexpected version. You can verify the current main version using the Content Security Portal.
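The following pre-flight guard for the sticky upgrade above is an added example, not part of the vendor's documentation or tooling. It prints the command sequence from this page only when the target version is well-formed, a non-empty backup file exists, and the repository state could be read; the function names, the dotted-numeric version format, and the backup path are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight guard for a sticky SWG upgrade.
# Uses only commands shown on this page; it prints the plan, it does not run it.

# Classify `mwg-switch-repo -l` output read from stdin. The page documents
# only the "Non-sticky" line; anything else is "other" for operator review.
repo_state() {
    line=$(grep -i '^Current Configuration:' | head -n 1) || true
    case "$line" in
        '') echo unknown ;;
        *[Nn]on-sticky*) echo non-sticky ;;
        *) echo other ;;
    esac
}

# Accept only dotted numeric versions (assumed format, e.g. 8.2.1), so a
# mistyped string or one carrying shell metacharacters is rejected.
valid_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = target version, $2 = backup file (hypothetical path),
# stdin = output of `mwg-switch-repo -l`.
plan_sticky_upgrade() {
    target=$1
    backup=$2
    valid_version "$target" || { echo "refuse: bad version '$target'" >&2; return 2; }
    [ -s "$backup" ] || { echo "refuse: no backup at '$backup'" >&2; return 3; }
    state=$(repo_state)
    [ "$state" != unknown ] || { echo "refuse: repo state unreadable" >&2; return 4; }
    echo "# repo state before change: $state"
    echo "mwg-switch-repo --sticky $target"
    echo "mwg-switch-repo -l"
    echo "yum upgrade"
}
```

Pipe the live output in as mwg-switch-repo -l | plan_sticky_upgrade <version> <backup file> and review the printed plan before typing the commands.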
Upgrades in Central Management Mode
If you’re updating in Central Management mode, please be aware of the following:
- Breaking up the cluster isn’t needed, but we recommend it when there’s a difference in the main version (for example, 8.1.x and 8.2.x). The reason is that the newer version has properties that are unavailable in the older version. Although it's not a technical requirement to break the cluster before an upgrade, it's a best practice.
- Perform the upgrade by removing all appliances separately from the Central Management cluster before you upgrade and then update each appliance individually.
- After you successfully update all your appliances, add them back to the Central Management cluster.
- Dismantling is not essential when there are version differences in the same Feature or Maintenance version.
- To update the appliance software on the nodes of a Central Management configuration, you can perform the update procedure from the user interface of one of the nodes. That node is then the last to be updated.
NOTE: All appliances in a Central Management cluster must have the same WG software version.
Central Management upgrade process:
1. Log on to the primary node interface.
2. Create and save your backup file by clicking Troubleshooting, <appliance name>, Backup/Restore.
   NOTE: Because all nodes in Central Management have a copy of each other's configuration, you have to create only one backup.
3. Remove an appliance node from Central Management:
   a. Click the Configuration tab. You see all nodes in Central Management in the tree on the left.
   b. Highlight the node you want to remove from Central Management and click Delete.
4. Log on to the standalone node that you deleted from Central Management in step 3.
5. Continue with the software upgrade:
   a. Click the Configuration tab.
   b. Highlight the node host name.
   c. Click Update appliance software.
6. Repeat steps 3–5 for the remaining nodes.
7. After you've upgraded all nodes, rejoin nodes to Central Management from the primary node:
   a. Log on to the primary node interface.
   b. Select Configuration, Appliances.
   c. On the appliances toolbar, click Add/Join.
   d. Type the Host name or the IP address of the appliance that you want to add.
   e. From the Network group, select a network group for the new appliance.
   f. Click Add appliance.
   g. Click OK.
Upgrade Appliances Set up as a ProxyHA, Transparent Router, or Transparent Bridge Cluster
To upgrade SWG appliances set up as a ProxyHA, Transparent Router, or Transparent Bridge cluster:
You can leave the nodes as is or you can perform the following. Leaving the nodes as is interrupts traffic, whereas performing the following has minimal interruption. This method focuses on taking old nodes out of service, upgrading them, and then transitioning new nodes into service.
1. Identify a redundant director node or scanning node that you want to upgrade. Take a backup before beginning as usual.
   a. Remove the port redirects under Configuration, Proxies. By removing the port redirects, this node stops receiving traffic from the director.
   b. Upgrade the node.
   c. When upgraded, add the removed port redirects back in, so the node starts receiving traffic again.
   d. Leave as standalone or add to the upgraded cluster.
2. Now that the redundant director node and scanning nodes are upgraded, you can upgrade the current director node.
   a. Adjust the priority to be zero or lower than the redundant director. This new value transitions traffic from the director node to the redundant director node.
   b. Perform steps 1a–d listed above.
NOTES:
- We recommend that you perform upgrades via the command line using the yum command. This approach gives you more control and visibility in the process. Make sure that you have root access to the command line.
- In between each of these steps, we recommend that you verify that traffic is passing normally. This way you can easily revert to the last step. In step 2a, you might see an issue if you don't have a redundant director.
Upgrades in Networks Without Internet Access
If your network doesn't have internet access, you can perform the upgrade process using Yum. Yum is a real-time upgrade performed by downloading files directly from our servers. If your appliances don’t have access to these servers, you must perform the upgrades by reimaging to the needed version and restoring a backup.
Upgrades in FIPS Mode
FIPS mode doesn't allow you to upgrade. You must reimage your appliance with the needed version (and again, select FIPS during the install), and then restore a backup. SWG v7.8.2 is the latest product version that is FIPS-certified.
NOTE: FIPS backups can’t be restored on non-FIPS appliances.
Downgrading
Downgrading a Skyhigh Secure Web Gateway appliance isn't supported. If you need to run an earlier release, you must reimage the appliance with the needed version and restore the backup taken before the upgrade.
Points to Remember
- The Web Gateway (SWG) primarily uses the .backup extension for backup files, though it also accepts other extensions like .bak for restoring configurations.
- Skyhigh recommends using the '.backup' extension for backup and restore of configurations.
- Do not attempt to change the backup file extension in the SWG UI. To change the extension, modify it either before downloading or after the download is complete.
NOTE: If you aren’t prompted with a pop-up to save the file to your desired path, it’s likely that your browser is automatically saving downloads to the Downloads folder. To resolve this, adjust your settings to Ask where to save each file before downloading.