I have an old firmware version on my USG/ATP/VPN and want to upgrade - what's the best way to do so?

This article mostly refers to older USG-series devices, but it shows a general approach to upgrading smoothly from an older firmware version to the latest one. It also shows you how to find the proper firmware migration path for your unit.

 

Agenda

  • Basic things to consider
  • How do I know what firmware to apply before moving to the last firmware?
  • What is the optimal upgrade path?
  • Where can I find the release notes of my firmware?
  • Anything else I should consider?

 

There are some basic things to consider here:

 

How do I know what firmware to apply before moving to the last firmware? 

This can be checked in the release notes of the firmware (only available in English). Most, if not all, firmware release notes contain a "Read Me First" section with important notes regarding that firmware version.
[Image: "Read Me First" section in the firmware release notes]

Within these Read Me First sections, you will find the minimum firmware version that must be installed before applying the firmware the release notes belong to. Here is an example from the USG310's v4.62 release notes:

[Image: Read Me First section of the USG310 v4.62 release notes]

This means that firmware v4.38 has to be applied before moving to this particular firmware.

 

What is the optimal upgrade path?

The general upgrade path for our professional firewalls is as follows:

ATP/USG FLEX-Series:

v4.25 -> v4.30 -> v4.32 -> v4.38 -> v4.62 -> v5.00

USG-Series:

v4.25 -> v4.30 -> v4.32 -> v4.38 -> v4.62 -> v4.65

VPN-Series:

v10.01 -> v4.35 -> v4.39 -> v4.62 -> v5.02

 

The patch version of a firmware version is indicated by the number in the brackets after the firmware version; the letters before it are a unique model code. For example, v4.65(AAAA.0) is v4.65 for a ZyWall110 (AAAA) at Patch 0, while v4.65(AAAA.1) indicates Patch-Release 1 for the same device.
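The following sketch is an added example, not Zyxel code: it parses a version string in the format described above and lists the milestone versions from the article's upgrade paths that still have to be flashed. The function names are hypothetical, and it assumes that a version sitting between two milestones continues with the next higher milestone; the Read Me First section of each release remains the authority.

```python
import re

# Milestone paths copied from the article; order matters (VPN starts at v10.01).
UPGRADE_PATHS = {
    "ATP/USG FLEX": ["4.25", "4.30", "4.32", "4.38", "4.62", "5.00"],
    "USG": ["4.25", "4.30", "4.32", "4.38", "4.62", "4.65"],
    "VPN": ["10.01", "4.35", "4.39", "4.62", "5.02"],
}

# Accepts "4.62", "v4.62" or "v4.65(AAAA.1)": version, model code, patch number.
VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)(?:\(([A-Za-z]+)\.(\d+)\))?$")


def parse_version(text):
    """Return ((major, minor), model_code, patch); code and patch may be None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, model, patch = m.groups()
    return (int(major), int(minor)), model, int(patch) if patch is not None else None


def _order_key(version):
    # Assumption: the VPN series' v10.x numbering predates its 4.x/5.x
    # releases, as the article's path (v10.01 -> v4.35) implies, so a plain
    # numeric sort would be wrong. Sort v10.x before everything else.
    return (0, version) if version[0] >= 10 else (1, version)


def remaining_hops(series, installed):
    """List the milestone versions still to install, in flashing order."""
    current, _, _ = parse_version(installed)
    return ["v" + step for step in UPGRADE_PATHS[series]
            if _order_key(parse_version(step)[0]) > _order_key(current)]


if __name__ == "__main__":
    # Constructed sample inventory: (series, installed firmware string).
    for series, installed in [("USG", "v4.32(AAAA.0)"), ("VPN", "V10.01"),
                              ("ATP/USG FLEX", "4.60")]:
        hops = remaining_hops(series, installed)
        print(f"{series:13} {installed:15} -> {' -> '.join(hops) or 'up to date'}")
```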

 

Where can I find the release notes of my firmware?

Normally, the .zip-folder containing the .bin file of the firmware also contains the release notes.

 

Anything else I should consider?

When applying firmware upgrades, especially from a remote site, there is always a chance that the configuration file from the older version conflicts with the newer firmware version. Usually, when this happens, the device will try 3 times to reboot itself and apply the old startup-configuration file. If this does not work, the device will, as a precautionary measure against bricking, fall back to the system-default configuration. This can be very frustrating and troublesome, especially if you have not put precautionary measures in place (like being on-site or having someone on the premises to assist you in applying the startup configuration back to the firewall).

 

However, there is a solution to this problem which, when applied before the firmware upgrade, will lead to a smooth installation process in the vast majority of these cases. The exact process is described here:
Avoiding configuration corruption & crashes on firmware upgrade/downgrade ("Setenv-Script")

 

In short, there are rollback options for when you apply a configuration, one of them being the option to skip a problematic line and proceed with the rest. By default, and on a firmware upgrade, the rollback option in case of an error is to interrupt the process of applying the configuration and restart it. Hence the "3 times" mentioned above, during which the system retries applying the configuration. Applying the "setenv" script hardcodes the unit to use the rollback option that skips the problematic lines, even for firmware upgrades.
