Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue (Jan. 2025)
Comments
-
@DavideMauri
Application Signature Download is separated between partitions. The affected Partition is the Running Partition first. If you follow the SOP, then you'll "Reset" on Running, you'll do FTP Upgrade on Running with Weekly to fix it, so NO NEED to do anything on Standby Partition.
But we have some customers sharing solutions (recovery) which are NOT following the SOP shared. For example, you can "switch partition" by Console or also Reboot to the other partition. As these partitions never downloaded a wrong signature, they are unaffected, so no need to do anything. However, this will NOT fix the "Standby Partition": in this case (once the role changed to Standby Partition) the "previously affected Running partition is now Standby", and here is the gap: this partition still stores the wrong Application Version, which needs Console CLI recovery, or some process like Online Upgrade (which will be applied by default to Standby, to keep the roll-back scenario) can't work.
So we suggest everyone to follow the SOP. Yes, there are ways to bring the device back online by Reset, Partition Swap or other scenarios, maybe also remotely, but it doesn't help you in the future if you do not follow the SOP we shared before.
I hope this makes it a bit more clear.
0 -
@mocr
Both Versions are good and you can enable Auto Update. Only Version "123" in the end was affected. You have "102" in the end of both, so fine.
0 -
@USG_User
There is nothing planned and also no need. The V5.39(ABWD.1)-sig-20250124 only assists in removing the bad signature from the partition, that's it. Once this is done, you can keep this firmware or you can install the last official current FCS. As the issue was NEVER firmware related, there is no need to plan a Patch 2 for this issue. Only the signature needs to be removed, which this firmware can assist with.
Thanks.
0 -
Thanks Tobias. We are missing such important information.
Then we will switch back to standard V5.39(ABWD.1) to remove the "a new firmware is available" popup every time when logging in.
0 -
@USG_User
No Problem. You can switch back to Patch 1 or keep the Signature Version. The Signature Version is built on our latest Weekly from Bug-Fix Level, so a bit better on fix level than Patch 1. However, the next release on ZLD is planned around end of March and will be 5.40.
Thanks.
0 -
Hi Tobias,
I should mention that I couldn't get IKEv2 remote clients to connect to the USG while the signature version was running. Switching back to patch 1 solved the problem.
regards
0 -
Cannot enter debug mode here; pressing keys while on “Press any key to enter debug mode within 3 seconds” does nothing.
Ticket 485158
0 -
This method also worked for me. Driving to the customer site and plugging in a cable wasn't an option.
0