Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Egor_Cherkasov
Contributor

Upgrading firmware on 1200R appliance

Hello CheckMates.

I'd like to share with you an issue and its solution.

So if you want to upgrade firmware on SMB appliances like 1100, 1200R etc.,which have embedded Gaia OS, you will probably face with a lot of problems.

There is a small guide (sk107592) or you can find official Check Point 1200R Appliance Administration Guide:

To perform a fresh/clean install of firmware on 600/700/1100/1400/1200R appliances via USB, the USB must use a FAT32 file system.

  1. Copy the desired firmware image onto the USB (not in subfolders and not with other firmware images present).

  2. Insert the USB into "USB1" on the front of the appliance.

  3. Wait for the "USB1" LED light to activate, indicating that the USB was detected.

  4. Reboot the appliance either via the WebUI, SSH command #reboot, or by power cycling the appliance.

    During the boot process, the appliance will detect the USB and firmware image. 
    The appliance will perform a reset to factory defaults, followed by a fresh install of the selected firmware version. 
    Note: You may need to use Ctrl-C to interrupt the bootloader and select the relevant option.

Note: This procedure erases the existing image and settings.

First of all you can not do manual upgrade via Web interface, because of operation failed error. 

Moreover USB is only one way to upgrade your device.

What is the desired firmware image? It is an appliance package, not the actual firmware!!!

Here is an example of what you have to download (img extension).

Then you copy this file on the USB (may be you'll need to extract and archive) and follow the instruction.

P.S.: If the USB is not read, try to rename your image file to fw1_ind_vR77_990172541_20_81.img view (this is what appliance wants to see).

19 Replies
Tom_Hinoue
Advisor
Advisor

Per an update on sk122276 - SMB appliances fail to upgrade firmware it looks like we need one more flavor to it.

To prevent the issue from occuring again in such scenario (due to bad blocks), we will need to burn the image with the following hotfix Smiley Happy

R77.20.81 jumbo hf: fw1_sx_dep_R77_990172557_20.img
R77.20.85 jumbo hf: fw1_sx_dep_R77_990172740_20.img

G_W_Albrecht
Legend Legend
Legend

This discussion is very, very confusing and looks like a copy/paste action using CP documents - nice to cite the well-known sk107592 and provide screenshots from CP website, but i see no description of any issue at all !

What i see is the assertion: So if you want to upgrade firmware on SMB appliances like 1100, 1200R etc.,which have embedded Gaia OS, you will probably face with a lot of problems.

But after nearly 8 years, out of my experiences i could not say that - in most use cases, firmware update using WebGUI is working very fine, and local access and USB install is not so easy (mostly small remote sites). So i would be rather interested in statistics about the reported installation failures and its causes.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Egor_Cherkasov
Contributor

The reason why I have created a discussion is to inform people, that they have to download  Appliance Package (green arrow) , not the firmware (red arrow). There is no information about it nuance on the Internet. And it's confusing, because logically if you want to upgrade firmware, you should install firmware, but here we can see that's not true.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I never had such an issue - i use the firmware version page, e.g. sk137212: R77.20.81 for Small and Medium Business Appliances to download firmeware install files for WebGUI or Smart Update. When using the Search page like you do, i find installable .img files here 

or here 

R77.20.80 Build 990172437 for 1200R Appliances

But the Check Point 1200R Appliance package R77.20.70 build 990171948 you give is the .tgz for SmartUpdate...

But please finally explain what the issue is that you like to discuss here !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Egor_Cherkasov
Contributor

I don't actually want to discuss the issue, I just want to share with that little problem with community. Maybe someone will face with the same problem.

Sorry if I jumbled the categories,where I can write this.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

So please explain in detail what the problem is that you want to share with community, because i did not understand it yet - downloading and trying to install a wrong file for firmware update will not really be an issue, i suppose...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Egor_Cherkasov
Contributor

Okay

I was upgrading 1200R and certainly I was following the administration guide.

But there was a problem: appliance had not read the USB, when it rebooted.

I had tried a lot of firmware images, a lot of USBs and the decision was to download appliance package.

I mean, in the guide there is an information that you have to download Firmware to upgrade firmware, however it didn't worked. You should download appliance package to upgrade firmware.

That thing is confusing for me.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

If you have the 1200R locally managed, you can use the .img file for firmware update by using WebGUI or USB medium. If it is centrally managed, you either install the .tgz file using SmartUpdate or the .img file for firmware update by using WebGUI or USB medium.  Further possibilities are: Upgrade using boot menu will load a firmware fw1*.img or u-boot.bin boot-loader file from a BOOTP or tftp server. On R77.30 you can also use SmartProvisionig/LSM. If you have a SMB unit managed by SMP Portal you can control firmware updates from the portal.

--> But there was a problem: appliance had not read the USB, when it rebooted.

Yes, led (red) should light up before you can reboot unit from CLI. Otherwise, .img will not be found.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin

Hi all, I have to second Günther W. Albrecht‌'s opinion here.

From where I stand, the issue is cause by an attempt to download and apply a wrong file. The best practice is always to use R77.20.81 for Small and Medium Business Appliances  for firmware downloads.

Also, Egor Cherkasov, if you have not seen Günther W. Albrecht's great collection of SMB related SKs, here is the link: https://community.checkpoint.com/docs/DOC-2648-smb-devices-references-and-sk-s 

0 Kudos
Egor_Cherkasov
Contributor

I haven't seen this article, it's an amazing job, thank you for sharing.

0 Kudos
_Val_
Admin
Admin

Always happy to help and share. Follow Gunter, he is our SMB champion here

0 Kudos
LadislavNemecek
Participant

Based on my about 5y experiences I can agree with Günther W. Albrecht - Not remember any serious issues with WebGUI based firmware upgrade - by my opinion easiest way especially for central managed smb appliances spread all around the world with no local support...

USB deploy will restore to factory defaults, which require additional console config of interfaces... Manual upgrade preserve all settings

Worth to mention two important things by me

  •  do not rename original iso file placed in USB root dir!
  •  there are several different GaiaEmbeded firmware versions - of course update will fail if you apply 1400 iso to 1100
Vitaly_86
Explorer

When updating through the GUI, we get an error

error.PNG

An attempt to update via usb also fails

U-Boot 2013.07 (Development build, svnversion: u-boot:exported, exec:) (Build time: Oct 09 2017 - 16:34:33)
Check Point version: 990170228

************ Hit 'Ctrl + C' for boot menu ************

OCTEON CN7010-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 500 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x4e000000, size: 0x2000000
DRAM: 1 GiB
Clearing DRAM...... done
Octeon MMC/SD0: 1, Octeon MMC/SD1: 2
Flash: 0 Bytes
PCIe: Port 0 not in PCIe mode, skipping
PCIe: Port 1 not in PCIe mode, skipping
PCIe: Port 2 not in PCIe mode, skipping
PCI console init succeeded, 1 consoles, 1024 bytes each

PCIe: Port 0 not in PCIe mode, skipping
PCIe: Port 1 not in PCIe mode, skipping
PCIe: Port 2 not in PCIe mode, skipping
Type the command 'usb start' to scan for USB storage devices.

mmc1(part 0) is current device

MMC read: dev # 1, address # a80000, count 524288 ... 1024 blocks read: OK
Verifying CRC for settings area... Done

USB0:   Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
USB1:   Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found

Trying to load image (fw1*.img) from USB flash drive using FAT FS
reading fw1*.img
Found image file: fw1_ind_vr77_990172605_20_81.img
525074432 bytes read in 31182 ms (16.1 MiB/s)
get_loadaddr_free: No free memory found 525074432 >= 209715200
Could not get free memory addresses

Image CRC verification failed!

ERROR: Install/Update Image from USB failed.
Enabling network ports...
Net:   Enabling SMI interface mdio-octeon0
Enabling SMI interface mdio-octeon1
*******initialize 88E6350R**********
octeth0, octeth1, octrgmii0 [PRIME]
Done.
Press any key to continue...
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Strange filename - i have used fw1_ind_dep_R77_990172605_20.img sucessfully.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Newest Version is available from R77.20.81 for Small and Medium Business Appliances  - Effective Feb 4 20201: Build 990172611 for R77.20.81 image has been released for 1200R appliances with 1 fix: SMB-14401

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vitaly_86
Explorer

We've tried a bunch of img already. the result is always the same.
TAC has now proposed the following solution:
Since your using old firmware, you will have to follow the upgrade path from - SK120512

So according to your appliance, you'll first need to upgrade to R77.20.31 from SK111656

Can we try to upgrade the appliance from CLI?
Manual Firmware upgrade from CLI
• Copy the image to / storage directory (using WinSCP)
• Run (from Expert mode): upgrade_revert_image.sh / storage /% FILENAME% upgrade safe

TOTAL:
[Expert @ Gateway-ID-7F994B4A] # upgrade_revert_image.sh /storage/fw1_ind_dep_R77_990170952_20.gz upgrade safe
2021-May-21-10: 34: 38 - Running Connectivity Validations.
2021-May-21-10: 34: 38 - SIC Connection Error

Show upgrade-log:
2021-May-21-10: 35: 43: Error: Cannot import settings from the old image (2)
2021-May-21-10: 35: 43: Executing command: '/ bin / sync'
2021-May-21-10: 35: 43: Executing command: '/ bin / umount / mnt / inactive'
umount: cannot umount / mnt / inactive: Device or resource busy
2021-May-21-10: 35: 43: Executing command: '/opt/fw1/bin/cp_write_syslog.sh -p er r [System Operations] Failed to upgrade the appliance software version'
2021-May-21-10: 35: 43: Executing command: '/ bin / rm -rf / fwtmp / upgradeRevertInPro gress'
2021-May-21-10: 35: 43: Exiting with error code -1.

0 Kudos
PhoneBoy
Admin
Admin

What happens if you try to upgrade to R77.20.31 first as noted in the sk?

0 Kudos
Vitaly_86
Explorer

I tried to upgrade to R77.20.31. Above is just the log for this update.

0 Kudos
PhoneBoy
Admin
Admin

It's possible this will require an RMA to resolve.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events