Application Patrol Signature issue of ATP & USG FLEX Series [ZLD5.00-ZLD5.21, 2022]

Last Update: 3/18 at 1:00 PM GMT+1

 

> Check out the Solution and Firmware Upgrade 5.21 Patch 1 Installation Notes <

Zyxel is aware that a recently released Application Patrol Signature V1.0.0.20220310.0 may create a parsing error on its ATP and USG FLEX firewalls running firmware version 5.00 through 5.20.

What is the issue about?
Which devices are affected?
How can I check if I am affected?
Solution
Prevention
Recovery Steps and SOP
On-Premise / Standalone Recovery
Nebula Recovery Process


What is the issue about?

The App Patrol signature release V1.0.0.20220310.0 may create parsing errors on devices for both on-premises / Standalone and on-cloud modes. The application patrol daemon will not work after updating this new signature. However, the rest of the UTM features keep running. However, the worst case is that the device may get stuck if the device did reboots further, no matter manually or by schedule.

 

Which devices are affected?

ATP and USG FLEX with Firmware 5.00 Patch 0 - 5.21 Patch 0 and Application Signature Version: V1.0.0.20220310.0 in On-Premise or Nebula Mode.

 

How can I check if I am affected?

The device is not rebooted:

mceclip0.png

Check under Configuration -> Licensing -> Signature Update if the "App Patrol" Signature is Version: V1.0.0.20220310 - If yes, you are affected.

Please continue with the Solution.

 

If your device was already rebooted and stuck with Sys blinking:
You are affected, please follow the Recovery Steps and SOP

 

Solution:

Nebula Cloud customers should have received the upgrade, if the Upgrade is not deployed yet, please be in touch with our Support.


On-Premise and Standalone, please go to this article!
(5.21 Patch 1 Upgrade and Installation Notes)

 

Prevention:
[Only do this step, if you don´t want to upgrade to 5.21 Patch 1 Fix and reboot device with current running Firmware to protect it]

Not recommended way!

In case of your environment is very critical or you expect a power outage, please use the following prevention command:

1.) Create an SSH or Web console Session

2.) Execute command: packet-trace extension-filter -w /db/etc/app_patrol/.md5sum

3.) Ctrl + C to terminate packet-trace(Stop it)
4.) You can close the Window now

5.) Reboot the device now if you see the same output as Step 2!

 

Recovery Steps and SOP: (Windows Computer needed)

In case your device already encounters this issue due to a reboot happening, we assist you in recovering the device as best as it's technically doable.


Preparation of Recovery

The first mandatory thing you will need is a Console / RS232 cable to start with the recovery. The recovery needs to be done On-Site and is not doable by a Remote Session.

Establish a Connection to Device
Baud Rate: 115200!

It's impossible to recover the device by pushing the Reset button or flash the Firmware by FTP!


On-Premise / Standalone Recovery, for Nebula, please scroll down!

Step 1 - Switch Partition & Backup Configuration
We try to achieve the following in the next steps!

mceclip0.png

1) Connect the console cable as explained in "Preparation of Recovery"

The issue looks like this:
mceclip7.png

 

2) Restart the device and enter debug mode by typing on the keyboard, i.e., Enter key multiple times when ready "Enter Debug Mode....."

Your configuration files may locate in:
Partition 1: Enter now: atcd 1
or

Partition 2: Enter now: atcd 2

One of them should boot successfully (SYS LED stops flashing). Please wait 15 minutes after Step 4!

3) Choose atcd 1 to load the partition number 1 or atcd 2 to boot partition number 2

 

4) Type atgo to reboot the device and boot up by other partition.
[Wait for max. 10 minutes now and check if Sys LED will be steady green]

[If you have previously saved the latest version and you have a local backup of your configuration, you can skip Step 5-8]

5) When the device is successfully booted (Sys not blinking anymore), go into FTP in Windows by typing ftp://192.168.1.1 (or the LAN IP of the device) 

6) Enter username and password [Credentials may admin / 1234 or an older admin password]

7) Go into the new Window that popped up and go into Standby_Conf

 

8) Download all configuration files and check the right one by opening via Editor!

USG / ATP Series - Explaining the device partitions and the different types of configuration files

9) Open, for example, the "startup-config.conf" which should be the latest configuration file and check the Firmware Version in Header
Ensure to upgrade to firmware version 5.21 Patch 1 to avoid the configuration being not read correctly.
Security Products - Firmware Overview and History Downloads for FLEX, ATP, USG, VPN, ZYWALL

mceclip0.png

 

10) Apply the Firmware to the device on RUNNING Partition and reboot it.

11) Apply the configuration backup on running partition after successfully reboot


The result after Step 11)

mceclip1.png

12) Upgrade our 5.21 Patch 1 to the "STANDBY Partition"

 

If you are stuck with the Recover SOP by any needs, feel free to be in touch with our Support Team to get assistance in your local language - How to contact the Support Team?

 

Nebula Recovery Process

 

Step 1 - Switch Partition & Backup Configuration

1) Connect the console cable as explained in "Preparation of Recovery"

2) Restart the device and enter debug mode by typing on the keyboard

Your configuration files may locate in:
Partition 1: atcd 1
or

Partition 2: atcd 2

One of them should boot successfully (SYS LED stops flashing). Please wait 15 minutes after Step 4!

3) Choose atcd 1 to load the partition number 1 or atcd 2 to boot partition number 2

 

4) Type atgo to reboot the device and boot up by other partition.
[Wait for max. 15 minutes now and check if Sys LED will be steady green]

[At this stage the device will not come Online to Nebula, as it's not in Nebula Mode, please follow the next steps!]

5) Press the RESET button on the device for 15 seconds

6) Re-login device Web GUI, choose Nebula Mode to connect the device to Nebula.
[Check Step 7, if you can't see this GUI]

mceclip1.png

[If WAN interface is static IP or PPPoE. please configure WAN settings after choosing Nebula Mode]

Note: You can skip this step if the wan interface is DHCP. The device will connect to the cloud automatically after the wan interface gets its IP address.

mceclip2.png

 

7) If you can't see Nebula GUI, the Firmware may be too old or stuck in Activation Wizard.
Go to this Page and download 5.20 Firmware ZIP File: Security Products - Firmware Overview and History Downloads for FLEX, ATP, USG, VPN, ZYWALL.

Then unpack the .zip file and manually upload the .bin file to the device.

8) Now RESET the device again

9) Now, you need to do the ZTP Process: How to register a USG FLEX/ATP/USG20(w)-VPN gateway in Nebula Control Center (NCC)
a) Un-Register the device from Nebula (copy Serial Number and Mac Address)
b) Re-Register the device into Nebula
c) Assign a device to the site
d) Choose "ZTP Deployment" - NOT NATIVE MODE! - configure WAN settings if not DHCP
e) An E-Mail with a Link is sent to you. Execute the link for configuration
f) The device is back Online into Nebula now

If you are stuck with the Recover SOP by any needs, feel free to be in touch with our Support Team to get assistance in your local language - How to contact the Support Team?

Articles in this section

Was this article helpful?
2 out of 5 found this helpful
Share

Comments

2 comments

Please sign in to leave a comment.

  • What if neither boot options load a steady sys light? Can we just upgrade the firmware over the console port?

    2
  • Hello

    Can somebody explain how to fix this issue with a Mac computer? I had yesterday a loss of electric power and my ATP200 will not boot anymore...

    0