How do you update the Security Network IPS (GX) firmware to a version that is not the newest version?
By default, when upgrading the Network IPS firmware version, you will only see the option to apply the latest firmware version. This is by design. However, there may be certain circumstances that require you to upgrade to an earlier version than the current (latest) one. Use the information in this article to accomplish this.
Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.
Things to consider prior to updating the Network IPS firmware:
- It is recommended that the given release notes for the particular firmware version be read prior to installing any firmware updates.
- Network traffic will not be inspected during the time of the firmware installation. Schedule a maintenance window as deemed appropriate.
- The appliance will reboot after the firmware installation is complete. Network traffic flow may be briefly interrupted.
- Firmware updates are not cumulative. In other words, if a Network IPS is at firmware version 4.3 and being updated to version 4.6.1, firmware version 4.4, 4.5, and 4.6 must be installed before proceeding to 4.6.1.
There are four different options available to update the Network IPS firmware to a specific version:
Option #1: Using the CLI (Command Line Interface)
- Using an SSH capable program (like PuTTY), log in to the IPS with the root credentials.
- Enter "menu" mode of lumCtrl using the
- Specify a maximum version of firmware to be installed using the updinstver fw command followed by the desired version number. For example, when updating to a maximum version of 4.6 the full command will be updinstver fw 4.6.
Caution: Running this command will begin the firmware installation process. The IPS will reboot once it has completed which will result in a disruption of traffic. Schedule for this, as needed.
The next few lines should read similar to this:
lum cmd:updinstver fw 4.6
Install updates to version
Version: Entered: '4.6'
Result of calling install update function: 0
Broadcast message from root (Tue Apr 16 12:48:29 2013):
The system is going down for reboot NOW!
- The install process will now begin as a background process and will not be visible. When the appliance reboots, this is an indication that the firmware installation is finalizing and will be completed upon reboot.
Option #2: Update Settings policy - Automatic Firmware Updates
- In the Update Settings policy, Update Settings tab, locate the Firmware Updates section.
- Enable the check box Ignore Any Product Updates or Features Later Than a Specified Version and input the firmware version to update to, but not exceed. Example:
- Select the radio button for Automatically download updates and install them.
Note: The automatic firmware updates will be installed based on the Date/Time settings in the Automatically Check for Updates section on the Update Settings tab.
- Save and deploy the new Update Settings policy to the Network IPS.
Option #3: Update Settings Policy > Scheduled Installations
- In the Update Settings policy, Scheduled Installations tab, add a new scheduled update.
- Specify the desired time for the update to start.
- For the Version: enter the desired firmware version. Example:
- Click OK. Save and deploy the policy to the IPS.
- When the scheduled time occurs, the Scheduled Installation will begin and only the specified version will be installed.
Option #4: Pointing the Update Settings policy to a fake, non-existent Update Server
Note: This method requires that the firmware package files already exist in /var/spool/updates/. Be sure these exist prior to attempting the upgrade. You can manually download the package files (if needed) by accessing the IBM Security Download Center. Once authenticated, click Download under My software on the left-hand side. Under My Products, click IBM Security Network IPS (GV/GX Series) and then the appropriate product under Product Lines. Here you will find all available firmware updates. Be sure to download the .pkg upgrade package (for each version you wish to update to) and copy them to the device into /var/spool/updates/. Alternatively, you may download these using the Manual Upgrader.
- From the X-Press Update Server machine and using an SCP capable program (like WinSCP), connect to the IPS using the root credentials.
- Change directory to /var/spool/updates/.
- Check if the necessary .pkg files are there. For example, if you are updating from version 4.4 to 4.6, check for the prov_g_firm_4.5.pkg and prov_g_firm_4.6.pkg files.
- Remove any unnecessary .pkg files for versions that will not be installed. For example, if updating to 4.5, remove the prov_g_firm_4.6.pkg and any later version files.
- If any .pkg files are missing, they can be copied from your X-Press Update Server machine, in the G-Series directory: \Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\htdocs\XPU\Proventia\G-Series\. Alternatively, they can be downloaded using the IBM Security Download Center or the Manual Upgrader as described at the beginning of this option.
- Using the SiteProtector console, open the Update Settings policy for the IPS. Go to the License and Update Servers tab.
- Enter a fake, non-existent server and port number (such as x.x.x.x port 3999) and enable it. Disable any other listed update servers.
- Save and deploy the policy to the IPS.
- In the LMI, check for updates (Manage System Settings > Administration > Check for Updates). When completed, the LMI should only show a firmware version available for install based on the latest firmware .pkg file found in the local /var/spool/updates/ directory.
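The package check in the steps above (confirm the chain of prov_g_firm_X.Y.pkg files is present, and identify any file above the target version so it can be removed before the LMI checks for updates) is easy to get wrong by eye when versions such as 4.6 and 4.6.1 sit side by side. The following helper is an added example, not IBM's code and not shipped on the appliance: it compares versions numerically component by component (so 4.6 sorts before 4.6.1) and prints a keep/remove line per package without deleting anything, so the administrator can review the result before removing files. The directory it inspects and the file names it creates in the demo are constructed for illustration; on a real appliance you would point classify_pkgs at /var/spool/updates/.

```shell
#!/bin/sh
# Added example (hypothetical helper, not IBM's code): classify firmware
# packages in an update directory relative to a target firmware version.

# version_le A B: exit 0 when version A <= version B, comparing dotted
# components numerically; a missing component counts as 0 (4.6 < 4.6.1).
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=""; else b=${b#*.}; fi
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 0
}

# pkg_version FILE: extract "4.6.1" from a name like prov_g_firm_4.6.1.pkg
pkg_version() {
    basename "$1" .pkg | sed 's/^prov_g_firm_//'
}

# classify_pkgs DIR TARGET: print "keep <file>" for packages at or below the
# target version and "remove <file>" for packages above it. Nothing is deleted.
classify_pkgs() {
    dir=$1; target=$2
    for f in "$dir"/prov_g_firm_*.pkg; do
        [ -e "$f" ] || continue
        v=$(pkg_version "$f")
        if version_le "$v" "$target"; then
            echo "keep $(basename "$f")"
        else
            echo "remove $(basename "$f")"
        fi
    done
}

# count_to_remove DIR TARGET: number of packages that sit above the target
count_to_remove() {
    classify_pkgs "$1" "$2" | grep -c '^remove ' || true
}

# make_demo_dir: constructed sample directory with empty placeholder packages
# (not real firmware files); prints its path so the caller can clean it up.
make_demo_dir() {
    d=$(mktemp -d)
    for v in 4.4 4.5 4.6 4.6.1; do : > "$d/prov_g_firm_$v.pkg"; done
    echo "$d"
}

# Usage on a real appliance would be:  classify_pkgs /var/spool/updates 4.5
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_dir)
    classify_pkgs "$demo" 4.5
    rm -rf "$demo"
fi
```

Run with --demo to see the classification for a target of 4.5 against the constructed 4.4, 4.5, 4.6 and 4.6.1 placeholders; the 4.6 and 4.6.1 entries are reported as "remove", matching the instruction to clear any later-version .pkg files before pointing the policy at the non-existent update server.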