Recovery Steps for USG FLEX/ATP Series Application Patrol Signature Issue (Jan. 2025)






Symptom:
The App Patrol signature release V1.0.0.20250123.0 may cause a parsing error on devices in On-premises mode. After updating to this signature, the application patrol daemon will not work properly, though the rest of the UTM features keep running. In the worst case, the device may get stuck if it is subsequently rebooted, whether manually or by schedule. If the device has the following symptoms, it is probably affected.
- Device Error: Wrong CLI command, device timeout or device logout.
- Unable to login to ATP/USG FLEX via web GUI: 504 Gateway timeout.
- CPU usage is high.
- In Monitor > Log, the message "ZySH daemon is busy" appeared.
- Unable to enter any commands on console.
- Coredump messages appear on console.
Solution:
The App Patrol signature release V1.0.0.20250123.0 has been removed.
New urgent date firmware is available to recover the affected device.
Model | Firmware link | Model | Firmware link |
---|---|---|---|
USG FLEX 100 | | ATP 100 | |
USG FLEX 100W | | ATP 100W | |
USG FLEX 100AX | | ATP 200 | |
USG FLEX 200 | | ATP 500 | |
USG FLEX 500 | | ATP 700 | |
USG FLEX 700 | | ATP 800 | |
Recovery steps:
Follow the instructions to recover the affected device.
Step 1. Configuration File Backup
- Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
- Enter atkz -b
- Enter atgo
- At this point, your ATP/FLEX has been reset to default, but the startup-config.conf has already been backed up. Connect your computer to the ATP/USG FLEX's lan1 to get DHCP IP address 192.168.1.33 directly.
- On your computer, open cmd and enter ftp 192.168.1.1. Log in with admin and password 1234.
- Enter cd /conf and get startup-config-back.conf to download the backup file.
- You can find the backup file on your computer.
Step 2. Firmware Recovery
- Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
- Enter atkz -f -l 192.168.1.1 to configure FTP server IP address.
- Enter atgof to bring up the FTP server.
- Use FTP to upload the firmware package. Keep the console session open in order to see when the firmware update finishes.
- Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254.
- Connect your computer to the first Ethernet port of the ATP/USG FLEX. For example, the first Ethernet port of USG FLEX 500 is P2.
- Use an FTP client on your computer to connect to ATP/USG FLEX. This example uses the ftp command in the Windows command prompt. The ATP/USG FLEX’s FTP server IP address for firmware recovery is 192.168.1.1.
- Log in without user name (just press enter).
- Set the transfer mode to binary "bin" and transfer the firmware file from your computer to ATP/USG FLEX.
- The console session displays “Firmware received” after the FTP file transfer is complete. Then you need to wait while ATP/USG FLEX recovers the firmware (this may take up to 4 minutes). The console session displays “done” when the firmware recovery is complete. Then the ATP/USG FLEX automatically restarts.
- Log in to ATP/USG FLEX's web GUI, then upload and apply the backup configuration file.
Note: If you have already enabled 2FA authentication for the admin account and would like to bypass it during the recovery procedure, please disable 2FA authentication by removing "two-factor-auth admin-access activate" (as shown below) from the backup configuration file before applying it. This ensures that you can log in to the firewall normally and bypass the 2FA authentication process.
Once you have successfully removed "two-factor-auth admin-access activate", the configuration will appear as follows:
This action is the same as navigating to Object > Auth. Method > Two-factor Authentication > Admin Access > General Settings and disabling the Enable option from the Web-GUI.
Step 3. Update App-Patrol signature to 1.0.0.20250102.0 manually
Go to CONFIGURATION > Licensing > Signature Update and update App-Patrol signature manually. Make sure the version is 1.0.0.20250102.0.
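For the 2FA note in Step 2, the following Python script is an added example (not Zyxel's code and not part of the original post): it removes only the quoted directive, writes the result to a separate file so the original backup stays intact for re-enabling 2FA afterwards, and reports exactly which line changed. The function names and the sample configuration lines are constructed for illustration; only the directive text comes from the note.

```python
import difflib
from pathlib import Path

# Directive quoted in the note above; only a whole-line match is removed.
TWO_FA_LINE = b"two-factor-auth admin-access activate"

def strip_admin_2fa(config: bytes):
    """Return (new_config, removed_line_numbers), leaving all other bytes as-is."""
    kept, removed = [], []
    for number, line in enumerate(config.splitlines(keepends=True), start=1):
        if line.strip() == TWO_FA_LINE:
            removed.append(number)      # remember where it was, to restore later
        else:
            kept.append(line)           # LF/CRLF endings are preserved
    return b"".join(kept), removed

def changed_lines(before: bytes, after: bytes):
    """Lines that differ between the two configs, as '- old' / '+ new' strings."""
    old = before.decode("utf-8", "replace").splitlines()
    new = after.decode("utf-8", "replace").splitlines()
    return [d for d in difflib.ndiff(old, new) if d[:2] in ("- ", "+ ")]

def write_recovery_copy(src: Path, dst: Path):
    """Write the 2FA-disabled copy to dst; the original backup is never modified."""
    if src.resolve() == dst.resolve():
        raise ValueError("refusing to overwrite the original backup")
    before = src.read_bytes()
    after, removed = strip_admin_2fa(before)
    if not removed:
        raise LookupError("directive not found; upload the backup unchanged")
    dst.write_bytes(after)
    return removed, changed_lines(before, after)

# Constructed sample: placeholder lines, not real device configuration.
SAMPLE = (b"! constructed sample\r\n"
          b"placeholder-setting one\r\n"
          b"  two-factor-auth admin-access activate\r\n"
          b"two-factor-auth admin-access placeholder-option 3\r\n"
          b"placeholder-setting two\r\n")

if __name__ == "__main__":
    new_config, removed = strip_admin_2fa(SAMPLE)
    print("removed line(s):", removed)
    print("\n".join(changed_lines(SAMPLE, new_config)))
```

The reported diff should contain the single removed directive and nothing else; any additional changed line means the file was altered beyond what the note describes.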
Comments
-
Affected devices have FTP working with no issue. Can't we just upload the new firmware using the FTP onto the malfunctioning device? If yes, which folder? I see firmware1 and firmware2 folders. Please advise as this would allow remote resolution and save hours and hours of travel time.
Martin Brys
0 -
Hello Martin!
The steps are shared above and we have tested all other potential ways like Web Interface, SSH and also FTP without success or unexpected side effects, so please follow the shared solution.
0 -
Good evening,
it's not the first time that due to updates you are left stranded...I have no idea how much and what work is behind all the updates...but personally I'm starting to be speechless and with the idea of changing devices as soon as possible.
Since I have several devices and not all are affected, I ask...is it possible to apply the new firmware if there is NOT one of the malfunctions listed?
Thanks
1 -
Hi,
The problem is also solved by downgrading the firmware and then upgrading the signatures
Obviously if you do not have firewalls exposed
Question: but will the next firmware release (e.g. 5.40) solve the problem for those who have downgraded the firmware?
Thanks
Regards
D.
1 -
Hi Guys,
Our FLEX 700 is alive again 😅. It took about one hour weekend time. Our invoice goes to the big "Z".
OK, where human beings are working, mistakes will be made. Insofar you get one for free. 👉️ 😉
But by the way, it seems your above mentioned recovery description contains one error or misunderstanding at least. It's correct, that we have to connect to port 3 (for USG FLEX 700) to receive a DHCP address from USG 192.168.1.33. But later, when trying to upload the fixed firmware bin file via FTP, you have to change the patch cable from port 3 to port 1!
Even if your description above says "P1", we were not aware that the port has to be changed in between. We tried different times and were surprised that we cannot establish an FTP connection. Only when switching to real P1 port it succeeded finally.
Also the download of the last config failed with us. I guess we've pressed the hard-reset button too long that the USG rebooted into factory reset instantly. But each Admin should have backups of its configs. Insofar this was no problem for us.
And finally, when accessing via WEB GUI again, we've uploaded our latest config as "startup.conf". Here the USG is immediately applying this new startup config without rebooting. But what we saw was the sandglass where we didn't know the current state for minutes. It would be better to give your backup config another name, upload it into the config table, and select it for reboot. Then the USG will rename it by itself on rebooting.
1 -
Thanks a lot for the nice documentation!
BUT….
The provided documentation is missing one important detail point:
When the affected device was successfully rebooted to the former backup partition, thus now really running with working signatures etc, the documentation leads to flashing this working partition but ignoring the really affected/bugged partition! For this it's necessary to switch/boot to the affected/bugged partition and then apply the steps from atkz -f -l 192.168.1.1 + atgof and ftp push again to be in a really clean state, otherwise the relevant partition remains affected/bugged.
0 -
I was able to successfully install the firmware.
Now I am always shown that there is a new firmware, but this is the “old” 5.39 Update 1 version. Should this be reinstalled or is the “new” version ok?
0 -
Hello @Zyxel_Emily
I see no way to recover the firewalls without driving onsite with a cable and a notebook, but this is mandatory because I see that there are also disconnections (and not only CLI errors or access issues) with internet availability for those sites configured on prem.
It seems to me that we have to plan the next days to recover firewalls one by one.
0 -
After 4/5 enormous crashes it is necessary to make a big class action. We need a refund for Zyxel's mistake. Take a lawyer and ask for a refund.
1 -
This is unacceptable! This is the third time in as many years. I've been using Zyxel for 15 years. I have multiple devices all over the place and now have to go onsite to multiple clients! How can you be so lame as not to do the basics of testing prior to release? Time to move on.
0