All policies lost after upgrade from 4.13 to 4.20

grokit Posts: 18  Freshman Member
edited April 2021 in Security
A coworker with a bit less Zyxel know-how attempted an upgrade of two USG1100 from 4.13 to 4.31. Obviously that won't work and according to the 4.31 README, he first upgraded to 4.20.

On that step, the startup-config.conf file was mangled.
I later found that all firewall policies and all content rules were gone (as in not there, nil, nada, empty) while the USG was running 4.20.

I was remote and busy with something else and thus I asked him to reboot again with 4.13 to re-establish the security and let me examine the config files. Unfortunately, he did not save the log as well.

Here are my questions.

1 - How can it be that all firewall policies and all content rules disappeared? I've never seen that before.

I know that one must have a look at the upgraded startup-config.conf file and compare it with the previous version. I diff the files and check them that way. There are usually some glitches, but those are minor and explainable (new features, changed features, etc.).

2 - Is there a tool/service/website/whatever which allows me to upload a startup-config.conf file and "test" it against newer versions? A kind of dry run of the upgrade which would tell me where to look for issues?

Yes, I can do that on the running platform. But that means I face risks, i.e. like in this case that firewall policies are not configured on a production router. And yes, one should have a test environment where this upgrade is tested beforehand. Frankly, I do not have the possibility to have a test USG model for each of the models I have in production. There must be another way. I do have some of the Zyxel firewalls in the test lab, but by far not all models.

3 - What is the current upgrade policy? Is there a procedure/documentation/tool/etc. which would help other people to upgrade firewalls and especially keep upgraders aware of the glitches that could happen?

Yes, I am trained (up to a point). But the co-worker is not. The README sections in the firmware's PDF help, but an overall description would help even more.
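The post describes diffing the old and upgraded startup-config.conf to spot what the upgrade changed. A plain line diff is noisy; what you actually want to know is which configuration blocks (policy rules, content-filter profiles) exist in the old file but are absent in the new one. The script below is an added example, not code from the thread or from Zyxel: it assumes a hierarchical CLI-style layout (a top-level command line, indented sub-lines, a closing `exit`), and the two sample configs and their command names are constructed for illustration, not a real ZLD export. Adapt `parse_blocks()` to the real file layout before relying on it.

```python
"""Block-aware comparison of two CLI-style firewall configs (added example).

The block layout assumed here (top-level command, indented body, 'exit')
is a hypothesis for illustration; adjust parse_blocks() to the real format.
"""
import difflib
from collections import OrderedDict

# Constructed sample: configuration exported BEFORE the upgrade.
OLD_CONFIG = """\
! constructed sample, not a real device export
interface ge1
 ip address 192.0.2.1 255.255.255.0
exit
secure-policy rule 1
 name LAN_to_WAN
 from LAN1
 to WAN
 action allow
exit
secure-policy rule 2
 name Block_Guest
 from GUEST
 action deny
exit
content-filter profile Office
 category gambling block
exit
"""

# Constructed sample: same device AFTER a hypothetical upgrade that silently
# dropped every secure-policy block and added a new feature block.
NEW_CONFIG = """\
! constructed sample, not a real device export
interface ge1
 ip address 192.0.2.1 255.255.255.0
 mtu 1500
exit
content-filter profile Office
 category gambling block
exit
new-feature foo
 enable
exit
"""


def parse_blocks(text):
    """Group config lines into top-level blocks keyed by their header line.

    Comment lines ('!' or '#') and 'exit' terminators are ignored; an
    unindented line starts a new block, indented lines belong to it.
    """
    blocks = OrderedDict()
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "!#":
            continue
        if line == "exit":
            continue
        if line[0] not in " \t":
            key = line
            blocks.setdefault(key, [])
        elif key is not None:
            blocks[key].append(line.strip())
    return blocks


def compare_configs(old_text, new_text):
    """Return blocks missing from, added to, or changed in the new config."""
    old, new = parse_blocks(old_text), parse_blocks(new_text)
    return {
        "missing": [k for k in old if k not in new],
        "added": [k for k in new if k not in old],
        "changed": {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]},
    }


def missing_by_prefix(report, prefix):
    """Count missing blocks whose header starts with prefix (e.g. a policy type)."""
    return sum(1 for k in report["missing"] if k.startswith(prefix))


def render_diff(old_text, new_text):
    """Classic unified diff, for the detail view once a block is flagged."""
    return "\n".join(difflib.unified_diff(
        old_text.splitlines(), new_text.splitlines(),
        "startup-config.old", "startup-config.new", lineterm=""))


if __name__ == "__main__":
    report = compare_configs(OLD_CONFIG, NEW_CONFIG)
    for label in ("missing", "added"):
        for header in report[label]:
            print(f"{label.upper():8} {header}")
    for header in report["changed"]:
        print(f"CHANGED  {header}")
    lost = missing_by_prefix(report, "secure-policy")
    if lost:
        print(f"WARNING: {lost} secure-policy block(s) lost after upgrade")
    print(render_diff(OLD_CONFIG, NEW_CONFIG))
```

Run it against the two real exports instead of the embedded samples by reading the files into `compare_configs()`; the `missing` list is the one to check first, since a whole category of blocks vanishing (as in the thread) shows up there immediately, while the unified diff is for investigating individual changed blocks.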



All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Regarding your description,

    1. Since you updated the firmware 4.13->4.20, it is a jump of two major versions; in this case we suggest that users upgrade from 4.13->4.15->4.20, or it may have some unexpected results. To understand why the customer's settings are missing after upgrading to 4.20, can you private message the configuration to me to check further?

    2. Currently we do not support this feature; however, we think this is a considerable idea and I will move this suggestion to the idea section. We will evaluate it internally.
    3. Normally we suggest that users upgrade their firmware version by version to avoid any unexpected results. However, we can also put the upgrade version suggestion in our formal release notes in future releases.

  • grokit
    grokit Posts: 18  Freshman Member
    Hello @Zyxel_Charlie
    Thanks for your reply. 

    1. The 4.20 readme states the following and we actually took this into account:
    "Recommended upgrade to ZLD4.13 patch2 C0 or later version first before upgrade to ZLD4.20".
    This is slightly different from what you propose. 
    I will send you the config files in a private message.

    2. Thanks for considering this as an idea :-)

    3. Agreed. 
