USG20W-VPN Firmware Upgrade Path from v4.33 to 5.31

DeanH Posts: 47  Freshman Member
Hello All,

When we get our USG20W-VPN units, they arrive with 4.33 firmware on them, so we have to upgrade them to 5.31 before shipping out to customers.  My question is what is the most efficient upgrade path to get from 4.33 to 5.31 without going too far to where it may impact the unit by jumping too many at a time?

Currently, I've been doing it as follows:
4.33
4.38
4.62
4.65 ABAR1
5.10
5.21 ABAR1
5.30
5.31

I know that is a bit overkill, but since I'm not certain about the jumps between firmware I decided to take it slow so I don't have a bricked unit in the off chance I skipped too many.

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Answer ✓
    Hi @DeanH,
    Yes, for a firewall which has an old version and is live, you can still jump straight to 5.31 after a backup.
    Looking forward to your result. Thank you :)
    Kevin

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Hi @DeanH
    You can upgrade to 5.31 from 4.33 directly. 
    No matter what the target version is, we always suggest backing up the configuration before upgrading to prevent unexpected errors.
    Thank you
    Kevin
  • mMontana
    mMontana Posts: 1,389  Guru Member
    @Zyxel_Kevin do you suggest first upgrading the firmware and then uploading the configuration, or vice versa?
    AFAIK DeanH is talking about out of the box devices...
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    I suggest you install the latest firmware, then finally upload the configuration.
  • mMontana
    mMontana Posts: 1,389  Guru Member
    Any news, @DeanH?
  • DeanH
    DeanH Posts: 47  Freshman Member
    mMontana is correct, I'm referring to brand new devices right out of the box.

    So, there is no issue going from 4.33 to 5.31 in one shot on a brand spanking new device?  I'll try that on my next one and let y'all know.  We ship out a couple a week, so it won't be long.

    Now, on one that is live and behind on firmware (you know there are still some out there because few people think about it if it ain't broke) would you still jump straight to 5.31 after a backup?
  • PeterUK
    PeterUK Posts: 3,391  Guru Member
    edited July 2022

    There are things that have been added, like NAT with source IP, where the config sees an old format of a NAT rule and puts in defaults.

    That said, even the next firmware up can have problems if you start from an old config; in this case the firmware fails and loads the old firmware slot. It's happened to me a couple of times, in which case I log in, click reboot for the new firmware, press the reset button, then log in and apply your config with “Ignore errors and finish applying the configuration file”, but if you can, there is no need to load an old config.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    edited July 2022
    I did not experience the same thing PeterUK saw in his experience.
    However, I would not do a remote firmware upgrade of this gap of versions.

    For the "if it ain't broke" people, you can ask them if they prefer having a device that anyone with a paperclip can burgle, or something patched, strengthened and with more features (GeoIP) by the producer "for free".

    Paperclip is quite a stunt but...
    https://www.zyxel.com/support/CVE-2020-29583.shtml
    https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml
    These two advisories are between alert and critical, in legal-jam.
    In tech jargon, quite between "f#ck me with sandpaper" and "yesterday was apocalypse and it was an easy day".
    Maybe you can print both of them, hand them over, and also ask for a little signature on a specific exclusion of liability for not allowing you to upgrade the firmware.
    When (not if) the device is taken over, people can only blame themselves.

  • DeanH
    DeanH Posts: 47  Freshman Member
    Hello all,

    PeterUK, thank you for that.  I will keep that in mind if I get into that kind of jam.  I have configs from older firmware versions just in case I need to figure out what it was versus what it now needs to be.  Each time a new firmware comes out, I save a new version of the base config to make it easier.

    mMontana, thanks for the colorful commentary and links. :smiley:
    We have some customers that buy it outright without the maintenance plan.  Those are the ones that usually come up six months or a year later and say they need help with their firewall.  Of course, we charge them since we told them in the beginning that they are on their own after initial configuration and installation.
    Others we have on a maintenance plan where we keep up with them.

    Zyxel_Kevin, thank you for that.  I do take backups before upgrading, so hopefully, it won't be so bad.  I have a new one going out today where I did jump from 4.33 to 5.31 and I'll configure it and ship it out.  We'll see how the install goes.
