IBM Support

Updating Security Network IPS firmware to a specific version

Question & Answer


Question

How do you update the Security Network IPS (GX) firmware to a version that is not the newest version?

Cause

By default, when you upgrade the Network IPS firmware, you see only the option to apply the latest firmware version. This is by design. However, certain circumstances might require you to upgrade to a version earlier than the latest one. Use the information in this article to do so.

Answer

Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.


Things to consider before updating the Network IPS firmware:
  • It is recommended that the given release notes for the particular firmware version be read prior to installing any firmware updates.
  • Network traffic is not inspected during the time of the firmware installation. Schedule a maintenance window as deemed appropriate.
  • The appliance will reboot after the firmware installation is complete. Network traffic flow might be briefly interrupted.
  • Firmware updates are not cumulative. In other words, if a Network IPS is at firmware version 4.3 and being updated to version 4.6.1, firmware version 4.4, 4.5, and 4.6 must be installed before proceeding to 4.6.1.

There are four different options available to update the Network IPS firmware to a specific version:

Option #1: Using the CLI (Command Line Interface)
 
  1. Using an SSH capable program (like PuTTY), log in to the IPS with the root credentials.
  2. Enter "menu" mode of lumCtrl using the lumCtrl -m command.
  3. Specify a maximum version of firmware to be installed using the updinstver fw command followed by the desired version number. For example, when updating to a maximum version of 4.6 the full command is updinstver fw 4.6.

    Caution: Running this command begins the firmware installation process. The IPS reboots once it completes which results in a disruption of traffic. Schedule for this, as needed.

    The next few lines should read similar to this:

    lum cmd:updinstver fw 4.6
    Install updates to version
    type:
    Type: 'fw'
    Version: Entered: '4.6'
    Result of calling install update function: 0
    lum cmd:
    Broadcast message from root (Tue Apr 16 12:48:29 2013):

    The system is going down for reboot NOW!
  4. The installation now runs as a background process and is not visible. The appliance reboot indicates that the firmware installation is finalizing; the installation is complete once the reboot finishes.


Option #2: Update Settings policy - Automatic Firmware Updates
 
  1. In the Update Settings policy, Update Settings tab, locate the Firmware Updates section.
  2. Enable the check box Ignore Any Product Updates or Features Later Than a Specified Version and input the firmware version to update to, but not exceed. Example: 4.5.
  3. Select the radio button for Automatically download updates and install them.
    Note: The automatic firmware updates are installed based on the Date/Time settings in the Automatically Check for Updates section on the Update Settings tab.
  4. Save and deploy the new Update Settings policy to the Network IPS.


Option #3: Update Settings Policy > Scheduled Installations 
 
  1. In the Update Settings policy, Scheduled Installations tab, add a new scheduled update.
  2. Specify the desired time for the update to start.
  3. For Version, enter the desired firmware version. Example: 4.5.
  4. Click OK. Save and deploy the policy to the IPS.
  5. When the scheduled time occurs, the Scheduled Installation begins and only the specified version is installed.


Option #4: Pointing the Update Settings policy to a fake, non-existent Update Server

Note: This method requires that the firmware package files exist in /var/spool/updates/. Be sure these exist before attempting the upgrade. You can manually download the package files (if needed) by accessing the IBM Security Download Center. Once authenticated, click Download under My software on the left side. Under My Products, click IBM Security Network IPS (GV/GX Series) and then the appropriate product under Product Lines. Here you find all available firmware updates. Be sure to download the .pkg upgrade package (for each version you want to update to) and copy them to the device into /var/spool/updates/. Alternatively, you can download these using the Manual Upgrader.
 
  1. From the X-Press Update Server machine and by using an SCP capable program (like WinSCP), connect to the IPS using the root credentials.
  2. Change directory to /var/spool/updates/.
  3. Check if the necessary .pkg files are there. For example, if you are updating from version 4.4 to 4.6, check for the prov_g_firm_4.5.pkg and prov_g_firm_4.6.pkg files.
  4. Remove any unnecessary .pkg files for versions that will not be installed. For example, if updating to 4.5, remove the prov_g_firm_4.6.pkg and any later version files.
  5. If any .pkg files are missing, they can be copied from your X-Press Update Server machine, in the G-Series directory: \Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\htdocs\XPU\Proventia\G-Series\. Alternatively, they can be downloaded by using the IBM Security Download Center or the Manual Upgrader as described at the beginning of this option.
  6. Using the SiteProtector console, open the Update Settings policy for the IPS. Go to the License and Update Servers tab.
  7. Enter a fake, non-existent server and port number (such as x.x.x.x port 3999) and enable it. Disable any other listed update servers.
  8. Save and deploy the policy to the IPS.
  9. In the LMI, check for updates (Manage System Settings > Administration > Check for Updates). When completed, the LMI should only show a firmware version available for install based on the latest firmware .pkg file that is found in the local /var/spool/updates/ directory.
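The package check in steps 3 and 4 of Option #4, combined with the rule that firmware updates are not cumulative, can be worked out on an administration workstation before anything is copied to or removed from the appliance. The following is an added example, not IBM code: the function name, the release list passed in (taken from the versions named in this article; confirm it against the release notes) and the assumption that every package follows the prov_g_firm_<version>.pkg pattern are illustrative.

```python
import re

# File name pattern taken from the article's examples (prov_g_firm_4.5.pkg);
# assumed here to hold for three-part versions as well.
PKG_RE = re.compile(r"^prov_g_firm_(\d+(?:\.\d+)*)\.pkg$")


def vkey(version):
    """Turn '4.6.1' into (4, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def plan_staging(filenames, current, target, releases):
    """Plan the contents of /var/spool/updates/ for an upgrade to `target`.

    filenames: names found in the staging directory (a listing, read-only)
    releases:  every released firmware version, supplied by the operator
    Returns the versions to install in order, the package files that are
    missing, and the package files for later versions that must be removed.
    """
    ordered = sorted(set(releases), key=vkey)
    if current not in ordered or target not in ordered:
        raise ValueError("current and target must both be in the release list")
    if vkey(target) <= vkey(current):
        raise ValueError("target must be later than the installed version")

    # Updates are not cumulative: every release between current and target
    # has to be installed, in order.
    required = [v for v in ordered if vkey(current) < vkey(v) <= vkey(target)]

    present = {}
    for name in filenames:
        match = PKG_RE.match(name)
        if match:
            present[match.group(1)] = name

    missing = ["prov_g_firm_%s.pkg" % v for v in required if v not in present]
    # Any package later than the target would be offered by the LMI instead.
    remove = sorted(n for v, n in present.items() if vkey(v) > vkey(target))
    return {"install_order": required, "missing": missing, "remove": remove}


if __name__ == "__main__":
    # Constructed sample listing of /var/spool/updates/ for a 4.4 appliance.
    listing = ["prov_g_firm_4.6.pkg", "prov_g_firm_4.6.1.pkg", "notes.txt"]
    releases = ["4.3", "4.4", "4.5", "4.6", "4.6.1"]
    print(plan_staging(listing, "4.4", "4.6", releases))
```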


Document Information

Modified date:
25 January 2021

UID

swg21628175