Redundant Firewalls Upgrade Guide

From PFSenseDocs

This page provides guidance on upgrading redundant firewalls (CARP, pfsync, config sync) from 1.2.3 to 2.0.

Config sync considerations

You'll upgrade either the primary or the secondary first, leaving the other on 1.2.3 until testing is complete. Which one to upgrade first depends on your preference, though there are additional considerations. Historically we've recommended upgrading the secondary first, verifying it functions as desired, and then upgrading the primary. However, with 2.0 the opposite may be preferable. 1.2.3 does not check the version of the system it is syncing its config to, so it will overwrite pieces of a 2.0 config with the old config structure, which is wrongly formatted for 2.0. Upgrading the primary first may therefore be preferable: 2.0 will not sync its config to 1.2.3, which avoids the problems that occur when syncing the wrong configuration version.

If you upgrade the secondary first, remove the IP, username and password from the Config sync tab under Firewall > Virtual IPs until the primary is upgraded to 2.0.

pfsync considerations

The underlying pfsync protocol changed between FreeBSD 7.2 (1.2.3) and 8.1 (2.0), so these versions cannot sync their states with each other. Failover will still work normally, but stateful failover will not, so all existing connections will be dropped.

CARP considerations

CARP is the same between the two versions and will fail over and back just fine. Just keep in mind the above considerations with pfsync and the configuration synchronization.

Performing the upgrade

After choosing the system to upgrade, and disabling config sync if upgrading the secondary first, you can proceed with a normal upgrade as described in the Upgrade Guide.