/
How to Update Managed High Availability Clusters with Automatic Failover

How to Update Managed High Availability Clusters with Automatic Failover

Jan 09, 2026

To update the high availability cluster using automatic failover, both firewalls must be enabled. The passive firewall must be updated first while the active firewall keeps operating. After the passive firewall update is complete, the active firewall will automatically transfer control to the passive firewall and make it the active one. After the update of the primary firewall is complete, control will be transferred from the active secondary firewall back to the primary firewall. The secondary firewall will fall back to stay in passive mode.

If required, update your Control Center before updating your managed firewalls to a newer firmware version. After major version updates, the cluster version on the Control Center must be migrated to match the new firmware version.

The Control Center checks every hour for updates relevant to the configured cluster versions. It can take up to one hour for the updates, hotfixes, and patches to be displayed when a new cluster with a previously unused cluster version is created.

Before You Begin

If you are using SSL Inspection on your border firewall, you must add dlportal.barracudanetworks.com and d.barracudanetworks.com to the SSL Inspection Domain Exceptions on the  your CloudGen Firewall > Assigned Services > Firewall > Security Policy page. For more information, see TLS Inspection in the Firewall.

Step 1: Verify the Compatibility of the Control Center Firmware with the Managed Firewalls

Before updating a managed firewall to a higher firmware version, verify that the Control Center is running a firmware version that is equal to or higher than the highest firmware version used by a managed firewall after the update.

For more information, see Updating CloudGen Firewalls and Control Centers.

Step 2. Enable Automatic Failover

  1. Go to CONFIGURATION > Configuration Tree > Box > Box Properties.

  2. In the left menu, click Operational.

  3. Expand the Configuration Mode menu and select Switch to  Advanced View.

  4. Click Lock.

  5. From HA Firmware Update, select Automatic Failover.

  6. Click Send Changes and Activate.

Step 3. Download the Update Package to the Control Center

Download the update package to the Control Center.

  1. Log into the Control Center.

  2. Go to CONTROL > Firmware Update.

  3. In the lower half of the screen, click the Download Portal tab.

  4. Hover the mouse over the desired update package to display the download icon.

  5. Click the download icon, and select Download.

After the download finishes, the update package is available in the Files on Control Center tab.

Step 4. (optional) Create Update Groups

  1. Go to CONTROL > Firmware Update.

  2. In the ribbon bar, click Edit Groups.

  3. Click New Group. A new update group is created in the list.

  4. Hover the mouse over the new group and click the edit icon.

  5. Enter a name for the update group.

  6. (optional) Use the Filter options to display the firewalls you want to add to this group.

  7. Select, then drag and drop firewalls to the new user group.

  8. Click Save Changes.

Step 5. Select Firewalls and Schedule File Transfer

  1. Go to CONTROL > Firmware Update.

  2. Double-click on both firewalls on the HA cluster to add them to the Selected Firewall Update List.  

  3. In the Files on Control Center tab, select the update package.

  4. Click Schedule File Transfer. The New Update Task window opens.

  5. (optional) Select the Scheduling Mode and Schedule Time to schedule a time for the file transfer.

  6. Click OK.

Step 6. Schedule Update for the Secondary Firewall

  1. Go to CONTROL > Firmware Update.

  2. In the File Transfer Status column, filter for Completed Transfer. The list of completed transfers for the secondary firewall is displayed.

  3. Select the secondary firewall to perform the update.

  4. Right-click the secondary firewall and click Perform Update. The Schedule Task window opens.

  5. (optional) Configure the time and authentication settings for the update:Unsupported bulletList

  6. Click OK.

Wait for the update to finish. Depending on the system hardware, the process can last anywhere from 15 minutes (for a fast system) to 60 minutes (for flash appliances).

Unless otherwise noted, the firewall will reboot after the update.

Step 7. Schedule Update for the Primary Firewall

  1. Go to CONTROL > Firmware Update.

  2. In the File Transfer Status column, filter for Completed Transfer. The list of completed transfers for the secondary firewall is displayed.

  3. Select the primary firewall to perform the update.

  4. Right-click the primary firewall and click Perform Update. The Schedule Task window opens.

  5. (optional) Configure the time and authentication settings for the update:

    • Box Authentication – Select Trusted (Validate Key)

    • Scheduling Mode – Select Immediate Execution to update immediately, or Delayed Execution to set the time the update is triggered 

    • Priority – When multiple tasks are configured for execution, the priority setting determines the execution order.

  6. Click OK.

We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.