USG20W-VPN Firmware Upgrade Path from v4.33 to 5.31
Hello All,
When we get our USG20W-VPN units, they arrive with 4.33 firmware on them, so we have to upgrade them to 5.31 before shipping out to customers. My question is what is the most efficient upgrade path to get from 4.33 to 5.31 without going too far to where it may impact the unit by jumping too many at a time?
Currently, I've been doing it as follows:
4.33
4.38
4.62
4.65 ABAR1
5.10
5.21 ABAR1
5.30
5.31
I know that is a bit overkill, but since I'm not certain about the jumps between firmware I decided to take it slow so I don't have a bricked unit in the off chance I skipped too many.
When we get our USG20W-VPN units, they arrive with 4.33 firmware on them, so we have to upgrade them to 5.31 before shipping out to customers. My question is what is the most efficient upgrade path to get from 4.33 to 5.31 without going too far to where it may impact the unit by jumping too many at a time?
Currently, I've been doing it as follows:
4.33
4.38
4.62
4.65 ABAR1
5.10
5.21 ABAR1
5.30
5.31
I know that is a bit overkill, but since I'm not certain about the jumps between firmware I decided to take it slow so I don't have a bricked unit in the off chance I skipped too many.
0
Accepted Solution
-
Hi @DeanH,
Yes, For the Firewall which have old version and live.
You can still jump straight to 5.31 after a backup.
Looking forward to your result. Thank you:)
Kevin0
All Replies
-
Hi @DeanH.
You can upgrade to 5.31 from 4.33 directly.
No matter what is the target version, we always suggest backup configuration before upgrade to prevent unexpected error.
Thank you
Kevin0 -
@Zyxel_Kevin do you suggest to first upgrade firmware than upload configuration or viceversa?AFAIK DeanH is talking about out of the box devices...0
-
I suggest you can install the frimware to the latest then finally upload configuration .0
-
mMontana is correct, I'm referring to brand new devices right out of the box.
So, there is no issue going from 4.33 to 5.31 in one shot on a brand spanking new device? I'll try that on my next one and let y'all know. We ship out a couple a week, so it won't be long.
Now, on one that is live and behind on firmware (you know there are still some out there because few people think about it if it ain't broke) would you still jump straight to 5.31 after a backup?0 -
Their are things that have been added like NAT with source IP which the config seeing a old format of a NAT rule and puts in defaults.
That said even the next firmware up can have problems if you start from a old config in this case the firmware fails and loads the old firmware slot. Its happened to me a couple of times in which case I login click reboot for new firmware press the reset button then login and apply your config with “Ignore errors and finish applying the configuration file” but if you can no need to load a old config.
0 -
I did not experienced the same thing PeterUK see in his experience.
However, I would not do a remote firmware upgrade of this gap of versions.
For the people "it if it ain't broke", you can ask them if they prefer having a device that anyone with a paperclip can burgle in or something patched, strenghtened and with more features (GeoIP) by the producer "for free".
Paperclip is quite a stunt but...
https://www.zyxel.com/support/CVE-2020-29583.shtml
https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml
These two advisories are between alert and critical, in legal-jam.
In tech jargon, quite between "f#ck me with sandpaper" and "yesterday was apocalypse and it was an easy day".
Maybe you can print both of them and hand to them ask a also little signature on a specific exclusion of liability for not allowing you to upgrade firmware.
When (not if) the device will be taken over, people could only blame themeselves.
0 -
Hi @DeanH,
Yes, For the Firewall which have old version and live.
You can still jump straight to 5.31 after a backup.
Looking forward to your result. Thank you:)
Kevin0 -
Hello all,
PeterUK, thank you for that. I will keep that in mind if I get into that kind of jam. I have configs from older firmware versions just in case I need to figure out what it was versus what it now needs to be. Each time a new firmware comes out, I save a new version of the base config to make it easier.
mMontana, thanks for the colorful commentary and links.
We have some customers that buy it outright without the maintenance plan. Those are the ones that usually come up six months or a year later and say they need help with their firewall. Of course, we charge them since we told them in the beginning that they are on their own after initial configuration and installation.
Others we have on a maintenance plan where we keep up with them.
Zyxel_Kevin, thank you for that. I do take backups before upgrading, so hopefully, it won't be so bad. I have a new one going out today where I did jump from 4.33 to 5.31 and I'll configure it and ship it out. We'll see how the install goes.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight