All policies lost after upgrade from 4.13 to 4.20
A coworker with a bit less Zyxel know-how atempted an upgrade of two USG1100 from 4.13 to 4.31. Obviously that won't work and according to the 4.31 README, he first upgraded to 4.20.
On that step, the startup-config.conf file was mangled.
I later found that all firewall policies and all content rules were gone (as in not there, nil, nada, empty) while the USG was running 4.20.
I was remote and busy with something else and thus I asked him to reboot again with 4.13 to re-establish the security and let me examine the config files. Unfortunately, he did not save the log as well.
Here are my questions.
1 - How can it be that all firewall policies and all content rules disapeared? I've never seen that before.
I know that one must have a look to the upgraded startup-config.conf file and compare it with the previous version. I diff the files and check then that way. There are usually some glitches, but those are minor and explainable (new features, changed features, etc.).
2 - Is there a tool/service/website/whatever, which allows me to upbload a startup-config.conf file and "test" it against newer versions? Kind of dry run of the upgrade which would tell me where to look for issues?
Yes, I can do that on the running platform. But that means I face risks, ie. like in this case that firewall policies are not configured in a productive router. And yes, one should have a test environment where this upgrade is tested before. Frankly, I do not have the possibility to have a test USG model for each of the models I have in production. There must be another way. I do have some of the Zyxel firewalls in the test lab, but by far not all models.
3 - What is the current upgrade policy? Is there a procedure/documentation/tool/etc. which would help other people to upgrade firewalls and especially keep upgraders aware of the glitches that could happen?
Yes, I am trained (up to a point). But the co-worker is not. The README section in the firmware's pdf are helping, but an overall description would help even more.
Thanks
Dan
On that step, the startup-config.conf file was mangled.
I later found that all firewall policies and all content rules were gone (as in not there, nil, nada, empty) while the USG was running 4.20.
I was remote and busy with something else and thus I asked him to reboot again with 4.13 to re-establish the security and let me examine the config files. Unfortunately, he did not save the log as well.
Here are my questions.
1 - How can it be that all firewall policies and all content rules disapeared? I've never seen that before.
I know that one must have a look to the upgraded startup-config.conf file and compare it with the previous version. I diff the files and check then that way. There are usually some glitches, but those are minor and explainable (new features, changed features, etc.).
2 - Is there a tool/service/website/whatever, which allows me to upbload a startup-config.conf file and "test" it against newer versions? Kind of dry run of the upgrade which would tell me where to look for issues?
Yes, I can do that on the running platform. But that means I face risks, ie. like in this case that firewall policies are not configured in a productive router. And yes, one should have a test environment where this upgrade is tested before. Frankly, I do not have the possibility to have a test USG model for each of the models I have in production. There must be another way. I do have some of the Zyxel firewalls in the test lab, but by far not all models.
3 - What is the current upgrade policy? Is there a procedure/documentation/tool/etc. which would help other people to upgrade firewalls and especially keep upgraders aware of the glitches that could happen?
Yes, I am trained (up to a point). But the co-worker is not. The README section in the firmware's pdf are helping, but an overall description would help even more.
Thanks
Dan
0
All Replies
-
@grokit
Regarding to your description,1. Since you updated the firmware 4.13->4.20, it is a 2 major versions jump, in this case we will suggest users to upgrade from 4.13-> 4.15->4.20 or it may have some unexpected result. To understand why customer’s settings are missing after upgrading to 4.20, can you private message configuration for me to check further?
2. Currently, we do not support this feature, however, we think this is a considerable idea and I will move this suggestion to idea section. We will evaluate it internally.
Charlie
3. Normally we will suggest users to upgrade their firmware version by version to avoid any unexpected result. However, we can also put the upgrading version suggestion in our formal release note in the future release.0 -
Hello @Zyxel_Charlie
Thanks for your reply.
1. The 4.20 readme states the following and we actually took this into account:
"Recommended upgrade to ZLD4.13 patch2 C0 or later version first before upgrade to ZLD4.20".
This is slightly different from what you propose.
I will send you the config files in a private message.
2. Thanks for considering this as an idea :-)
3. Agreed.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight