Juniper SSG Series Update Tech

Uploaded by alfie

Technical Document

1. Topic

Updating and installing ScreenOS on a Juniper SSG-140-SB


2. ScreenOS update procedure
1. First download from the Juniper website the new image key (the new certificate, imagekey.cer), the boot loader, and the latest stable ScreenOS release.
2. Load the three files in this order: new image key, then the boot loader (boot-loader/CLI method only), then ScreenOS. The image key must go first: a device still holding the old key rejects images signed with the new one.
(1) Update via the WebUI (Ethernet cable to the e0/0 port)
In the WebUI go to Configuration > Update > ScreenOS/Keys, select Image Signature Key Update, browse to the new image key file and load it. After the new image key has loaded successfully, return to Configuration > Update > ScreenOS/Keys, select Firmware Update (ScreenOS), browse to the ScreenOS image you downloaded and click Apply. On success the device reboots; after the reboot, check the system version on the home page to confirm that the upgrade took.
(2) Update via the CLI
Have a TFTP server ready, connect to the device's console port and to e0/0, and put the three files in the TFTP root directory. Log in to the device and enter (the TFTP server in this case is 192.168.1.222):
save image-key tftp 192.168.1.222 new-imagekey.cer
Check that the new image key is present with exec pki test skey (the key dump should now start with 308201ad), then reboot with reset.
When the console prints, several times,
Hit any key to run loader
press any key to enter the loader prompts:
Serial Number [0064042006003887]: READ ONLY
HW Version Number [1010]: READ ONLY
Self MAC Address [0014-f695-75e0]: READ ONLY
Boot File Name [ssg140.6.2.0r18.0]: Loadssg140v325.d //enter your boot loader file name
Self IP Address [192.168.1.1]: 192.168.1.1 //IP address the loader uses on the firewall's trust (e0/0) interface
TFTP IP Address [192.168.1.254]: 192.168.1.222 //your PC's IP address, i.e. the TFTP server
The loader then fetches Loadssg140v325.d; on success it prints Loaded Successfully!
Reboot the device; the new boot loader version is shown during boot.
Finally update ScreenOS. When the console again prints
Hit any key to run loader
press any key and enter:
Serial Number [0064042006003887]: READ ONLY
HW Version Number [1010]: READ ONLY
Self MAC Address [0014-f695-75e0]: READ ONLY
Boot File Name [ssg140.6.2.0r18.0]: ssg140.6.3.0r17.0 //enter your ScreenOS file name
Self IP Address [192.168.1.1]: (Enter)
TFTP IP Address [192.168.1.222]: (Enter)
When the transfer finishes you see Loaded Successfully! When the loader then asks Save to on-board flash disk?, answer y so that the image is written to flash rather than only run once from memory, and answer y to Run downloaded system image? (see KB5519 for the boot/diag prompts).
After the device boots, check the system version and the boot loader version on the device with get system.

3. Problems encountered in this case
1. Problems met with the three update methods.
(1) Problem in the WebUI: we went straight to Configuration > Update > ScreenOS/Keys, selected Upgrading ScreenOS, and an error appeared.

Repeated several times, the error still appeared; restarting the device, powering it off and on again, did not fix it either.
I suspected a system version problem and assumed releases could not be skipped, so we went back to the website and downloaded the highest release of the same branch as the device and the lowest release of the next branch up; that got nowhere, so we switched to updating from the CLI.
2. Problems in the CLI.
(1) First, with the device starting up, we entered the boot loader and loaded the system image directly; checking afterwards, the version had not been updated.
(2) Then, after the device had booted, we logged in and used
save software from tftp 192.168.1.222 ssg140.6.3.0r17.0 to flash
which at the last step produced
Invalid image !!! and Bogus image - not authenticated!!!
Only then did we realise it was an authentication problem.
4. Broader lesson
From this SSG-140-SB update I learned that, for images released after 18 August 2014 (which Juniper signs with the new image key; see TSB16495 below), the boot loader and the new certificate must be updated first; without the new certificate, ScreenOS cannot be installed.
From this case, every update of the Juniper SSG series, and any fault that is not hardware, can be resolved this way, for example an indicator light staying on and the system being unreachable: load the certificate first, then reload a new system image. As long as it is not a hardware problem, it can be fixed.

How To: Upgrade Bootloader on SSG-5, SSG-20, and SSG-140

[KB10949]

SUMMARY:
How To: Upgrade via Boot/Diag mode
PROBLEM OR GOAL:
Environment:
- Upgrade using the console
- Upgrade on boot up
- Firewall has a direct connection to a TFTP server
- Bootloader to be upgraded to is on the TFTP server
- Bootloader upgrade is highly recommended when upgrading to ScreenOS 6.1.0
Symptoms & Errors:
- Upgrade via TFTP
SOLUTION:
Before upgrading the bootloader on a firewall device, ensure that the following has been established:
- A console cable has been connected to a COM serial port on the PC and to the console port on the firewall device. For assistance, consult: Accessing the Command Line Interface via the Console Port on Your NetScreen, SSG, or ISG Firewall device
- A terminal program (HyperTerminal or equivalent) is present
- A TFTP server is available on the local segment of the firewall
- The bootloader image is stored on the TFTP server

To upgrade the bootloader image on the SSG device via Boot/Diag mode:
1. Connect the console from your PC to the firewall device

2. Start the Terminal Program and reset or power up the firewall device.

3. Interrupt the boot-up sequence when you see 'Hit any key to run loader' by pressing any key.
Example:
Juniper Networks SSG5-ISDN Boot Loader Version 1.2.4 (Checksum: 9AECEADD)
Copyright (c) 1997-2006 Juniper Networks, Inc.

Total physical memory: 256MB


Test - Pass
Initialization - Done

Hit any key to run loader

4. The Boot / Diag Menu should be displayed. Enter the following information when prompted:

o Self IP address - enter an IP address that is on the same subnet as the TFTP server
o TFTP IP address -enter the IP address of the TFTP server
o Boot File name - enter the file name of the bootloader to be upgraded to.
Example:
Serial Number [0169012006000005]: READ ONLY
HW Version Number [1010]: READ ONLY
Self MAC Address [0012-1ebe-51c0]: READ ONLY
Boot File Name [Loadssg5ssg20v124.d]: Loadssg5ssg20v132.d
Self IP Address [192.168.10.1]:
TFTP IP Address [192.168.10.12]:
5. After entering the information, the system displays information similar to the following:

Loading file "Loadssg5ssg20v132.d"...

>
rtatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
atatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatatat
(snip)

These characters indicate that the software load is in progress; they continue for a few pages.

6. After receiving the Loaded successful message, respond N to the message Save to on-board flash.
When prompted to run downloaded system image, answer Y.
Loaded successfully! (size = 407,770 bytes)
Ignore image authentication!
Save to on-board flash disk? (y/[n]/m) No!
Run downloaded system image? ([y]/n) Yes!
If you inadvertently responded Yes to Save to on-board flash, then continue onto step 7, but make sure
you perform the note in step 8.

7. The boot loader update utility will now run. Don't power off or interrupt the process; doing so may render the system non-bootable.
*****************************************************************
*                                                               *
*           SSG5/SSG20 BOOT LOADER UPDATE UTILITY               *
*           =====================================               *
*           (c)1997-2006 Juniper Networks, Inc.                 *
*           All Rights Reserved                                 *
*                                                               *
*           ----------------------------------------------      *
*           Boot Loader Version: 1.3.2                          *
*           Date : 05/26/2006                                   *
*                                                               *
*           !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!      *
*           !                                            !      *
*           ! Please don't power off during update.      !      *
*           ! Otherwise, the system can not boot again.  !      *
*           !                                            !      *
*           !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!      *
*                                                               *
*           *** DON'T POWER OFF DURING BOOT LOADER UPDATE ***   *
*           *** DON'T POWER OFF DURING BOOT LOADER UPDATE ***   *
*           *** DON'T POWER OFF DURING BOOT LOADER UPDATE ***   *
*                                                               *
*****************************************************************

Check on-board Boot Loader... Update needed!

Are you sure you want to update Boot Loader? (y/n)

Read product information of on-board boot flash device:


Manufacturer ID = 1f
Device ID = 13
Additional Device ID = 10

Boot flash device is AT49LV040B

Erase on-board boot flash device.......... Done

Update Boot Loader.......................................................... Done

Verify Boot Loader... Done

Boot Loader has been updated successfully!

Please hit any key to reboot the system...


8. Hit any key to reboot the system. It will now boot with the new bootloader and then boot the ScreenOS image. If you get the ScreenOS login prompt, you may now upgrade ScreenOS to 6.1.0.

If you do not get the ScreenOS login prompt, most likely you answered Y when prompted to save the bootloader to on-board flash in step 6, so the firewall rebooted without a ScreenOS image to boot and dropped into boot/diag mode. If this happens, upgrade to ScreenOS 6.1.0 via boot/diag mode: KB5519 - How To: Upgrade ScreenOS Software via Boot/Diag mode

How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware

[TSB16495]

ALERT TYPE:
PSN - Product Support Notification
PRODUCT AFFECTED:
ISG Series, NetScreen Series, and SSG Series
ALERT DESCRIPTION:
As of August 18, 2014, all Boot Loaders and ScreenOS Firmwares downloaded from the Juniper
Networks Software Download Site are signed with the New Image Authentication Certificate. If you have
any questions on why the Image Authentication Certificate is changed, please refer to TSB16496.

ScreenOS includes the ability to determine the authenticity of binary images provided by Juniper
Networks. An image (also known as “firmware”) authentication signature has been incorporated into
each ScreenOS build since version 2.6.1r1. When the ScreenOS authentication certificate (also known
as “image key” or “imagekey.cer”) has been loaded beforehand onto a Juniper Networks firewall or VPN
device (ISG Series, NetScreen Series, and SSG Series), each time the device is rebooted, ScreenOS
will validate the authenticity of the image saved in flash. If the validation fails, the device will not load the
image. The same logic is applied to ScreenOS firmware upgrade/downgrade. If the image cannot be
validated by the installed image key, the upgrade/downgrade will fail.

Validating the authenticity of an image enhances security and stability. When this feature is enabled,
ScreenOS rejects illegitimate or damaged images before they will be booted onto the device, forcing the
system administrator to save an authentic software image in the device before it will boot, and thereby
protecting the device against unsafe and potentially unstable software.

SOLUTION:

Validating the Image Authentication Certificate

It is important to verify the integrity of the image key itself before loading it onto the Juniper Networks security device. Confirm it by comparing the checksum of the imagekey.cer file with the values below, using a tool such as md5sum, sha1sum, or sha256sum on Unix/Linux.

New Image Key (download)


Note: The download is a .zip archive; decompress it before use and before the integrity check (the checksums below are of imagekey.cer, not of the .zip).
$ md5sum imagekey.cer
99def4b80b75ed65aad52a5fc3ed1131  imagekey.cer

$ sha1sum imagekey.cer
06c3c15b88de548b18814d4389d18a20f65a5845  imagekey.cer

$ sha256sum imagekey.cer
02b107f0679bc5d5aa0ab49be52043bb31f2a010a980573c53dc3fc815e1d7f3  imagekey.cer

Old Image Key (download)


Note: The download is a .zip archive; decompress it before use and before the integrity check (the checksums below are of imagekey.cer, not of the .zip).
$ md5sum imagekey.cer
ccfcd027e20c9cc38b5d8dac17c7199f  imagekey.cer

$ sha1sum imagekey.cer
2af0d97abbb58821650445cd517050fd0cfa2684  imagekey.cer

$ sha256sum imagekey.cer
bab2f722cbba13a73d9af4c17af9c34d62ac71b4c9e8bbb9bac5df1fdceb0261  imagekey.cer
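The checksum comparison above, as an added example that is not part of the TSB and not Juniper's code: a Python script that opens the downloaded imagekey.zip, hashes the decompressed imagekey.cer with all three algorithms and reports whether it matches the published new-key or old-key digests. It requires all three digests to agree with the same row, since MD5 and SHA-1 on their own are collision-weak. The digest table is copied from the TSB text above; the .zip used when no file is given is a constructed placeholder, not the real key.

```python
"""Verify a downloaded imagekey.zip against the digests published in TSB16495.

Added example, not Juniper's code. The digest table is copied from the TSB text.
"""
import hashlib
import io
import sys
import zipfile

# Published digests of the decompressed imagekey.cer (from TSB16495).
PUBLISHED = {
    "new": {
        "md5": "99def4b80b75ed65aad52a5fc3ed1131",
        "sha1": "06c3c15b88de548b18814d4389d18a20f65a5845",
        "sha256": "02b107f0679bc5d5aa0ab49be52043bb31f2a010a980573c53dc3fc815e1d7f3",
    },
    "old": {
        "md5": "ccfcd027e20c9cc38b5d8dac17c7199f",
        "sha1": "2af0d97abbb58821650445cd517050fd0cfa2684",
        "sha256": "bab2f722cbba13a73d9af4c17af9c34d62ac71b4c9e8bbb9bac5df1fdceb0261",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """md5/sha1/sha256 of the bytes as lowercase hex, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def classify_digests(found: dict) -> str:
    """'new', 'old' or 'unknown'. All three digests must match the same row:
    MD5 and SHA-1 are collision-weak, so a match on one of them alone is not trusted."""
    for label, want in PUBLISHED.items():
        if all(found.get(alg) == want[alg] for alg in ALGORITHMS):
            return label
    return "unknown"


def classify_imagekey_zip(zip_bytes: bytes, member: str = "imagekey.cer") -> str:
    """Hash the decompressed certificate, not the .zip wrapper: the TSB checksums are of imagekey.cer."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if member not in zf.namelist():
            raise ValueError(f"{member} not found in archive; members: {zf.namelist()}")
        return classify_digests(digests(zf.read(member)))


def constructed_zip(member: str, data: bytes) -> bytes:
    """Build an in-memory .zip for the usage example; its content is a placeholder, not a real key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 check_imagekey.py imagekey.zip
        with open(sys.argv[1], "rb") as f:
            payload = f.read()
    else:                                       # no file given: run against the constructed placeholder
        payload = constructed_zip("imagekey.cer", b"placeholder, not a real certificate\n")
    verdict = classify_imagekey_zip(payload)
    print(f"imagekey.cer matches: {verdict}")
    if verdict != "new":
        sys.exit(1)                             # refuse to proceed unless it is the new key
```

Run it against the real download as `python3 check_imagekey.py imagekey.zip`; a non-zero exit means the certificate is not the new key and must not be loaded with save image-key.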

Validating the Boot Loader and the ScreenOS Firmware

There are no code or content changes in the newly released boot loaders and ScreenOS firmwares; the files are simply re-signed with the new image key, so the version numbers are the same as before.

To tell whether the device still holds the old image key (and therefore is running ScreenOS signed with it), check the non-zero values of the image key with the hidden CLI command exec pki test skey; refer to 2. Checking the Installed Image Key. You can also compare file checksums against KB29296 - ScreenOS and Boot Loader Checksum Values Signed by Old and New Image Key.

Finally when you feel confident about the integrity of the new image key and know that the currently
running ScreenOS firmware is signed by the old image key, you can follow the below steps to install the
new image key, and boot loader/ScreenOS firmware that are signed with the new image key.

NOTE: If you manage ScreenOS devices using NSM, please refer to KB29456, which includes an
application note -Upgrading ScreenOS through NSM (supplement of TSB16495).
1. Saving the Configuration

Before proceeding with the following steps, back up the configuration; you can do this through either the WebUI or the CLI.

On the WebUI, navigate to Configuration > Update > Config File > click "Save to File"

On the CLI, type save config to tftp <IP address of TFTP server> <config filename>

For example,
SSG550-> save config to tftp 172.22.152.251 ssg550_config_backup
Read the current config.
Save configurations (3064 bytes) to ssg550_config_backup on
TFTP server 172.22.152.251.
!!!!!!!!!!!!!!
tftp transferred records = 6
tftp success!

TFTP Succeeded

2. Checking the Installed Image Key

If an image key is already installed, you will see output similar to the below (non-zero values). If the
output shows all zero (0), then there is no installed image key.

NOTE: The device cannot store more than one image key. When you install the new image key, it
overwrites the previous key. The installation status of the image key can be checked through hidden
CLI exec pki test skey command only.

SSG550-> exec pki test skey

(snip)

KEY1 N/A len =432

308201ac02010002818100fd7f53811d75122952df4a9c2eece
4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b
magic2=0
KEY2 N/A len =432

308201ac02010002818100fd7f53811d75122952df4a9c2eece
4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b
magic2=0

KEY3 N/A len =432

308201ac02010002818100fd7f53811d75122952df4a9c2eece
4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b
magic2=0

NOTE: The non-zero values above indicate the old image key (starting 308201ac...). To update to the new key, go to step 3. Updating the Image Key. The new image key's values start with 308201ad... If the new image key is already installed, go to step 4. Upgrading ScreenOS.

The following example shows that an image key is not installed (all zero values).

SSG550-> exec pki test skey

(snip)

KEY1 N/A len =0

00000000000000000000000000000000000000000000000000
00000000000000000000000000000000 magic1 = f7e9294b
magic2=dead1234

KEY2 N/A len =0

00000000000000000000000000000000000000000000000000
00000000000000000000000000000000 magic1 = f7e9294b
magic2=dead1234

KEY3 N/A len =0

00000000000000000000000000000000000000000000000000
00000000000000000000000000000000 magic1 = f7e9294b
magic2=dead1234
NOTE: If no image key is installed and you do not want to authenticate the boot loader (for ISG Series
and NetScreen Series only) and ScreenOS in future, skip Step 3. Updating the Image Key.
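Both the SSG-140 notes at the top of this page and steps 2 and 3 of this TSB rely on reading the exec pki test skey dump by eye. The following added example (not Juniper's code) parses that dump and reports which key is installed: no key (so image authentication is skipped), the old key (308201ac...) or the new key (308201ad...). The sample dump it runs on is constructed in the layout the TSB shows, not captured from a device; the prefix rule, the len values and the magic1 value come from the TSB output above. The DER reading of the prefix (0x30 = SEQUENCE, 0x82 = two length bytes follow) is a standard ASN.1 fact and is used to cross-check the reported len: 0x01ac + 4 header bytes = 432 and 0x01ad + 4 = 433, exactly the two lengths the TSB prints.

```python
"""Classify the image key a ScreenOS device reports via `exec pki test skey`.

Added example, not Juniper's code. Rule from TSB16495: len =0 / all-zero dump = no key
(image authentication skipped), 308201ac... = old key, 308201ad... = new key.
"""
import re
import sys

OLD_PREFIX = "308201ac"   # DER: 30 = SEQUENCE, 82 = two length bytes, 01ac = 428 -> 432 with header
NEW_PREFIX = "308201ad"   # 01ad = 429 -> 433 with header; matches "len =433" in the TSB output

KEY_HEADER = re.compile(r"^KEY(\d+)\s+\S+\s+len\s*=\s*(\d+)\s*$")
MAGIC = re.compile(r"(magic[12])\s*=\s*([0-9a-fA-F]+)")
HEX_RUN = re.compile(r"^[0-9a-fA-F]+$")

NEXT_STEP = {
    "none": "no key: images load with 'Ignore image authentication!'; install the new key (step 3) first",
    "old": "old key: install the new image key (step 3) before loading firmware signed with it",
    "new": "new key: go to step 4 (ScreenOS upgrade)",
}


def der_total_length(hexdata: str):
    """Header + payload length of a '30 82 LL LL' DER SEQUENCE, or None if the prefix is not that shape."""
    if len(hexdata) < 8 or hexdata[:4] != "3082":
        return None
    return 4 + int(hexdata[4:8], 16)


def parse_skey(text: str) -> list:
    """One dict per KEYn slot: slot, length, hex (hex lines concatenated), magic1, magic2."""
    slots, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_HEADER.match(line)
        if m:
            cur = {"slot": int(m.group(1)), "length": int(m.group(2)),
                   "hex": "", "magic1": None, "magic2": None}
            slots.append(cur)
            continue
        if cur is None or not line:
            continue
        for name, value in MAGIC.findall(line):
            cur[name] = value.lower()
        head = line.split("magic", 1)[0].strip()     # key bytes may share a line with "magic1 = ..."
        if head and HEX_RUN.match(head):
            cur["hex"] += head.lower()
    return slots


def classify_slot(slot: dict) -> str:
    h = slot["hex"]
    if slot["length"] == 0 or not h.strip("0"):
        return "none"
    if h.startswith(NEW_PREFIX):
        return "new"
    if h.startswith(OLD_PREFIX):
        return "old"
    return "unrecognized"


def classify(text: str) -> str:
    """'none', 'old', 'new', 'unrecognized', 'mixed' (slots disagree) or 'unparsed'."""
    slots = parse_skey(text)
    if not slots:
        return "unparsed"
    states = {classify_slot(s) for s in slots}
    if len(states) > 1:
        return "mixed"
    state = states.pop()
    # The reported len must equal the DER length in the dump; otherwise the dump is truncated or garbled.
    if state in ("old", "new") and any(der_total_length(s["hex"]) != s["length"] for s in slots):
        return "unrecognized"
    return state


# Constructed sample in the layout TSB16495 shows; not captured from a device.
OLD_HEX = ("308201ac02010002818100fd7f53811d75122952df4a9c2eece"
           "4e7f611b7523cef4400c31e3f80b651")
NEW_HEX = NEW_PREFIX + OLD_HEX[len(NEW_PREFIX):]
ZERO_HEX = "0" * len(OLD_HEX)


def constructed_dump(hexdata: str, length: int, magic2: str) -> str:
    slot = "KEY{n} N/A len ={length}\n\n{a}\n{b} magic1 = f7e9294b\nmagic2={magic2}\n\n"
    body = "".join(slot.format(n=n, length=length, a=hexdata[:51], b=hexdata[51:], magic2=magic2)
                   for n in (1, 2, 3))
    return "SSG550-> exec pki test skey\n\n(snip)\n\n" + body


if __name__ == "__main__":
    # Paste a real dump on stdin (python3 skey_check.py < dump.txt); otherwise the constructed old-key sample runs.
    text = sys.stdin.read() if not sys.stdin.isatty() else constructed_dump(OLD_HEX, 432, "0")
    state = classify(text)
    print(state, "->", NEXT_STEP.get(state, "read the dump by hand"))
```

The parser tolerates the line-wrapped form shown in this TSB as well as a dump where each key's hex is on one line; a "mixed" or "unrecognized" result means the dump should be re-captured and inspected by hand rather than acted on.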

3. Updating the Image Key

If WebUI access or a TFTP server is available, install the new image key through the WebUI or the CLI.

On the WebUI :
1. Download the new image key (imagekey.zip)
o New Image Key (download)
2. Save it to accessible local storage
3. Decompress downloaded .zip file
4. Login to the device.
5. Navigate to ''Configuration > Update > ScreenOS/Keys'' using the navigation tree on the left side of
the screen
6. Select the ''Image Signature Key Update'' radio button and click Browse
7. Navigate to the location where the saved decompressed imagekey.cer and click Open
8. Click Apply

On the CLI :
1. Download the new image key (imagekey.zip)
o New Image Key (download)
2. Decompress downloaded .zip file
3. Save decompressed imagekey.cer to TFTP server
4. Make a console, Telnet, or SSH connection to the Juniper Networks security device
5. Login to the device
6. Type save image-key tftp (IP address of tftp server) imagekey.cer command
For example,
SSG550-> save image-key tftp 172.22.152.251 new/imagekey.cer
Load file from TFTP 172.22.152.251 (file: new/imagekey.cer).
!!!!!
tftp received octets = 863
tftp success!
Done

TFTP Succeeded
If the image key is installed successfully, you will see output similar to the below (non-zero values, now starting 308201ad). If the output shows all zeros, the image key is not installed.

SSG550-> exec pki test skey

(snip)

KEY1 N/A len =433

308201ad02010002818100fd7f53811d75122952df4a9c2eece
4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b
magic2=0

KEY2 N/A len =433

308201ad02010002818100fd7f53811d75122952df4a9c2eece
4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b
magic2=0

KEY3 N/A len =433

308201ad02010002818100fd7f53811d75122952df4a9c2eece
4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b
magic2=0

If only CLI access is available and there is no TFTP server, you cannot install the new image key. In that case delete the installed old image key with the CLI command delete crypto auth-key and go to step 4. Upgrading ScreenOS. Be aware that with no key installed the device performs no image authentication at all (it prints "Ignore image authentication!" at boot), so install the new key as soon as a TFTP server is reachable.
The following example shows that no image key is available after deleting the image key.

SSG550-> delete crypto auth-key


SSG550-> exec pki test skey

(snip)

KEY1 N/A len =0

00000000000000000000000000000000000000000000000000
00000000000000000000000000000000 magic1 = f7e9294b
magic2=0

KEY2 N/A len =0

00000000000000000000000000000000000000000000000000
00000000000000000000000000000000 magic1 = f7e9294b
magic2=0

KEY3 N/A len =0

00000000000000000000000000000000000000000000000000
00000000000000000000000000000000 magic1 = f7e9294b
magic2=0

NOTE: Please do not execute CLI delete crypto file command. It will delete all crypto files in the device
that might be used for other services.

NOTE: You cannot delete image key through WebUI.

4. Upgrading ScreenOS

On ISG1000/2000, NS5200/NS5400 (boot loader upgrade is required):

In general you must have a console connection and a TFTP server reachable through the 'mgt' interface, because the device will prompt you to install a boot loader if it cannot authenticate the installed boot loader with the new image key. While the device boots, it checks the integrity of both the installed boot loader and the ScreenOS firmware. However, the special ScreenOS firmwares (6.3.0r17-dht1.0 and 6.2.0r18-crq1.0) include a new CLI command that updates the boot loader from the CLI via a TFTP server, without a console connection.

For more information of the special ScreenOS firmware, please refer to KB29456 - How to Upgrade
Bootloader (OS Loader) Without a Console Connection on ISG1000/2000 and NS5200/5400.

NOTE: If the old image key is deleted using CLI delete crypto auth-key command, the device skips
integrity check of the boot loader and ScreenOS firmware while boots up. You will see Ignore image
authentication! message on the console while the device boots up.
On the CLI :

1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Download the new bootloader signed with the new image key (MD5 and SHA1 checksums are linked from the original TSB):
- NetScreen 5200/5400: Load5000v104.d
- ISG 2000: Load2000v117.d
- ISG 1000: Load1000v103.d
3. Save files to TFTP server
4. Login to the device through the console port
5. Type the save software from tftp (IP address of TFTP server) (ScreenOS image filename) to flash command

For example,
ns5200-> save software from tftp 172.22.152.251 new/ns5000.6.3.0-M2A.r17.0 to flash
Load software from TFTP 172.22.152.251 (file: new/ns5000.6.3.0-M2A.r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)
tftp received octets = 13541072
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 15, cpu = 16, version = 18
update new flash image (04243150,13541072)
platform = 15, cpu = 16, version = 18
offset = 20, address = 4000000, size = 13540994
date = 71c0efb8, sw_version = 71c0efbc, cksum = c491f61c
Image authenticated!
Program flash (13541072 bytes) ...
++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++done
Done

5. Reboot the device with the reset command and install the boot loader that is signed with the new image key.

NOTE: While the device boots up, it will generate the following messages on the console to guide you to
install the boot loader that is signed by the new image key.

OS Loader File Name []: (type boot loader file name)


Self IP Address []: (TFTP client (device) IP address)
TFTP IP Address []: (TFTP server IP address)

For example,
ns5200-> reset
System reset, are you sure? y/[n] y
In reset ...

Juniper Networks NS-5000-II BootROM Version 1.0.0 (Checksum: FE499CCD)
Copyright (c) 1998-2004 Juniper Networks, Inc.

Total physical memory: 2048MB


Test - Pass
Initialization................ Done

Hit key 'X' and 'A' sequentially to update OS Loader....

Loading OS Loader from on-board flash memory... ++++


Done!

********Invalid DSA signature    <- the installed boot loader (OS Loader) cannot be authenticated using the new image key
********Bogus image - not authenticated


OS Loader File Name [new/ns5000.6.3.0-M2A.r17.0]: new/Load5000v104.d    <- boot loader file signed with the new image key
Self IP Address [172.19.50.252]: 172.22.152.49
TFTP IP Address [172.19.50.129]: 172.22.152.251

Save loader config (56 bytes)... Done

Loading file "new/Load5000v104.d"...


(snip)
Loaded successfully! (size = 447,576 bytes)

Image authenticated!    <- boot loader is authenticated using the new image key

Program OS Loader to on-board flash memory... ++++


Done!

Start loading...
....................
Done.

Juniper Networks NS-5000-II OS Loader Version 1.0.4

Initialize FBTL 0.. Done

Hit any key to load new firmware


Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware

Loading default system image from on-board flash disk...


++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
Done! (size = 13,631,488 bytes)

Image authenticated!    <- ScreenOS firmware is authenticated using the new image key

Start loading...
(snip)
Done.
Configuring Imperial FPGA... Done

Juniper Networks, Inc


NS-5000 System Software
Copyright, 1997-2008

Version 6.3.0r17.0
(snip)

NOTE: After the device boots up successfully, you can check the version of the installed boot loader
through the CLI get system command, look for the value of “OS Loader Version”.

ns5200-> get system


Product Name: NetScreen-5200-II
Serial Number: 0040012001000011, Control Number: 00000000
Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r17.0, Type: Firewall+VPN
BOOT ROM Version: 1.0.0
OS Loader Version: 1.0.4

(snip)

On SSG 20/140/320M/350M/520/520M/550/550M :

It is not required to update the current boot loader because the integrity check of the boot loader is only
done during the installation of a boot loader. During boot-up of the device there is no integrity check
done for the boot loader using the image key. Therefore the existing boot loader on the SSG device will
keep working correctly after updating the image key on the device.

NOTE: If the old image key is deleted using CLI delete crypto auth-key command, the device skips the
integrity check of the ScreenOS firmware while the device boots up. You will see the Ignore image
authentication! message on the console while the device boots up.
On the WebUI :
1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Save it to accessible local storage.
3. Login to the device.
4. Navigate to ''Configuration > Update > ScreenOS/Keys'' using the navigation tree on the left side of
the screen.
5. Select the ''Firmware Update (ScreenOS)'' radio button and click Browse.
6. Navigate to the location where you saved the ScreenOS image and click Open.
7. Click Apply.

NOTE: If the device has the old image key and you try to install a ScreenOS firmware image that is
signed by the new image key, the installation process will stop because the ScreenOS firmware cannot
be authenticated using the old image key. You will see a pop-up window displaying “Firmware update
failed”. In this case, you need to either install the new image key prior to installing the new ScreenOS
firmware or delete the image key (refer to the above step 3. Updating the Image Key).

On the CLI :

1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Save it to accessible local storage.
3. Login to the device
4. Type the save software from tftp (IP address of TFTP server) (ScreenOS image filename) to flash command
SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash
Load software from TFTP 172.22.152.251 (file: new/ssg500.6.3.0r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)

tftp received octets = 11627247


tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
Program flash (11627247 bytes) ...

(snip)

5. After successful ScreenOS firmware installation, type reset command to reboot the device

NOTE: If the ScreenOS firmware is not successfully authenticated by the new image key during
installation, the error messages “Invalid image!!!” and “Bogus image - not authenticated!!!” will be
displayed. When the upgrade went successfully, on the next reboot the device will show ''Image
authenticated!''on the console.

SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...

(snip)

ScreenOS Saipanloader V1.0.7


Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloadermounting FAT16 partition


file size = 112
size = 112, sizeof(nvram_rec) = 112

Hit any key to load new firmware


Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware/$nsboot$.bin
file size = 11627247

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700,


hdr->cpu_type = 11

Image authenticated!

(snip)

NOTE: If the device has the old image key and you try to install ScreenOS firmware that is signed with
the new image key, the installation process will stop because the ScreenOS firmware cannot be
authenticated using the old image key. You will see output similar to the below. In this case, you need to
either install the new image key prior to installing the ScreenOS firmware or delete the image key (refer
to the above step 3. Updating the Image Key).

SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash
Load software from TFTP 172.22.152.251 (file: new/ssg500.6.3.0r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)
tftp received octets = 11627247
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
********Invalid image!!! ********Bogus image - not authenticated!!!

(snip)

NOTE: To install a boot loader signed with the new image key on the SSG Series, you must have a console connection and a TFTP server reachable through the interface the boot loader uses (usually 'eth0/0'), and you must interrupt the boot sequence manually by holding Shift and pressing 'X' then 'A' when the "Hit 'X' and 'A' to upgrade bootloader" message appears on the console.

After installing the new image key, type the CLI reset command to reboot the device, then hold Shift and press 'X' then 'A'.
SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...

(snip)

ScreenOS Saipanloader V1.0.7


Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloader <- Hold ‘Shift key’ and
hit ‘X’ and ‘A’ in sequence
Loader File Name:new/Loadssg500v107.d <- Bootloader
filename signed with the new image key
Self IP Address :172.22.152.35 <- TFTP client IP address
TFTP IP Address :172.22.152.251 <- TFTP server IP
address
IP MASK :255.255.255.0
Gateway IP Address :172.22.152.1

Saipan motherboard proto 3 or later detected


Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...

Initiating hardware and waiting for link up ...


self_ip = 172.22.152.35, tftp_server_ip = 172.22.152.251
ip = 172.22.152.35 mask = 255.255.255.0 gw = 172.22.152.1
svr = 172.22.152.251
network_ready = 1
new/Loadssg500v107.d

121078 bytes downloaded from tftp server


old img size = 121032, new img size = 121032, load =
121078, sig = 46
S
Image authenticated! <- Bootloader is authenticated using
the new image key
mounting FAT12 partition
file /boot2 size was 121079, new size is 121078
getting sector information
boot1 size = 512
boot2 size = 512
boot1_sector = 807, boot2_sector = 1051
offset = 512
[1052][1053][1054][1055][1056][1057][1058][1059][1060]
(snip)
[1286][1287][1288][1289][1290]
write boot2's start sector back at sector 1051
write mbr back at sector 0
mounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112
system rebooting... <- After successful bootloader installation,
the device will automatically try to reboot

(snip)

********Invalid DSA signature    <- the previously installed ScreenOS firmware is signed with the old image key, so the new image key cannot authenticate it and the device prompts you to install a ScreenOS firmware signed with the new image key
********Bogus image - not authenticated


mounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112
Serial Number []: READ ONLY
BOM Version Number []: READ ONLY
Self MAC Address [0000-0000-0000]: READ ONLY
ip = 1.1.1.1 svr = 1.1.1.2
self_ip_buf = 1.1.1.1, tftp_ip_buf = 1.1.1.2

Firmware File Name [old/ssg500.6.3.0r17.0]: new/ssg500.6.3.0r17.0    <- type the ScreenOS firmware filename signed with the new image key
Self IP Address [1.1.1.1]: 172.22.152.35    <- TFTP client IP address
TFTP IP Address [1.1.1.2]: 172.22.152.251    <- TFTP server IP address
IP MASK [255.255.255.0]:
Gateway IP Address [172.22.152.251]:

Save loader config (112 bytes)... Done

Saipan motherboard proto 3 or later detected


Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...


self_ip = 172.22.152.35, tftp_server_ip = 172.22.152.251
ip = 172.22.152.35 mask = 255.255.255.0 gw =
172.22.152.251 svr = 172.22.152.251
network_ready = 1
new/ssg500.6.3.0r17.0
offset = 0, maxposition = 11627247
11627247 bytes downloaded from tftp server

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700,


hdr->cpu_type = 11

Image authenticated! ← ScreenOS is authenticated

Save to on-board flash disk? (y/[n]/m) No    <- press 'n'
Run downloaded system image? ([y]/n) Yes    <- press 'y'

(snip)

System change state to Active(1)


login:

For additional information on the image key, boot loader, and ScreenOS installation, refer to the following references.

References

- ScreenOS Upgrade Guide
- ScreenOS Download
- Juniper Networks Certifications
- Online Help (Software and License Keys Update)
- KB29296 - ScreenOS and Boot Loader Checksum Values Signed by Old and New Image Key
- KB29456 - How to Upgrade Bootloader (OS Loader) Without a Console Connection on ISG1000/2000 and NS5200/5400 [including "Upgrading ScreenOS through NSM (supplement of TSB16495)"]
- KB8729 - Where can I download the Juniper Networks DSA Public Key (imagekey.cer) file (old image key), and how do I load/install the imagekey.cer file?
- KB19818 - Recommended Bootloader Version for ISG 1000 and ISG 2000
- KB9446 - How To Determine Version of Bootloader on ISG and NS-5000 devices
- KB3679 - Loading the OS boot loader on ISG1000/2000 and NS5200/5400
- KB10949 - Upgrade Bootloader on SSG-5, SSG-20, and SSG-140
- KB10976 - Upgrade Bootloader on firewall device (SSG Series)
- KB5519 - Upgrade ScreenOS Software via Boot/Diag mode
- KB11097 - Unable to upgrade bootloader on SSG-550/550M
- KB13797 - Can not upgrade software via bootloader method for SSG500 and SSG300 series
- KB23407 - Error when upgrading SSG140 to bootloader v.3.2.5 "On-board NAND flash not supported"
- KB11235 - The firewall cannot upgrade the boot loader image with ### invalid system image ###
- KB14136 - How to save and use multiple ScreenOS firmwares on firewall flash
- KB14321 - Unable to TFTP > 32 MB Data
- KB19550 - Devices that support the 'save boot' command
- KB14151 - Can the ScreenOS boot loader be downgraded
- KB11805 - How does SSG-140's multiboot feature work
- TSB14184 - Possible Flash Corruption Issue on SSG-520M and SSG-550M