Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue (Jan. 2025)

Comments

  • MikeForshock
    MikeForshock Posts: 44  Freshman Member

    Sure would be nice to be able to roll-back these updates to signatures as a separate process

  • MikeForshock
    MikeForshock Posts: 44  Freshman Member

    In case this issue is still lingering for others. This process recovered two of our units, but does not follow this guide exactly and your mileage may vary.

    Reboot router
    Login via webui
    Download config and enable FTP (quickly, before it locks up!)
    Reboot router again
    FTP into the router, upload the date firmware provided to the root folder
    Router should reboot automatically.
    Login, force signature updates (DO NOT UPDATE FIRMWARE IF PROMPTED)
    Reboot the router
    Confirm signatures are updated to new (will NOT match the article dates!)
    Save another copy of the config (can't be too safe)
    Go to running firmware, use cloud update (or local copy of most recent firmware; NOT THE DATE FIRMWARE)
    Router will restart
    Login, verify all your settings.
    Now you have a working device again.

    One thing NOT mentioned in the support post is that VPN does NOT work with the date signature firmware provided! Took a few hours to diagnose that and was finally confirmed by support a day later, and there is no fix except to use the official release firmware.

    Luckily we stagger all of the auto-updates across our deployments and only had a few units that got the update. If we had every unit that had gotten the update it would have been an absolute disaster, and it was already!

    This has now happened two times in about a year with the USG FLEX, dev team really needs to test better.