USG 20/40: Firmware Updates Load Defaults, "bad startup config"

MikeForshock
MikeForshock Posts: 40  Freshman Member
First Comment Friend Collector Third Anniversary
edited March 2022 in Security
This just keeps happening to a few of our devices.
We do a firmware update from the web GUI and restart; the device fails to restart and is at factory default.
Inside the config files are all of our profiles, including a new startup-config-bad.
Loading the autobackup file from the firmware update manually (apply...) loads as expected. This has happened multiple times now, and the worst part is that staff at the locations are not IT or technically savvy, and it requires a truck roll.

It is happening too many times now...  
Combined with the almost trivial and elementary authentication bypasses, where is Zyxel going to send people?

All Replies

  • MikeForshock
    USG 40:  4.70 to 4.71 (also happened with a 4.63 to 4.70 update previously)
    USG 20 VPN: 5.20 to 5.21 (disabled auto Geo IP Updates, locked us out of remote and firewall functions. Definitions from 2015?!?!)
  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    @MikeForshock IMVHO something is harming the version upgrade process of the configuration.
    I hope that a Zyxel representative can look into this for you. I had some bad ideas about naming a group on a USG60 using a keyword already used for configuration.
    Consider:
    • avoid any spaces in object names
    • restrict the characters used in names to the alphabet, dash (-) and underscore (_)
    • some special characters are not "liked" in passwords (but unfortunately I don't remember which ones I found a few months ago...)
    • avoid names that are the same as protocols (for instance IpSec; prefer instead something like VPN_Users or IKE_users)
    For the GeoIP db... I'm currently asking for some info in this topic.
    If you're willing to update despite the hiccups in Geo IP, I suggest using this approach:
    • get your current public IP
    • add a security policy on top of all others to access the devices (USGs) from your current public IP
    • after adding the rule, save the config on your device
    • only after that, proceed to the firmware upgrade procedure. During the upgrade, the new/updated startup-config.conf will be created with the rule
    • reboot the device
    • after the reboot, log in to the device and update the GeoIP
    • disable/delete the rule
    This should allow you to log in after the upgrade procedure has completed, and allow you to go further.

    Moreover...
    Consider that the configuration is migrated when you ask to download the firmware. Any subsequent edit will be "wasted" by the reboot.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    Hi @MikeForshock,
    Kindly see the Private Messages. 
    I need some information to check.
    Kevin
  • MikeForshock
    This is still going through the PM for verification and reduplication, will update when there is an update.
  • MikeForshock
    @mMontana: New process will be to disable the Geo IP rule prior to updates. Had just not seen it happen before on other units where the updates were disabled, and the list of IPs was nearly 7 years old. Thanks for some of the suggestions, all the groups, rules and such are unique to help identify "factory" versus "custom" definitions.
