BLISLI




How to Upgrade a Juniper HA Netscreen or SSG Firewall

These notes assume that the bootloader is already up to date, and that we’re just upgrading the ScreenOS software.

Standalone Firewall

1) Download the latest ScreenOS release and release notes from Juniper support.
2) Backup (save) the config via GUI:
Configuration -> Update -> Config File -> Save to File
or Save Config via CLI: "save config to tftp ?"
3) Configuration -> Update -> Firmware/ScreenOS -> Load File. The Netscreen or SSG will now reboot and come back up at the new version.

——————————————————————-

Upgrade HA NSRP Pair – in Active/Standby Mode

– Upgrade Standby Unit First
– Configuration -> Update -> ScreenOS/Keys -> Firmware (ScreenOS) -> Load File -> Apply
– This uploads the file, applies the new image, and reboots. The WebUI will time out while the device is rebooting and should refresh back to the Netscreen login page after the reboot, which may take several minutes (if it has not refreshed after 5 min or so, hit the refresh button every 1-2 mins).
– Log in and confirm the Home page shows the new version
– Fail over to the secondary (On Primary: exec nsrp vsd-group 1 mode ineligible) – you can confirm group 1 is the correct VSD group through Network -> NSRP -> VSD Group
– Confirm the secondary is master (its CLI prompt should change from (B) (backup) to (M) (master)).

– Upgrade Primary
– Log in to the primary and confirm the home screen shows the new version
– On Primary: exec nsrp sync rto all from peer (syncs objects with secondary)
– Primary may fail back to master after it upgrades/reboots (if preempt is enabled); if it does not, and secondary is still active after the primary upgrade, manually fail primary back to active/master from secondary by using: exec nsrp vsd-group 1 mode backup
——————————————————————-
Upgrade HA NSRP Pair – in Active/Active Mode
Similar to the above note, except:
Fail over master/B (Group # changes):
• If the preempt option is enabled:
exec nsrp vsd-group 1 mode ineligible
• If the preempt option is not enabled:
exec nsrp vsd-group 1 mode backup
Then fail over other device and upgrade.
Followed by SYNC: exec nsrp sync rto all
Note: Use "get nsrp" from the CLI (or viewed through the WebUI) to make sure you’re using the correct VSD group in the commands above. Also use "get system" after the upgrade to confirm the upgrade was successful and reflects the new version.

——————————————————————-
Upgrade using the CLI

To upgrade and downgrade ScreenOS via the CLI, perform the following steps:

  1. Log in to the security device using an application such as Telnet or Secure Shell (SSH) or Hyper Terminal, if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.
  2. Before upgrading or downgrading a security device, save the existing configuration file to avoid losing any data:

    save config to tftp <ip_addr> <filename.cfg>
    For example:  save config to tftp 1.1.1.1 ssg5_date.cfg

    where:
    ip_addr is the IP address of the TFTP server
    filename.cfg is the name of the Config File.

  3. For simplicity, copy the ScreenOS firmware file to the TFTP server root folder.
    Note: Make sure that the ScreenOS firmware file has been extracted from the ZIP folder.
  4. Start the TFTP server, by double-clicking on the TFTP server application.
  5. Save the ScreenOS firmware to flash by entering the command:

    save soft from tftp [ip_addr] [filename] to flash
    Where:
    ip_addr is the IP address of your computer
    filename is the name of the ScreenOS firmware.

    Following output is seen when the file is downloaded:

    ssg20-> save software from tftp 172.16.10.10 SSG5SSG20.5.4.0r10.0 to flash
    Load software from TFTP 172.16.10.10 (file: SSG5SSG20.5.4.0r10.0).

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    tftp received octets = 12427198
    tftp success!
    TFTP Succeeded
    Save to flash. It may take a few minutes ...platform = 20, cpu = 1, version = 18
    update new flash image (04aa4020,12427198)
    platform = 20, cpu = 1, version = 18
    offset = 20, address = 8000000, size = 12427120
    date = 71e0f038, sw_version = 71e0f03c, cksum = 41d65212
    software major version is not same, accept this firmware? y/[n] y <==== Enter Y here
    Program flash (12427198 bytes) ...
    ++++++++++++++++++++++++++++++++++++++++++++++++++done
    Done
    ssg20->

  6. When the upgrade or downgrade is complete, you must reset the security device. Execute the reset command and enter y at the prompt to reset the device:
    ssg20-> reset <<=========Reboot the firewall using 'reset' command
    System reset, are you sure? y/[n] y <<===Enter Y here
    In reset ...

  7. Wait a few minutes, and then log in to the security device again.
  8. Use the command 'get system' to verify the version of the security device ScreenOS firmware.
  9. Use the command 'get config' to review the configuration.
  10. (Not required) If the existing configuration is incorrect, which can happen on a downgrade, upload the configuration file that you saved in step 3 by executing the command:
    save config to flash from tftp <ip_addr> <filename>

    Then execute the reset command and enter n at the prompt to save the config:

    ssg20-> reset <<=========Reboot the firewall using 'reset' command
    ssg20> Configuration modified, save? [y]/n n   <<=========Enter 'n'; otherwise you will overwrite the configuration you just copied to flash
    System reset, are you sure? y/[n] y <<===Enter Y here
    ssg20-> reset

    Wait a few minutes, and then log in to the security device again.
    Note: If you inadvertently entered y at the 'Configuration modified, save?' prompt, then simply repeat step 10 and enter n.
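
TFTP carries no authentication or integrity check, so it is worth confirming that the image written to flash is the file you staged. The following added example (not part of the original post or of Juniper's tooling) records the size and SHA-256 of the local image, flags a file that is still a ZIP archive, and checks a captured step 5 session log. The function names are hypothetical, and SAMPLE_LOG is an excerpt of the output shown above.

```python
import hashlib
import re

ZIP_MAGIC = b"PK\x03\x04"  # file still starts with a ZIP header: not extracted

# Excerpt of the session output shown in step 5 above.
SAMPLE_LOG = """\
tftp received octets = 12427198
tftp success!
TFTP Succeeded
software major version is not same, accept this firmware? y/[n] y
Program flash (12427198 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++done
Done
"""

def preflight(image: bytes) -> dict:
    """Facts to record about the local image before it goes on the TFTP server."""
    return {
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "still_zipped": image.startswith(ZIP_MAGIC),
    }

def check_transfer(session_log: str, expected_size: int):
    """Return (errors, notes) for a captured 'save soft from tftp' session."""
    errors, notes = [], []
    received = re.search(r"tftp received octets = (\d+)", session_log)
    programmed = re.search(r"Program flash \((\d+) bytes\)", session_log)
    if received is None:
        errors.append("no 'tftp received octets' line: transfer incomplete")
    elif int(received.group(1)) != expected_size:
        errors.append(f"received {received.group(1)} octets, expected {expected_size}")
    if programmed is None:
        errors.append("no 'Program flash' line: image was not written")
    elif received and programmed.group(1) != received.group(1):
        errors.append("bytes programmed differ from bytes received")
    if not re.search(r"^\s*\++done\s*$", session_log, re.MULTILINE):
        errors.append("flash programming did not reach 'done'")
    if "major version is not same" in session_log:
        notes.append("major-version change was accepted at the prompt")
    return errors, notes

if __name__ == "__main__":
    # Constructed bytes standing in for a firmware file that was never unzipped.
    print(preflight(b"PK\x03\x04 constructed sample bytes"))
    print(check_transfer(SAMPLE_LOG, expected_size=12427198))
```

Pass the size from preflight() of the real image as expected_size, and compare its SHA-256 with whatever reference value you hold for the download.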

Also see:  http://kb.juniper.net/index?page=content&id=KB13672&pmv=print

Posted by on July 27, 2011.

Categories: Juniper, Network
