Cloud Gateway Upgrade Process

Published January 6, 2023



Cisco Secure Email Cloud Gateway (formerly Cisco Cloud Email Security [CES]) is changing its upgrade process around the unupgradable option.

How is the upgrade process happening now?

After an AsyncOS version is ready for deployment for CES customers, notices are published on The status page lists the necessary information, such as the upgrade dates and content of the upgrade. Once the published dates arrive, the upgrades are carried out in a batched manner, and all allocations in the Data Centers are upgraded with the latest software version. Upgrades are completed in two phases. For compatibility purposes, the SMA (Security Management Appliance) is upgraded first at a notified date/time. ESA(s) are upgraded after the SMA upgrade window, typically a week or two after SMA releases.

There is an option for customers to get themselves a temporary ‘unupgradable’ tag in CES, which lets them stay in their current version. The unupgradable tag stays for 90 days from the date of request. Customers can request the tag using a Cisco TAC (Technical Assistance Center) support request.

Premium Support customers (SWSS) can plan their upgrades with the help of their Cisco DSM (Designated Service Manager).

There is a possibility of making an ad-hoc update request by opening a Cisco TAC support request; however, the AsyncOS version(s) availability depends on compatibility with CES. Cisco can confirm once a support request has been opened.

The change in the upgrade process is around the ‘unupgradable’ tag and hence the possibility for customers to stay on older releases for a significant amount of time.

What are the changes to the upgrade process?

The change has the following aspects:

  • At the time of upgrade of a version, if an allocation is on a version older than the version released 120 days before, it will be auto-upgraded

The upgrade in the above scenario will not consider the ‘unupgradable’ tag

What are the upgrade maintenance windows?


Maintenance Windows

Maintenance Windows: Sunday-Friday
Europe Window: 6 PM to 2 AM (BST, London)
Canada Window: 6 PM to 2 AM (PDT, Kamloops)
Americas Window: 6 PM to 2 AM (PDT, San Francisco)
APJ (Asia Pacific and Japan) Window: 6 PM to 2 AM (JST, Tokyo)

Why this change, and what is the benefit to customers?

In principle, the change in process is being made to ensure that no CES allocations stay at a version older than 120 days. This is being done to enable faster rollout of the software and reduce the effort for qualification of versions for upgrading from one version to another.

The change will enable the following:

  • Increased cadence or frequency in the rollout of features and software versions and hence better email security
  • Quicker rollouts due to smaller maintenance windows of upgrades
  • Less impact due to CVEs associated with underlying components and libraries, as the upgrades can be qualified and deployed faster


Version A had mass upgrades start on 10 Jan

Version B had Mass Upgrades start on 10 Feb

Version C is planned to start Mass Upgrades on 25 May

Case 1: Customer is on version B and does not have an unupgradable tag on 25 May

The customer will be upgraded to the latest version C. The reason is that the customer has no reservations about being upgraded.

Case 2: Customer is on version B and has an unupgradable Tag on 25 May

The customer will not be upgraded to Version C as they have an unupgradable tag and are within the limits of 120 days for the last mass upgrade.

Case 3: Customer is on version A and has an unupgradable Tag on 25 May

The customer will be upgraded to version C even though the unupgradable tag is present. This is because the 120-day rule must be followed for all allocations, and the gap between the mass upgrade start is 135 days.


Can I still plan my upgrades with the help of a TAC ticket?

Yes, customers will be able to plan for upgrades with a TAC ticket if they prefer deployment on a specific date. However, the rule that they must stay on a version that is not older than 120 days is applicable. If the above condition is not satisfied, they will be upgraded to the latest.

If I am an SWSS customer, how does it impact my process?

SWSS or premium support customers can plan their upgrades as they do now. However, their upgrades must also adhere to the 120-day rule.

We have an annual freeze from November End to January First week. Will CES upgrades happen during this time?

CES has annual freeze dates in November and December. It is usually done during the festival seasons and around the New Year.

When can the customer start requesting TAC for the specified date? After releasing a new OS? Or after mass upgrade notice?

If a version (e.g., 15.0) is announced for Mass Upgrades on 7 Apr, then customers cannot upgrade their instances to that version (15.0) before 7 Apr. They can plan only after the mass upgrade process has been completed.

How are 120 days calculated?

Whenever a start of a Mass Upgrade is announced, the start date is the reference point, and from that date, it is seen whether the customer instance is on a version that had a mass upgrade within the last 120 days. If yes, they are skipped from the current mass upgrade, provided they have the ‘unupgradable’ tag. If not, they are upgraded in the announced mass upgrade.

Additional Information

Cisco Secure Email Gateway Documentation

Secure Email Cloud Gateway Documentation

Cisco Secure Email and Web Manager Documentation

Cisco Secure Product (Rebranding) Documentation