Chapter 11: Version Management

Managing Different Firewall Software Versions

InCenter is able to manage nodes running different firewall software versions. This section describes the issues related to managing nodes running various software versions and also describes these nodes' relationship with the version of InCenter itself.

Note that for cOS Stream software, version management by InCenter is only available from node software version 3.00.00 and later.

Upgrading Both InCenter and Nodes

For InCenter versions after 1.67.00 there is no longer a tight coupling between InCenter and the software running on the nodes that it manages. This means that the node's software version can be upgraded without requiring a matching upgrade of the InCenter version.

However, it is still recommended that the InCenter version is upgraded when a new version becomes available. When upgrading both the InCenter version and the software version of the nodes it manages, InCenter should be upgraded first.

Upgrading of node software is done as normal, by connecting to each node directly, outside of InCenter, and uploading the relevant upgrade package. This is described in the separate Administration Guide for the node software. Upgrading the node will not, by itself, change the version information held by InCenter.

InCenter Upgrades Will Change the Highest Supported Version

In order for InCenter to be able to correctly manage a particular version of firewall software, its database must contain the full details of the features in that version. It is for this reason that InCenter may need to be upgraded together with the firewalls under its control.

The administrator may not be able to configure a particular feature on a node if the InCenter software version is unaware of this feature.

Updating the InCenter Node After Upgrading the Firewall

There are two software version numbers when InCenter manages firewalls: the software version on the firewall itself and the version in InCenter's local Node object. Ideally, they should be the same but could become out of sync after an upgrade of the firewall's software.

Resynchronization of the versions is performed automatically by InCenter when deploying configuration changes. Whenever a configuration change is deployed with the activate command, InCenter checks that its node version number matches the version number of the software on the firewall itself. If the firewall has a higher version than the node in InCenter, then the node version held by InCenter is automatically upgraded before the new changes are deployed, and InCenter outputs a message to indicate this. A typical message is shown in the example CLI output below:

admin@InCenter:/> activate
Operation in progress...-
Activate successful
Nodes activated: my-node1
Notices:		
-StandaloneNode my-node1:
Configuration upgraded from version 3.20.03 to 3.30.00
Run the "commit" command to keep the new configuration
admin@InCenter:/>

However, if the firewall software version is lower than the node version held by InCenter, the activate will fail and a message is output to indicate this. The firewall software must then be upgraded before the activate can succeed.

If the activation process fails, perhaps because of a problem with a configuration change, then the node's version information in InCenter will be left unchanged.

The automatic upgrade of the node version held by InCenter will work in the same way on both an HAPair and a StandaloneNode.

Displaying the Node Software Version

A data item called Version is displayed by InCenter when it shows node information. This is the firewall software version number which is in the InCenter database for that node.

Below is an example of the version value being displayed for a node called dev1:

admin@InCenter:/> show StandaloneNode
   Name  Username  IP           Port  Version
-  ----  --------  -----------  ----  ------------
   dev1  admin     10.6.44.135  22    3.30.00.05

The version field might be blank if the node has been added but the configuration has not yet been imported or the import failed for some reason, such as having an old version which InCenter does not support.

If there is a mismatch with the software version in the InCenter database because the node has been upgraded, InCenter will detect this on the next activate operation and convert its database version so it matches.
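The version check made by activate can be rehearsed before a deployment. The following is an added example, not InCenter code: it parses text in the layout of the show StandaloneNode output above and predicts the outcome for each node. The function names, the extra sample nodes and the separately collected firewall versions are assumptions, as is comparing the dotted version components numerically.

```python
import re

# Constructed sample in the layout of the "show StandaloneNode" output above.
SHOW_OUTPUT = """\
   Name  Username  IP           Port  Version
-  ----  --------  -----------  ----  ------------
   dev1  admin     10.6.44.135  22    3.30.00.05
   dev2  admin     10.6.44.136  22    3.20.03
   dev3  admin     10.6.44.137  22
   dev4  admin     10.6.44.138  22    3.30.00
"""
# Constructed: versions read from each firewall directly, outside InCenter.
ON_FIREWALL = {"dev1": "3.30.00.05", "dev2": "3.30.00",
               "dev3": "3.30.00", "dev4": "3.20.03"}

def parse_show_nodes(output):
    """Map node name -> Version held by InCenter (None when blank)."""
    lines = output.splitlines()
    # The dashed row gives the exact column boundaries of the table.
    sep = next(i for i, l in enumerate(lines)
               if l.strip() and set(l) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[sep])]
    ends = starts[1:] + [None]          # last column runs to end of line
    header = [lines[sep - 1][s:e].strip() for s, e in zip(starts, ends)]
    name_col, ver_col = header.index("Name"), header.index("Version")
    nodes = {}
    for line in lines[sep + 1:]:
        cells = [line[s:e].strip() for s, e in zip(starts, ends)]
        if cells[name_col]:
            nodes[cells[name_col]] = cells[ver_col] or None
    return nodes

def as_tuple(version):
    """'3.20.03' -> (3, 20, 3); assumes components compare numerically."""
    return tuple(int(part) for part in version.split("."))

def predict_activate(held, on_firewall):
    """Expected result of the version check made by activate for one node."""
    if held is None:
        return "no version held: import missing or failed"
    if as_tuple(on_firewall) > as_tuple(held):
        return "InCenter node version upgraded, then changes deployed"
    if as_tuple(on_firewall) < as_tuple(held):
        return "activate fails: upgrade the firewall first"
    return "versions match"

def report(show_output=SHOW_OUTPUT, on_firewall=ON_FIREWALL):
    held = parse_show_nodes(show_output)
    return {n: predict_activate(v, on_firewall[n]) for n, v in held.items()}
```

Calling report() returns one predicted outcome per node, so nodes that would fail the activate or that have no imported configuration can be dealt with first.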

Importing an Unsupported Version Will Not Be Allowed

If the administrator tries to add and then import a node whose software version is not supported by InCenter (because InCenter has not been upgraded), then the import will fail and InCenter will produce a message saying that the version is unsupported.