Upgrading or downgrading ScreenOS on the Juniper SSG5 firewall:
Before reading on, please read the following link first; it is very important!!
Because the Juniper SSG5 firewall's ScreenOS upgrade and downgrade both use the same CLI command, the two are best discussed together.
The command format is as follows:
save software from tftp <IP address> <ScreenOS filename> to flash
reset
Juniper officially calls ScreenOS an image file, and an image file must be paired with the matching image key for the system to run and update normally.
Image keys come in an old and a new generation, listed as follows:
Old Image Key (download)
--- for versions 6.3.0r18 and earlier
Here we only discuss the ssg5 (the device I own). Based on my own experiments, the new Image Key applies to versions 6.3.0r19 and later, while the old Image Key applies to versions 6.3.0r18 and earlier. Never use the wrong key for a version, or serious problems will result!
If the target ScreenOS version you are downgrading to is 6.3.0r19 or later, use the new Image Key.
If the target ScreenOS version you are downgrading to is 6.3.0r18 or earlier, use the old Image Key.
Upgrading or downgrading ScreenOS consists of the following steps; enter these commands at the CLI:
1. get system  -- check the running ScreenOS version
2. delete crypto auth-key  -- remove the current image key
3. save image-key tftp 192.168.1.11 imagekey.cer  -- load the image key; before loading, confirm that the Image Key generation matches the ScreenOS version you are about to install, otherwise a serious error will occur
4. save software from tftp 192.168.1.11 ssg5ssg20.6.3.0r5.0 to flash  -- load the ScreenOS version to install
5. reset  -- reboot
6. get system  -- check the ScreenOS version after the update
The above is the standard procedure.
When updating ScreenOS on a Juniper SSG5 we generally encounter one of the following two situations:
1. The upgrade or downgrade crosses the boundary between the version ranges covered by the old and new Image Keys
If your upgrade or downgrade crosses the boundary between the version ranges covered by the old and new Image Keys, you must use the standard procedure. For example, upgrading from ssg5ssg20.6.0.0r1.0 to ssg5ssg20.6.3.0r22.0, or downgrading from ssg5ssg20.6.3.0r23 to ssg5ssg20.6.3.0r5.0, must follow the standard procedure throughout.
2. The upgrade or downgrade stays within the version range covered by a single Image Key (old or new)
If your upgrade or downgrade stays within the range covered by the new Image Key (versions 6.3.0r19 and later), you can skip the steps that remove and load the Image Key and simply run save software from tftp 192.168.1.11 ssg5ssg20.6.3.0r22.0 to flash followed by reset. For example, if the running ScreenOS version is ssg5ssg20.6.3.0r21.0, you can move directly from the CLI, up or down, to ssg5ssg20.6.3.0r24, ssg5ssg20.6.3.0r23, ssg5ssg20.6.3.0r22.0, ssg5ssg20.6.3.0r20.0, ssg5ssg20.6.3.0r19.0 and so on, without removing and loading the Image Key.
By the same reasoning, if your upgrade or downgrade stays within the range covered by the old Image Key (versions 6.3.0r18 and earlier), the steps are the same.
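The two cases above reduce to one decision: does the move cross the 6.3.0r18/6.3.0r19 boundary, so that the image key on the device would no longer match the image being loaded? The Python script below is an added example written for this article, not the author's code and not a Juniper tool. It parses the image file names used on this page, decides which image key generation each version needs, and prints the CLI command sequence for the move. The key file names imagekey.cer and imagekey-new.cer, the TFTP address 192.168.1.11 and the function names are assumptions made for illustration.

```python
import re
from typing import List, Tuple

# Hypothetical planning helper written for this article; not Juniper tooling.
# It encodes the rule stated in the post: the old image key covers ScreenOS
# up to 6.3.0r18, the new image key covers 6.3.0r19 and later.
NEW_KEY_FROM = (6, 3, 0, 19)

# Image file names as they appear in the post, e.g. ssg5ssg20.6.3.0r22.0 or ssg5ssg20.6.3.0r23
_IMAGE_RE = re.compile(r"^ssg5ssg20\.(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")

# Assumed file names for the two key generations on the TFTP server (the post
# mentions imagekey.cer and imagekey-new.cer; map them to your own files).
KEY_FILES = {"old": "imagekey.cer", "new": "imagekey-new.cer"}


def parse_version(image_name: str) -> Tuple[int, int, int, int]:
    """Turn an image file name into a comparable (major, minor, patch, release) tuple."""
    m = _IMAGE_RE.match(image_name)
    if not m:
        raise ValueError(f"not an ssg5ssg20 image file name: {image_name!r}")
    major, minor, patch, release = (int(x) for x in m.groups())
    return (major, minor, patch, release)


def key_generation(version: Tuple[int, int, int, int]) -> str:
    """'old' for 6.3.0r18 and earlier, 'new' for 6.3.0r19 and later."""
    return "new" if version >= NEW_KEY_FROM else "old"


def needs_key_swap(current_image: str, target_image: str) -> bool:
    """True when the move crosses the old/new image-key boundary (case 1 in the post)."""
    return key_generation(parse_version(current_image)) != key_generation(parse_version(target_image))


def plan(current_image: str, target_image: str, tftp_ip: str = "192.168.1.11") -> List[str]:
    """Return the CLI commands for the move, in the order the post gives them.

    Case 1 (boundary crossed): the full standard procedure including the key swap,
    loading the key generation that matches the *target* version.
    Case 2 (same key generation): the key steps are omitted.
    """
    target_gen = key_generation(parse_version(target_image))
    cmds = ["get system"]
    if needs_key_swap(current_image, target_image):
        cmds.append("delete crypto auth-key")
        cmds.append(f"save image-key tftp {tftp_ip} {KEY_FILES[target_gen]}")
    cmds.append(f"save software from tftp {tftp_ip} {target_image} to flash")
    cmds.append("reset")
    cmds.append("get system")
    return cmds


if __name__ == "__main__":
    # The three moves used as examples in the post.
    for cur, tgt in [("ssg5ssg20.6.0.0r1.0", "ssg5ssg20.6.3.0r22.0"),
                     ("ssg5ssg20.6.3.0r23", "ssg5ssg20.6.3.0r5.0"),
                     ("ssg5ssg20.6.3.0r21.0", "ssg5ssg20.6.3.0r19.0")]:
        print(f"{cur} -> {tgt}:")
        for c in plan(cur, tgt):
            print("   ", c)
```

The comparison is done on tuples rather than on the raw file name so that, for instance, 6.3.0r5 sorts below 6.3.0r19 even though "5" follows "19" as a string; the release number is the only component that differs between the old and new key ranges on this page, but the full tuple keeps the rule correct across the 6.0.x to 6.3.x jump as well.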
The ScreenOS upgrade method is explained below for J-Web mode and for CLI mode.
J-Web mode:
If you are downgrading and the move crosses the boundary between the old and new Image Key ranges, first run the command delete crypto auth-key at the CLI, then follow the procedure below to carry out the downgrade.
J-Web mode and CLI mode are conceptually identical; the difference is that some J-Web operations are batched, running several CLI commands at once. For example:
Configuration > Update > ScreenOS/Keys ==> Image Signature Key Update
is equivalent to the CLI command save image-key tftp 192.168.1.6 imagekey-new.cer
Configuration > Update > ScreenOS/Keys ==> Firmware Update (ScreenOS)
is equivalent to the CLI command save software from tftp 192.168.1.6 ssg5ssg20.6.3.0r21.0 to flash
followed by the CLI command reset
The J-Web procedure is as follows:
First prepare the files needed for the upgrade: ssg5ssg20.6.3.0r23 and imagekey.cer.
Starting with 6.3.0r19, upgrading the firewall OS requires the image key to be loaded first.
Log in to your SSG5's web interface and, in the left-hand menu, go to
Configuration > Update > ScreenOS/Keys ==> Image Signature Key Update,
click "Browse", change to the appropriate directory and select imagekey.cer.
If your upgrade or downgrade stays within the range covered by a single Image Key (old or new), this step can be skipped; proceed directly to the ScreenOS update.
Remember to click "Apply".
Then immediately perform the ScreenOS update:
Configuration > Update > ScreenOS/Keys ==> Firmware Update (ScreenOS),
click "Browse", change to the appropriate directory and select the ssg5ssg20.6.3.0r23 file.
Remember to click "Apply", then wait for the SSG5 to finish updating! The system reboots automatically during the process.
During the process you can connect to the console to watch the update and the reboot.
CLI mode:
Please refer to the following link first:
If your upgrade or downgrade crosses the boundary between the old and new Image Key ranges, you must use the standard procedure (as shown at the beginning of this article).
If your upgrade or downgrade stays within the range covered by a single Image Key (old or new), the procedure is as follows:
First log in on the console, then enter the following command at the CLI to load ScreenOS.
ssg5-serial-> save software from tftp 192.168.1.11 ssg5ssg20.6.3.0r23 to flash
Load software from TFTP 192.168.188.6 (file: ssg5ssg20.6.3.0r23).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 13385489
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
update new flash image (02ab2dc0,13385489)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 13385410
date = 258b, sw_version = 31808000, cksum = 6bf65b86
Image authenticated!
Program flash (13385489 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++ done
Done
Finally, remember to reboot to complete the update (at this point the system is still running the old version).
ssg5-serial-> reset
System reset, are you sure? y/[n] y
In reset ...
Juniper Networks SSG5 Boot Loader Version 1.3.3 (Checksum: C3E4C0F8)
Copyright (c) 1997-2006 Juniper Networks, Inc.
The result of loading ScreenOS directly without first removing the image key:
ssg5-serial-> save software from tftp 192.168.1.11 ssg5ssg20.6.3.0r23 to flash
Load software from TFTP 192.168.188.6 (file: ssg5ssg20.6.3.0r23).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
tftp received octets = 13353346
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
update new flash image (02ab2dc0,13353346)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 13353268
date = 1f08, sw_version = 31808000, cksum = 42d91b23
********Invalid image!!!
********Bogus image - not authenticated!!!
Fips check failed
Done
ssg5-serial->
Result: failure! The Program flash (Save to flash) step was never executed.
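What separates the successful session from the failed one above is the "Image authenticated!" line: the device writes flash only after the image's signature verifies against the image key currently loaded, and otherwise prints "Bogus image - not authenticated!!!" and leaves flash untouched, so the old version keeps running. As an added example that is not part of the original post, the Python script below parses a captured "save software ... to flash" console session and reports whether flash was actually written, which is the check to make before typing reset. The two session excerpts embedded in it are constructed from the output quoted on this page with the progress bars shortened; the function names are assumptions.

```python
import re

# Constructed excerpts modelled on the two console sessions quoted in the post
# (progress bars shortened). They are sample input for this script, not new captures.
SESSION_OK = """\
Load software from TFTP 192.168.188.6 (file: ssg5ssg20.6.3.0r23).
!!!!!!!!
tftp received octets = 13385489
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
update new flash image (02ab2dc0,13385489)
date = 258b, sw_version = 31808000, cksum = 6bf65b86
Image authenticated!
Program flash (13385489 bytes) ...
++++++++ done
Done
"""

SESSION_REJECTED = """\
Load software from TFTP 192.168.188.6 (file: ssg5ssg20.6.3.0r23).
!!!
tftp received octets = 13353346
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
update new flash image (02ab2dc0,13353346)
date = 1f08, sw_version = 31808000, cksum = 42d91b23
********Invalid image!!!
********Bogus image - not authenticated!!!
Fips check failed
Done
"""


def parse_flash_session(text: str) -> dict:
    """Extract the facts an operator needs from a 'save software ... to flash' session."""
    info = {
        "tftp_ok": "TFTP Succeeded" in text,
        "received_octets": None,
        "cksum": None,
        # Printed only when the image signature verifies against the loaded image key.
        "authenticated": "Image authenticated!" in text,
        "rejected": "not authenticated" in text or "Invalid image" in text,
        "programmed": False,
        "programmed_bytes": None,
    }
    m = re.search(r"received octets = (\d+)", text)
    if m:
        info["received_octets"] = int(m.group(1))
    m = re.search(r"cksum = ([0-9a-fA-F]+)", text)
    if m:
        info["cksum"] = m.group(1)
    # Flash is written only after authentication: require the "Program flash" line
    # and a trailing "done" after it before reporting the image as programmed.
    prog = re.search(r"Program flash \((\d+) bytes\)", text)
    if prog:
        info["programmed_bytes"] = int(prog.group(1))
        info["programmed"] = bool(re.search(r"\bdone\b", text[prog.end():]))
    return info


def verdict(info: dict) -> str:
    """Human-readable next step derived from the parsed session."""
    if info["tftp_ok"] and info["authenticated"] and info["programmed"]:
        return "flashed: reset to boot the new image"
    if info["rejected"]:
        return "rejected: loaded image key does not match this image; flash untouched"
    return "incomplete: transfer or flash write did not finish"


if __name__ == "__main__":
    for name, session in [("ok", SESSION_OK), ("rejected", SESSION_REJECTED)]:
        info = parse_flash_session(session)
        print(f"{name}: octets={info['received_octets']} cksum={info['cksum']} -> {verdict(info)}")
```

The "Done" that closes the rejected session is the command finishing, not the flash write finishing, which is why the parser only trusts a "done" that follows the "Program flash" line. The cksum and octet count are recorded so that a session log can be compared against the file you intended to load.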
Downgrade ScreenOS SSG
How to downgrade ScreenOS from the latest version to an earlier version?
It's not possible if you manage the security device with an NSM server.
Otherwise, if you manage this device directly (without a management server), you can connect to this device and type:
From 5.X to 5.X-n or 6.X to 5.x
exec save soft from tftp IP_Addr_of_TFTP_server firmware_file to flash
reset
exec save soft from tftp 192.168.1.12 ssg5ssg20.6.0.0r1.0 to flash
reset
From 5.x to 4.x
exec save soft from tftp IP_Addr_of_TFTP_server firmware_file to flash
exec downgrade