This article mostly refers to older USG-series devices but showcases a general approach to upgrading your firmware smoothly from an older version to the latest one. It also shows you how to find the proper firmware migration path for your unit.
Agenda
- Basic things to consider
- How do I know what firmware to apply before moving to the last firmware?
- What is the optimal upgrade path?
- Where can I find the release notes of my firmware?
- Anything else I should consider?
There are some basic things to consider here:
- The latest 3 firmware versions can be found at www.myzyxel.com: log in to your account and navigate to the section called "Download Firmware".
- Firmware versions older than these can be found in this article:
Security Products - Firmware History Overview (FLEX, ATP, USG, VPN, ZYWALL)
- If your unit runs an older firmware version, you should not install the latest firmware directly. First, check whether another firmware version has to be applied before moving to that firmware.
- To avoid issues leading to configuration loss, please read through and, if applicable, proceed as explained in this article:
Avoiding configuration corruption & crashes on firmware upgrade/downgrade ("Setenv-Script")
How do I know what firmware to apply before moving to the last firmware?
This can be checked in the release notes of the firmware (only available in English). Most, if not all, firmware release notes contain a "Read Me First" section with important notes regarding that firmware version.
Within these Read Me First sections, you will find the minimum firmware version that is required before applying the firmware the release notes are for. Here is an example from the USG310's v4.62 release notes:
This means that firmware v4.38 has to be applied before moving to this particular firmware.
What is the optimal upgrade path?
The general upgrade path for our professional firewalls is as follows:
ATP/USG FLEX-Series:
USG-Series:
v4.25 -> v4.30 -> v4.32 -> v4.38 -> v4.62 -> v4.65
VPN-Series:
v10.01 -> v4.35 -> v4.39 -> v4.62 -> v5.02
The patch version of a firmware version is indicated by the number in the brackets after the firmware version; the letters before it are a unique model code. For example, v4.65(AAAA.0) is v4.65 for a ZyWall110 (AAAA) at Patch 0, while v4.65(AAAA.1) indicates Patch-Release 1 for the same device.
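The following is an added example, not a Zyxel tool: it parses the firmware label format described above and lists the intermediate versions to install, using only the USG and VPN chains given in this article. The function names are hypothetical and the `ZZZZ` model code in the test data is constructed. Versions that are not on a listed chain are rejected rather than guessed, because the "Read Me First" section of the release notes decides those cases.

```python
import re

# Upgrade chains copied from the article; position in the list, not numeric
# size, defines the order (the VPN chain goes v10.01 -> v4.35).
UPGRADE_PATHS = {
    "USG": ["4.25", "4.30", "4.32", "4.38", "4.62", "4.65"],
    "VPN": ["10.01", "4.35", "4.39", "4.62", "5.02"],
}

# v<major>.<minor>(<model code>.<patch>), e.g. v4.65(AAAA.1)
FIRMWARE_RE = re.compile(r"^[vV]?(\d+\.\d+)\(([A-Z]+)\.(\d+)\)$")


def parse_firmware(label):
    """Split a firmware label into (version, model_code, patch)."""
    match = FIRMWARE_RE.match(label.strip())
    if not match:
        raise ValueError(f"unrecognised firmware label: {label!r}")
    version, model_code, patch = match.groups()
    return version, model_code, int(patch)


def plan_upgrade(series, installed, target):
    """Return the versions to install, in order, to get from installed to target."""
    chain = UPGRADE_PATHS[series]
    cur_ver, cur_model, cur_patch = parse_firmware(installed)
    new_ver, new_model, new_patch = parse_firmware(target)
    if cur_model != new_model:
        raise ValueError(f"image is for model code {new_model}, unit is {cur_model}")
    for version in (cur_ver, new_ver):
        if version not in chain:
            # Not a listed milestone: the "Read Me First" section decides.
            raise ValueError(f"v{version} is not on the {series} path; check the release notes")
    start, end = chain.index(cur_ver), chain.index(new_ver)
    if end < start or (end == start and new_patch < cur_patch):
        raise ValueError("target is older than the installed firmware")
    if end == start:
        # Same version: only a patch release to apply, or nothing at all.
        return [new_ver] if new_patch > cur_patch else []
    return chain[start + 1 : end + 1]


if __name__ == "__main__":
    # Constructed labels; AAAA is the ZyWall110 model code used in the article.
    print(plan_upgrade("USG", "v4.25(AAAA.0)", "v4.65(AAAA.1)"))
```

Checking the model code before planning catches the case where an image built for a different unit is selected by mistake.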
Where can I find the release notes of my firmware?
Normally, the .zip-folder containing the .bin file of the firmware also contains the release notes.
Anything else I should consider?
When applying firmware upgrades, especially from a remote site, there is always a chance that the configuration file from the older version conflicts with the newer firmware version. Usually, when this happens, the device will try 3 times to reboot itself and apply the old startup-configuration file. If this does not work, the device will, as a precautionary measure before bricking, move over to the system-default configuration. This can be very frustrating and troublesome, especially if you have not put precautionary measures in place (like being on-site or having someone on-premise to assist you in applying the startup configuration back into the firewall).
However, there is a solution to this problem which, when applied before the firmware upgrade, will lead to a smooth installation process in the vast majority of these cases. The exact process is described here:
Avoiding configuration corruption & crashes on firmware upgrade/downgrade ("Setenv-Script")
In short, there are rollback options for when you apply a configuration, one of them being the option to skip a problematic line and proceed with the rest. By default, and on a firmware upgrade, the rollback option in case of an error is to interrupt the configuration application process and restart it; hence the above-mentioned "3 times" that the system retries applying the configuration. Applying the "setenv" script hardcodes the unit to choose the rollback option that skips the problematic lines, even for firmware upgrades.