Updating Zyxel USG FLEX, ATP, and VPN Devices from Very Old Firmware Versions

This article describes a recommended and safe approach to updating Zyxel USG FLEX, ATP, and VPN devices that have not been updated for a long time and are currently running very old firmware versions. The article focuses specifically on complex upgrade scenarios involving outdated firmware, where a direct upgrade to the latest release may result in errors, configuration loss, or unstable system behavior.

Purpose of the Article

• To describe a safe and recommended approach for upgrading from very old firmware versions to current releases.

• To highlight the risks of performing a direct upgrade without intermediate steps.

• To explain how to avoid configuration corruption or loss during the upgrade process.

• To provide an overview of firmware branch history for each device product line.

Firmware Version History

Below is a generalized firmware version history used for planning a correct and safe upgrade path.

USG FLEX:  V4.50 → V4.55 → V4.60 → V4.62 → V5.00 → V5.01 → V5.02 → V5.10 → V5.20 → V5.21 → V5.30 → V5.31 → V5.32 → V5.35 → V5.36 → V5.37 → V5.38 → V5.39 → V5.40 → V5.41

ATP: V4.32 → V4.33 → V4.35 → V4.50 → V4.55 → V4.60 → V4.62 → V5.00 → V5.01 → V5.02 → V5.10 → V5.20 → V5.21 → V5.30 → V5.32 → V5.35 → V5.36 → V5.37 → V5.38 → V5.39 → V5.40 → V5.41

VPN: V4.35 → V4.39 → V4.60 → V4.62 → V5.00 → V5.01 → V5.02 → V5.10 → V5.20 → V5.21 → V5.30 → V5.31 → V5.32 → V5.35 → V5.36 → V5.37

Recommendation:
VPN devices are particularly sensitive when upgrading from very old firmware versions, as changes to IPsec and SSL VPN functionality have accumulated across multiple branches.

How do I determine which firmware to apply before upgrading to the latest firmware? 

This information can be found in the firmware release notes (available in English only). Most, if not all, firmware release notes include a “Read Me First” section that highlights important notes and considerations specific to that firmware version.

Read Me First

Within these “Read Me First” sections, you will find information about the minimum required firmware version that must be installed before applying the firmware version described in the release notes. The following is an example from the USG FLEX 500   ZLD5.38C0 release notes:

Additional considerations

When upgrading firmware - especially on remotely deployed devices - there is a risk that an older configuration may not be fully compatible with the new firmware version.

If this occurs, the device may attempt several reboots to apply the existing startup configuration. If unsuccessful, it will automatically fall back to the system default configuration as a safety measure. This can lead to service disruption, particularly if no on-site access or assistance is available.

When upgrading a device from a very old firmware version, there is an increased risk of configuration compatibility issues during the reboot process. To minimize this risk, Zyxel strongly recommends applying the preventive steps described below before starting the firmware upgrade, as this significantly improves the chances of a smooth and successful update.

The same procedure is also recommended when performing a firmware downgrade or when installing a weekly (bug-fix) firmware, as well as in remote upgrade scenarios, where similar risks may apply.

How can this be avoided in the first place?

When applying a configuration, you usually are prompted with different rollback choices - in other words: The unit is asking "What shall I do in case I find out that the configuration you want to apply is somehow corrupted?":

By default, the device is set to “Immediately stop applying the configuration file and roll back to the previous configuration.” In most cases, this behavior works as expected. However, if the system again interprets certain configuration entries as problematic, the rollback process itself may fail. In such situations, the device may revert to the system default configuration as a self-protection mechanism.

For this reason, when applying a configuration in the context of a firmware upgrade from a very old version, Zyxel recommends selecting the third rollback option, “Ignore errors and finish applying the configuration file.” 

With this option, the device processes the configuration line by line, skips only the problematic entries, and completes the configuration load. Any ignored or failed entries are recorded in the Monitor logs, allowing administrators to review and address them afterward.

Monitor > Logs

Setenv script

During a firmware upgrade, it is not possible to manually select the rollback behavior for applying the startup configuration on reboot. To address this limitation, Zyxel provides a small helper script, commonly referred to by Support as the “setenv script.”

You can change the way the startup-config.conf file is applied. Include the setenv-startup stopon-error off command. The Zyxel Device ignores any errors in the startup-config.conf file and applies all of the valid commands. The Zyxel Device still generates a log for any errors.

CLI-commands that it writes into the unit when applied:

1. Download the setenv.zip

2. Upload and apply the script via
   Maintenance → File Manager → Shell Script

3. Create a backup of the configuration (both locally and on the device).

4. Proceed with the required firmware upgrade or downgrade.

Note: While this procedure is considered safe and significantly reduces the risk of configuration loss, unexpected issues may still occur in rare cases. Whenever possible, firmware upgrades should be performed with on-site access. Any abnormal behavior should be reported to Zyxel Support for further investigation.