Use Case: Upgrading Fortinet Gateways
One of the most time-consuming and risky tasks in maintaining security infrastructure is updating devices to the latest stable software version.
In most cases, an upgrade to a new minor or major software release is triggered by one of three reasons:
- The currently deployed version is reaching the end-of-support date defined by the vendor.
- The currently deployed version has one or more disclosed vulnerabilities that the vendor has fixed in a newer release.
- The newer version offers new capabilities, features or enhancements that you want to use.
The challenges around an upgrade process fall into three major areas:
1. Time
Each upgrade is time consuming, and in a large deployment that time is multiplied by the number of devices that need the new software.
2. Maintenance Windows
Each upgraded gateway requires (if not in a clustered mode) a maintenance window for the environment it affects. Even in a clustered environment, upgrading a single node of the cluster creates a single point of failure for the duration of the upgrade. Scheduling a separate maintenance window for each node or cluster upgrade prolongs the upgrade project.
3. Risk
Not all upgrades are successful. Knowing that a roll-back or disaster-recovery process may have to be initiated adds risk to the affected environment and may cause prolonged downtime.
Use Case Objectives
BackBox’s Intelligent Automation provides the ability to execute pre-upgrade and post-upgrade validations to ensure that the device was upgraded to the correct version and that it meets the conditions required to deem the upgrade a success.
In addition, BackBox provides the ability to chain multiple version upgrades in order to complete a multi-step upgrade path efficiently and reliably.
The built-in pre-upgrade backup procedure also ensures that if, at any point, the upgrade fails to meet the expected success criteria, the device can be rolled back to the previous version and its associated configuration.
How BackBox Executes this Solution
As a first step, the administrator specifies the target version required for the upgrade.
Once the patch files are uploaded to the BackBox server through the web interface, BackBox, either on demand or on a pre-set schedule, executes the automated upgrade process and performs the following tasks:
- Back up the configuration files of the target devices.
- Determine (in a clustered environment) which device is primary and which are secondary.
- While connected to the secondary device, execute the pre-upgrade parameter checks, including (but not limited to):
  - Number of interfaces configured
  - Number of routes configured
  - Number of active sessions
  - Number of policy rules
- Execute the actual upgrade process as recommended by the vendor.
- Reboot the device (if required).
- Execute the additional upgrades (if running a multi-step chained upgrade).
- Execute the post-upgrade parameter check to verify the integrity of the upgrade.
- Verify that the correct target version was reached.
- Execute the same process on the primary device.
- In the event of a failure during the upgrade process or validation, BackBox rolls back to the original verified version and recovers the configuration.
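The following is an added example, not BackBox's or Fortinet's own code, showing the logic behind the procedure above: capture a parameter snapshot before and after the upgrade, confirm the target version was reached, compare the static counts (interfaces, routes, policies), allow the dynamic session count to recover only to an assumed threshold, and turn the result into a commit-or-rollback decision. It also plans a chained multi-step path through a constructed stand-in for the vendor's upgrade matrix. The CLI output samples are constructed (their shape is modelled on FortiOS `get system status` and `show` output), and the threshold, version numbers and matrix are assumptions.

```python
"""Pre/post-upgrade validation and chained upgrade-path planning (illustrative only)."""
import re
from collections import deque
from dataclasses import dataclass, field

# Matches a line such as "Version: FortiGate-100F v7.0.12,build0523 (GA.M)".
# Line shape modelled on FortiOS `get system status`; samples below are constructed.
VERSION_RE = re.compile(r"^Version:\s+\S+\s+v(\d+\.\d+\.\d+)", re.MULTILINE)


def parse_version(status_output: str) -> str:
    """Return the firmware version (e.g. '7.0.12') from status output."""
    m = VERSION_RE.search(status_output)
    if m is None:
        raise ValueError("no 'Version:' line found in status output")
    return m.group(1)


def count_config_entries(show_output: str) -> int:
    """Count `edit <name>` entries in a FortiOS-style `show` configuration block."""
    return len(re.findall(r"^\s*edit\s+\S+", show_output, re.MULTILINE))


@dataclass(frozen=True)
class Snapshot:
    """Parameter set captured before and after an upgrade."""
    version: str
    interfaces: int
    routes: int
    policies: int
    sessions: int


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def validate_upgrade(pre: Snapshot, post: Snapshot, target_version: str,
                     session_floor: float = 0.5) -> Verdict:
    """Compare the post-upgrade snapshot with the pre-upgrade one.

    Static counts must be unchanged. Sessions are dynamic, so they only have to
    recover to `session_floor` of the pre-upgrade value (assumed threshold).
    """
    reasons = []
    if post.version != target_version:
        reasons.append(f"version {post.version} != target {target_version}")
    for name in ("interfaces", "routes", "policies"):
        before, after = getattr(pre, name), getattr(post, name)
        if before != after:
            reasons.append(f"{name}: {before} before, {after} after")
    if pre.sessions and post.sessions < pre.sessions * session_floor:
        reasons.append(f"sessions: {post.sessions} below {session_floor:.0%} of {pre.sessions}")
    return Verdict(ok=not reasons, reasons=reasons)


def decide(pre: Snapshot, post: Snapshot, target_version: str) -> str:
    """Any failed check means the device is rolled back to the backed-up version."""
    return "commit" if validate_upgrade(pre, post, target_version).ok else "rollback"


def upgrade_path(current: str, target: str, supported: dict) -> list:
    """Shortest chain of supported hops from `current` to `target` (breadth-first).

    `supported` maps a version to the versions it may upgrade to directly; it is a
    constructed stand-in for the vendor's upgrade matrix, not real vendor data.
    """
    prev = {current: None}
    queue = deque([current])
    while queue:
        v = queue.popleft()
        if v == target:
            path = []
            while prev[v] is not None:
                path.append(v)
                v = prev[v]
            return path[::-1]
        for nxt in supported.get(v, ()):
            if nxt not in prev:
                prev[nxt] = v
                queue.append(nxt)
    raise ValueError(f"no supported upgrade path from {current} to {target}")


# Constructed sample data (not captured from a real device).
PRE_STATUS = "Version: FortiGate-100F v6.4.14,build2493 (GA)\nSerial-Number: CONSTRUCTED\n"
POST_STATUS = "Version: FortiGate-100F v7.0.12,build0523 (GA.M)\nSerial-Number: CONSTRUCTED\n"
POLICY_SHOW = ('config firewall policy\n    edit 1\n        set name "allow-web"\n    next\n'
               '    edit 2\n        set name "deny-all"\n    next\nend\n')
UPGRADE_MATRIX = {"6.4.14": ["7.0.12"], "7.0.12": ["7.2.5"], "7.2.5": ["7.4.1"]}


def demo():
    """Plan the chained path, then validate the first hop from constructed snapshots."""
    pre = Snapshot(parse_version(PRE_STATUS), interfaces=12, routes=40,
                   policies=count_config_entries(POLICY_SHOW), sessions=10000)
    post = Snapshot(parse_version(POST_STATUS), interfaces=12, routes=40,
                    policies=count_config_entries(POLICY_SHOW), sessions=6000)
    return upgrade_path("6.4.14", "7.4.1", UPGRADE_MATRIX), decide(pre, post, "7.0.12")


if __name__ == "__main__":
    print(demo())
```

In a real run the snapshots would be built from the device's actual `get system status`, interface, routing, policy and session output, taken once before the upgrade and again after the reboot; the point of the comparison is that a missing route or policy after the upgrade is treated as a failed upgrade even when the version string is correct.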
Meet us at the Fortinet Accelerate 2019: