Upgrade Best Practices and Understanding Release Branches

The Secure Web Gateway has two release branches, Main and Controlled. After reading this article, you should have a basic understanding of each release branch, the best practices for upgrading, and how to upgrade to the Secure Web Gateway version you want to use.

Main vs Controlled

Both main and controlled release branches are fully QA tested and supported. Here are some things to expect from each branch.

Main Release Branch

  • Default version on all new Secure Web Gateway appliances.
  • Maintenance releases are provided throughout the year (every two months).
  • Provides feature enhancements once a year.

Controlled Release Branch

  • Provides feature enhancements once every four months.
  • Patch releases are either made between feature releases or rolled into the next one.
  • Customers have to actively decide to switch to this branch.

At the end of the one-year period, the current controlled release version becomes the main release.

Below is a visualization of the release process:


Best Practices

Skyhigh Support recommends that you stay on the Main Release Branch instead of going to the Controlled Branch unless you have a specific purpose (for example, you need a new feature urgently). Most customer environments are better off with the main release branch and maintenance releases only.

Once you go to the Controlled Release, you cannot move back without a complete reimage and recreation of your rules. A backup from the Controlled Release cannot be imported to a Main Release version.


Please follow these best practices when upgrading to a different version.

  • Always take a backup (Configuration > Backup/Restore)
  • Be patient! If you are upgrading from one major version to another, be sure to allocate an hour (at least) for maintenance. Most upgrades take 15 minutes or less, depending on how far back you are.
  • If you are updating in Central Management Mode, please read over our best practices here about dismantling the cluster. Breaking up the cluster is not required, but is recommended when there is a difference in the minor version (i.e. 7.6.x vs 7.7.x). Dismantling the cluster is recommended for an N+1 difference because the newer version knows of properties that are not available in the older version.
  • Dismantling is not essential when there are version differences in the same micro version (i.e. and
  • If you have Secure Web Gateways set up in a ProxyHA, Transparent Router, or Transparent Bridge cluster, see the following thread:
  • We suggest doing upgrades via the command line and the "yum" command. This gives you more control and visibility into the process. Please make sure you have root access to the command line for this.
  • Always reboot the appliance after upgrading
  • Have some form of console access, either physical or by DRAC/RMM. This is in the event the reboot takes longer than expected (i.e., disk check requires user interaction). Also note that if you need to reimage, the DRAC/RMM cards can be used to mount an ISO image remotely.

How to upgrade to the latest version of either branch

Please see the release notes on the Content Security Portal. Each release notes document has an upgrading section at the bottom with release-specific instructions.

How to upgrade to a specific version

Customers often need to test specific Secure Web Gateway versions before they can be rolled out into production. If a newer release has happened while you were testing (for example, you were testing and in the meantime was released), you have to take special steps to get to your desired version.

On the command line execute the following commands:

  1. mwg-switch-repo --sticky <version number>
  2. yum upgrade

The version number can be switched to any version such as


  • A benefit of the 'mwg-switch-repo --sticky' command is that it ensures that your Secure Web Gateway is updated to your intended version.
  • Once updated to a sticky release, you will not be able to update the Secure Web Gateway from the UI. If you attempt to update via the Secure Web Gateway UI, you will receive a message stating "Nothing to update". This is because you're sticky to your current release.
  • For subsequent upgrades, you will need to issue another mwg-switch-repo --sticky <version> command as shown above.

Useful commands

How to check if you're using a Secure Web Gateway "sticky" release:

mwg-switch-repo -l

Example output: "Current Configuration: Non-sticky Secure Web Gateway (release)"

How to switch from a sticky release back to the main release repository:

mwg-switch-repo main

NOTE: Upgrading with this repository will always take you to the latest release in the Main Branch. Make sure you know the most current release within the Main repository before upgrading. This will help prevent an upgrade to an unexpected version.
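
The upgrade steps and the minor-version cluster guidance above, combined into a dry-run planner. This is an added example, not Skyhigh's own tooling; the function names, the sample versions, and the reading of any line other than the non-sticky one as "sticky" are assumptions.

```shell
#!/bin/sh
# Dry-run planner for the upgrade steps in this article (added example).
# It prints the commands in order; it does not run them.

# Classify the line printed by `mwg-switch-repo -l`. Only the non-sticky
# wording appears in the article; reading any other "Current Configuration:"
# line as sticky is an assumption.
repo_mode() {
    case "$1" in
        *"Current Configuration: Non-sticky"*) echo non-sticky ;;
        *"Current Configuration:"*)            echo sticky ;;
        *)                                     echo unknown ;;
    esac
}

# Accept only dotted numeric versions so nothing else reaches the command line.
valid_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# 7.7.2 -> 7.7
minor_of() { echo "$1" | cut -d. -f1,2; }

# Article guidance: dismantling is recommended when the minor version differs.
cluster_advice() {
    if [ "$(minor_of "$1")" = "$(minor_of "$2")" ]; then
        echo keep-cluster
    else
        echo dismantle-recommended
    fi
}

# Print the ordered plan for current -> target; fail on malformed versions.
upgrade_plan() {
    valid_version "$1" && valid_version "$2" || return 1
    echo "# backup first: Configuration > Backup/Restore"
    echo "# Central Management cluster: $(cluster_advice "$1" "$2")"
    echo "mwg-switch-repo --sticky $2"
    echo "yum upgrade"
    echo "reboot"
    echo "mwg-switch-repo -l"
}

# Constructed sample versions, not read from a real appliance.
upgrade_plan 7.6.2 7.7.2
```

On an appliance, pass the output of mwg-switch-repo -l to repo_mode before planning; a sticky result means the UI update will report "Nothing to update" and the next upgrade needs another --sticky switch.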

What is the latest main and controlled release?

Current main release branch: 7.7.2.x. Current controlled release branch: 7.8

Upgrades in Networks without Internet Access

A yum upgrade runs in real time and downloads files directly from Skyhigh Security's servers. If your machines do not have access to these servers, you have to perform upgrades by re-imaging to the desired version and restoring a backup.

Upgrades in FIPS mode

FIPS mode does not allow you to upgrade. You need to reimage your appliance with the desired version (select FIPS again during install) and restore a backup. Note that FIPS backups cannot be restored on non-FIPS appliances.


Downgrading a Secure Web Gateway appliance is not supported at this time. If you still need to downgrade, you need to reimage with the older version and restore the backup you took before the upgrade.
