Walls of Fire

Scott Sappenfield

The title of this post sounds a bit more alarming than it is, but then again, upgrading the firmware on something called a firewall can be a bit scary. At the very least, it’s not something you take that lightly. If you mess with the gatekeeper and it goes south, you have the potential to block off everyone from the outside world and vice versa (see the sophisticated, super complex diagram to the right) and you have to resort to other things like failover or “business continuity.” Who wants to do that? Not I.

Anyhow, I just did two SonicWALLs and it worked out just fine.

This was the topology.  Firewall A, the primary firewall was running the enhanced 5.6 SonicOS.  Firewall B, the backup, was running the same.  High availability was activated in this scenario.  That means, if A goes offline for any reason then B takes over.  Also, A was running with preempt mode enabled.  And that means, if B is currently active and A comes back online, then A will automatically take back ownership as the active firewall even if B was running just fine.

My mission was to take A and B from their current firmware version of 5.6 to 5.8, the latest generally available public release.  Here was the process.

Obtain the binary

Obtain the latest binary from the vendor.  That’s easy, SonicWALL customers can download it from a secure portal.  It’s available as a “.sig” file.  It’s normally in the 30+MB range, not big.

Validate the binary

Naturally, SonicWALL gives you the MD5 hash to compare your download against. Here it was: 093f3dd2e248bb0e8a99441794902271. If you need to calculate MD5, SHA1 or other hashes and you’re on Unix, no sweat, piece of cake. If you’re on Windows, again, no sweat, piece of cake. In fact, I went ahead and tested the one straight from the big guy Microsoft (fciv) and it seemed to work just fine. It would be a fun exercise to build one yourself in Ruby or something. For you Windows users, here’s how you’d run it against the downloaded .sig file.

>fciv sw_nsa-3500__eng_xxxxxxx.sig

You could even throw the hash in a XML file and compare a bunch of files using this program…something like this with a -verify option (or something close):

<?xml version="1.0" encoding="utf-8"?>
<FCIV>
    <FILE_ENTRY>
        <name>sw_nsa-3500__eng_5.8.1.8.sig</name>
        <MD5>093f3dd2e248bb0e8a99441794902271</MD5>
        <SHA1> </SHA1>
    </FILE_ENTRY>
</FCIV>
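Taking up the “build one yourself in Ruby” suggestion, here is an added example (not the author’s script, and not a reimplementation of how fciv itself stores its database): it reads a manifest laid out like the one above, hashes each listed file in chunks so a 30+ MB image is never loaded whole, and reports per file whether the download matches the vendor-published hash. The file names and the stand-in image contents in the demo are constructed, not real SonicOS images.

```ruby
require "digest/md5"
require "digest/sha1"
require "rexml/document"
require "tmpdir"

ALGOS = { "MD5" => Digest::MD5, "SHA1" => Digest::SHA1 }.freeze

# Hash a file in 1 MB chunks so a large firmware image is never read into memory whole.
def file_digest(path, algo)
  digest = ALGOS.fetch(algo).new
  File.open(path, "rb") do |f|
    while (chunk = f.read(1 << 20))
      digest.update(chunk)
    end
  end
  digest.hexdigest
end

# Parse an FCIV-style manifest: one <FILE_ENTRY> per file with <name>, <MD5>, <SHA1>.
# Blank elements (like the empty <SHA1> above) are skipped; hex is normalised to lowercase.
def load_manifest(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "/FCIV/FILE_ENTRY").each_with_object({}) do |entry, manifest|
    expected = ALGOS.keys.filter_map do |algo|
      node = entry.elements[algo]
      hex = node ? node.text.to_s.strip.downcase : ""
      [algo, hex] unless hex.empty?
    end.to_h
    manifest[entry.elements["name"].text.strip] = expected
  end
end

# Check every manifest entry under dir. Returns name => :ok | :mismatch | :missing | :unchecked.
# An entry with no hashes at all is :unchecked, so a forgotten hash never passes silently.
def verify(manifest, dir)
  manifest.to_h do |name, expected|
    path = File.join(dir, name)
    status = if !File.file?(path) then :missing
             elsif expected.empty? then :unchecked
             elsif expected.all? { |algo, hex| file_digest(path, algo) == hex } then :ok
             else :mismatch
             end
    [name, status]
  end
end

# Constructed demonstration: small stand-in files, not a real .sig image.
def demo
  Dir.mktmpdir do |dir|
    image = "constructed stand-in for a SonicOS firmware image\n"
    File.binwrite(File.join(dir, "good.sig"), image)
    File.binwrite(File.join(dir, "tampered.sig"), image + "x") # one byte appended
    md5 = Digest::MD5.hexdigest(image)
    xml = <<~XML
      <?xml version="1.0" encoding="utf-8"?>
      <FCIV>
        <FILE_ENTRY><name>good.sig</name><MD5>#{md5}</MD5><SHA1> </SHA1></FILE_ENTRY>
        <FILE_ENTRY><name>tampered.sig</name><MD5>#{md5}</MD5></FILE_ENTRY>
        <FILE_ENTRY><name>missing.sig</name><MD5>#{md5}</MD5></FILE_ENTRY>
      </FCIV>
    XML
    verify(load_manifest(xml), dir)
  end
end

p demo if $PROGRAM_NAME == __FILE__
```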

Upgrade the appliance

Anyhow, here was the actual firewall part.  Login to the appliance, navigate to the Settings tab (SonicWALL has a pretty nice GUI).

1. Click Upload New Firmware, locate your .sig file, upload it and wait for it to finish. You will get a message asking if it’s ok to upgrade both A and B since high availability is turned on.

2. Once that’s complete, click Boot next to your new firmware.  Of course, you want to boot with the new firmware you just uploaded with current settings, unless you want default factory settings in which case you can choose that option to boot.

B will update and reboot, followed by A.  During the time A updates and reboots, B will become primary and active.  Once A finishes, it will take over (remember preempt mode).  That’s it.  No interruption of business during the process.

Verify, verify, verify and also test, test, test

This is where you want to spend considerable time verifying that all your security settings and the rest of the configuration are as they should be.

You’re done.  SonicWALL makes it pretty easy.
