Knowledge Search


×
 

How to upgrade ScreenOS either via the WebUI or CLI

  [KB13672] Show Article Properties


Summary:
This article provides information on how to upgrade and downgrade ScreenOS on the firewall.
Symptoms:
  • Upgrade ScreenOS via WebUI (Web Management) or CLI (Command Line Interface)

  • How do I upgrade ScreenOS on the Juniper firewall -- SSG, ISG, or NS device?

  • How do I update my ScreenOS?

  • Procedure to upgrade or downgrade ScreenOS via the WebUI or CLI
Cause:

Solution:

Note:  The following procedure is also documented in more detail in the Technical documentation.



  1. Go to http://www.juniper.net/techpubs/software/screenos.

  2. Select the ScreenOS version.

  3. For ScreenOS 6.0 or later, select the Upgrade Guide.

    For ScreenOS 5.4 or earlier, select the Release Notes.
Refer to the Upgrade using the WebUI and Upgrade Using the CLI sections.
Refer to http://www.juniper.net/support/eol/screenos.html for supported firmware on your device.


UPGRADE via the WEBUI


To upgrade ScreenOS via the WebUI, perform the following procedure:

Note: You can download firmware updates from the Juniper website. For more information on downloading firmware updates from the website, refer to KB7860 - Download ScreenOS Updates From the Web.

  1. Open the WebUI. For more information on accessing WebUI, refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

  2. Logon as the root admin or an admin with read-write privileges.

  3. Before upgrading or downgrading a security device, save the existing configuration file to avoid losing any data.  From the ScreenOS options menu, go to Configuration > Update, and then click Save to File.



    In the File Download dialog box, click Save. Navigate to the location, in which you want to save the configuration file (cfg.txt), and then click Save.


  4. To upgrade, go to Configuration > Update > ScreenOS/Keys:


  5. From the ScreenOS/Keys page, select the Firmware Update checkbox and click Browse:


  6. From the Choose file dialog box, select the update file, and then click Save.

    Note:  Ensure that the selected ScreenOS firmware has been extracted from the ZIP file.

    For this example, the ssg5ssg20.6.1.0r1.0 update file was selected:


  7. From the ScreenOS/Keys page, click Apply. In the Microsoft Internet Explorer window, click OK.

    Note: The firewall will automatically reboot, after OK is clicked and the firmware has been updated.



    Note: This process takes some time. Do not click Cancel or the upgrade /downgrade will fail. If you click Cancel and the upgrade fails, power off the device and then power it on again. Restart the upgrade procedure from step 2.  Leave your browser open for 5 minutes, Refresh the browser, and Login again.

Downgrade via the WEBUI
 

ScreenOS downgrade is not possible via the WebUI. The downgrade has to be performed via the CLI.


Upgrade and downgrade via the CLI

To upgrade and downgrade ScreenOS via the CLI, perform the following procedure:

Note: You can download firmware updates from the Juniper website. For more information on downloading firmware updates from the website, refer to KB7860 - Download ScreenOS Updates From the Web.

  1. Log in to the security device using an application such as Telnet or Secure Shell (SSH) or Hyper Terminal, if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

  2. Before upgrading or downgrading a security device, save the existing configuration file to avoid losing any data:
    save config to tftp <ip_addr> <filename.cfg>
    For example:  save config to tftp 1.1.1.1 ssg5_date.cfg


    where:

    ip_addr is the IP address tftp server
    filename.cfg is the name of the Config File.

  3. For simplicity, copy the ScreenOS firmware file to the TFTP server root folder.

    Note:  Ensure that that the ScreenOS firmware has been extracted from the ZIP folder.

  4. Start the TFTP server, by double-clicking on the TFTP server application.

  5. Save the ScreenOS firmware to flash by entering the command:
    save soft from tftp [ip_addr] [filename] to flash

    Where:
    ip_addr is the IP address of your computer

    filename is the name of the ScreenOS firmware.
    The following output is seen when the file is downloaded:
    ssg20-> save software from tftp 172.16.10.10 SSG5SSG20.5.4.0r10.0 to flash
    Load software from TFTP 172.16.10.10 (file: SSG5SSG20.5.4.0r10.0).
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    tftp received octets = 12427198
    tftp success!

    TFTP Succeeded
    Save to flash. It may take a few minutes ...platform = 20, cpu = 1, version = 18
    update new flash image (04aa4020,12427198)
    platform = 20, cpu = 1, version = 18
    offset = 20, address = 8000000, size = 12427120
    date = 71e0f038, sw_version = 71e0f03c, cksum = 41d65212
    software major version is not same, accept this firmware? y/[n] y <==== Enter Y here
    Program flash (12427198 bytes) ...
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++done
    Done
    ssg20->

    Note: In case of a need to downgrade the device to firmware 5.2 or earlier, even if bootrom and bootloaded are upgraded, prior to proceeding to the next step, execute following command:
    ssg20-> exec downgrade

  6. When the upgrade or downgrade is complete, you must reset the security device.   Execute the reset command and enter y at the prompt to reset the device
    ssg20-> reset < Reboot the firewall using 'reset' command
    System reset, are you sure? y/[n] y < Enter Y here
    In reset ...

  7. Wait a few minutes, and then log in to the security device again.

  8. Use the get system command to verify the version of the security device ScreenOS firmware.

  9. Use the get config command to review the configuation. 

  10. (Not required) If the existing configuration is incorrect, which can happen on a downgrade, upload the configuration file that was saved in step 3, by executing the following command:

    save config from tftp <tftp ip> <filename> to flash
    Then execute the reset command and enter n at the prompt to save the config:
    ssg20-> reset < Reboot the firewall using 'reset' command
    ssg20> Configuration modified, save? [y]/n n   < Enter 'n'; otherwise you will overwrite the configuration you just copied to flash
    System reset, are you sure? y/[n] y < Enter Y here
    ssg20-> reset

    Wait for a few minutes and then logon to the security device again.

    Note:  If you inadvertantly entered y at the 'Configuration modified, save?' prompt, then just repeat step 10 and enter n.
Related Links: