Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue (Jan. 2025)

Zyxel_Emily
Zyxel_Emily Posts: 1,405  Zyxel Employee
Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
edited January 24 in Security

Symptom:

The App Patrol signature release V1.0.0.20250123.0 may cause a parsing error on devices in On-premises mode. The application patrol daemon will not work well after updating to this new signature, though the rest of the UTM features keep running. However, in the worst case the device may get stuck if it is rebooted afterwards, whether manually or by schedule. If the device shows the following symptoms, it is probably affected.

  • Device Error: Wrong CLI command, device timeout or device logout.
  • Unable to login to ATP/USG FLEX via web GUI: 504 Gateway timeout.
  • CPU usage is high.
  • In Monitor > Log, the message "ZySH daemon is busy" appeared.
  • Unable to enter any commands on console.
  • Coredump messages appear on console.

Solution:

The App Patrol signature release V1.0.0.20250123.0 has been removed.
A new urgent date firmware is available to recover the affected device.

| Model | Firmware link |
|---|---|
| ATP 100 | Download |
| ATP 100W | Download |
| USG FLEX 100 | Download |
| ATP 200 | Download |
| USG FLEX 100W | Download |
| ATP 500 | Download |
| USG FLEX 100AX | Download |
| ATP 700 | Download |
| USG FLEX 200 | Download |
| ATP 800 | Download |
| USG FLEX 500 | Download |
| USG FLEX 700 | Download |

Recovery steps:
Follow the instructions to recover the affected device.

Step 1. Configuration File Backup

  1. Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
  2. Enter atkz -b
  3. Enter atgo
  4. At this point, your ATP/FLEX is reset to default, but the startup-config.conf is already backed up. Connect your computer to the ATP/USG FLEX's lan1 to get DHCP IP address 192.168.1.33 directly.
  5. On your computer, open cmd and enter ftp 192.168.1.1. Log in with admin and password 1234.
    Enter cd /conf and get startup-config-back.conf to download the backup file.
  6. You can find the backup file on your computer.

Step 2. Firmware Recovery

  1. Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
  2. Enter atkz -f -l 192.168.1.1 to configure FTP server IP address.
  3. Enter atgof to bring up the FTP server.
  4. Use FTP to upload the firmware package. Keep the console session open in order to see when the firmware update finishes.
  5. Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254.
  6. Connect your computer to the first Ethernet port of the ATP/USG FLEX. For example, the first Ethernet port of USG FLEX 500 is P2.
  7. Use an FTP client on your computer to connect to ATP/USG FLEX. This example uses the ftp command in the Windows command prompt. The ATP/USG FLEX's FTP server IP address for firmware recovery is 192.168.1.1.
  8. Log in without user name (just press enter).
  9. Set the transfer mode to binary "bin" and transfer the firmware file from your computer to ATP/USG FLEX.
  10. The console session displays “Firmware received” after the FTP file transfer is complete. Then you need to wait while ATP/USG FLEX recovers the firmware (this may take up to 4 minutes). The console session displays “done” when the firmware recovery is complete. Then the ATP/USG FLEX automatically restarts.
  11. Log in to ATP/USG FLEX's web GUI, then upload and apply the backup configuration file.

Step 3. Update App-Patrol signature to 1.0.0.20250102.0 manually
Go to CONFIGURATION > Licensing > Signature Update and update App-Patrol signature manually. Make sure the version is 1.0.0.20250102.0.


Comments

  • BCC
    BCC Posts: 12  Freshman Member
    First Comment Friend Collector Seventh Anniversary

    Affected devices have FTP working with no issue. Can't we just upload the new firmware using the FTP onto the malfunctioning device? If yes, which folder? I see firmware1 and firmware2 folders. Please advise as this would allow remote resolution and save hours and hours of travel time.

    Martin Brys

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 203  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary

    Hello Martin!

    The steps are shared above and we have tested all other potential ways like Web Interface, SSH and also FTP without success or unexpected side effects, so please follow the shared solution.

  • LMitc
    LMitc Posts: 11  Freshman Member
    First Comment Fourth Anniversary

    Good evening,
    it's not the first time that due to updates you are left stranded... I have no idea how much and what work is behind all the updates... but personally I'm starting to be speechless and with the idea of changing devices as soon as possible.
    Since I have several devices and not all are affected, I ask... is it possible to apply the new firmware if there is NOT one of the malfunctions listed?
    Thanks

  • Ceccus
    Ceccus Posts: 36  Freshman Member
    First Comment Friend Collector Fifth Anniversary

    Hi,

    The problem is also solved by downgrading the firmware and then upgrading the signatures
    Obviously if you do not have firewalls exposed
    Question: but will the next firmware release (e.g. 5.40) solve the problem for those who have downgraded the firmware?
    Thanks

    Regards

    D.

  • USG_User
    USG_User Posts: 376  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    edited January 25

    Hi guys,

    Our FLEX 700 is alive again 😅. It took about one hour weekend time. Our invoice goes to the big "Z".

    OK, where human beings are working, mistakes will be made. Insofar you get one for free. 👉️ 😉

    But by the way, it seems your above mentioned recovery description contains one error or misunderstanding at least. It's correct that we have to connect to port 3 (for USG FLEX 700) to receive a DHCP address from USG 192.168.1.33. But later, when trying to upload the fixed firmware bin file via FTP, you have to change the patch cable from port 3 to port 1!

    Even if your description above says "P1", we were not aware that the port has to be changed in between. We tried different times and were surprised that we cannot establish an FTP connection. Only when switching to the real P1 port did it succeed finally.

    Also the download of the last config failed with us. I guess we've pressed the hard-reset button too long that the USG rebooted into factory reset instantly. But each Admin should have backups of its configs. Insofar this was no problem for us.

    And finally, when accessing via WEB GUI again, we've uploaded our latest config as "startup.conf". Here the USG is immediately applying this new startup config without rebooting. But what we saw was the sandglass where we didn't know the current state for minutes. It would be better to give your backup config another name, upload it into the config table, and select it for reboot. Then the USG will rename it by itself on rebooting.

  • Doshgard
    Doshgard Posts: 2  Freshman Member
    First Comment

    Thanks a lot for the nice documentation!

    BUT….

    The provided documentation is missing one important detail point:

    When the affected device was successfully rebooted to the former backup partition, thus now really running with working signatures etc, the documentation leads to flashing this working partition but ignoring the really affected/bugged partition! For this it's necessary to switch/boot to the affected/bugged partition and then apply the steps from atkz -f -l 192.168.1.1 + atgof and ftp push again to be in a really clean state, otherwise the relevant partition remains affected/bugged.

  • Jenz
    Jenz Posts: 9  Freshman Member
    First Comment Friend Collector First Anniversary

    I was able to successfully install the firmware.
    Now I am always shown that there is a new firmware, but this is the “old” 5.39 Update 1 version. Should this be reinstalled or is the “new” version ok?

  • GiuseppeR
    GiuseppeR Posts: 316  Master Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula First Comment Friend Collector
    edited January 26

    Hello @Zyxel_Emily

    I see no way to recover the firewalls without driving onsite with a cable and a notebook, but this is mandatory because I see that there are also disconnections (and not only CLI errors or access issues) with internet availability for those sites configured on prem.

    It seems to me that we have to plan the next days to recover firewalls one by one.

  • Omniasrl
    Omniasrl Posts: 2  Freshman Member
    First Comment

    After 4/5 enormous crashes it is necessary to make a big class action. We need a refund for Zyxel's mistake. Take a lawyer and ask for a refund.

  • TVMAN
    TVMAN Posts: 2  Freshman Member
    First Comment

    This is unacceptable! This is the third time in as many years. I've been using Zyxel for 15 years. I have multiple devices all over the place and now have to go onsite to multiple clients! How can you be so lame as not to do the basics of testing prior to release? Time to move on.