After updating the image key on a Juniper SSG 520M, the system will not boot and prompts for recovery via TFTP. I followed the steps and tried several OS files, but still cannot get into the system, as shown below:

[Attachments: 1.png (35.77 KB), 2.png (49.1 KB), posted 2017-12-18 16:40]




This post was last edited by 小侠唐在飞 on 2017-12-29 11:43
@小侠唐在飞 Master, could you give some advice?~



All machines manufactured after 2014-08-18 need the boot loader updated and the new certificate; without updating the certificate, ScreenOS cannot be installed.
All updates on the Juniper SSG series, and all faults that are not hardware failures, can be fixed, for example a status light stuck on and the device not booting into the system. Import the certificate first, then reload a new version of the system; as long as it is not a hardware problem, it can be fixed.

1. If the system is dead, which version were you on originally? This is important.
The key point is the certificate!!
If the certificate has not been upgraded, or has a problem, you can only restore the system with the old version first,
then upgrade.


2. Certificate, loader and firmware: the three must match.
With the old certificate, a new version will not install!!!


First get a version below 6.1 and try it.

Then upgrade to 6.3.



[Network teaching video courses produced by 大侠唐在飞]
Heroes rise from every age, and the years in the jianghu press on. The “小侠唐在飞” of yesteryear has become today's “大侠唐在飞”. ♫ Gold cups and silver cups are worth less than the word of mouth of netizens; gold awards and silver awards, less than their praise; bear paws and duck feet, less than their applause~
☺ Welcome to join the “唐志强技术教学交流群” (Tang Zhiqiang technical teaching exchange group), group number: 67182271. ♥ [Voting for 51CTO's most popular lecturer is open. Find 大侠唐在飞 and cast a vote; one vote per day]

How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware

[TSB16495]

ALERT TYPE:

PSN - Product Support Notification

PRODUCT AFFECTED:

ISG Series, NetScreen Series, and SSG Series

ALERT DESCRIPTION:

As of August 18, 2014, all Boot Loaders and ScreenOS Firmwares downloaded from the Juniper Networks Software Download Site are signed with the New Image Authentication Certificate. If you have any questions on why the Image Authentication Certificate is changed, please refer to TSB16496.


ScreenOS includes the ability to determine the authenticity of binary images provided by Juniper Networks. An image (also known as “firmware”) authentication signature has been incorporated into each ScreenOS build since version 2.6.1r1. When the ScreenOS authentication certificate (also known as “image key” or “imagekey.cer”) has been loaded beforehand onto a Juniper Networks firewall or VPN device (ISG Series, NetScreen Series, and SSG Series), each time the device is rebooted, ScreenOS will validate the authenticity of the image saved in flash. If the validation fails, the device will not load the image. The same logic is applied to ScreenOS firmware upgrade/downgrade. If the image cannot be validated by the installed image key, the upgrade/downgrade will fail.

Validating the authenticity of an image enhances security and stability. When this feature is enabled, ScreenOS rejects illegitimate or damaged images before they will be booted onto the device, forcing the system administrator to save an authentic software image in the device before it will boot, and thereby protecting the device against unsafe and potentially unstable software.


SOLUTION:

Validating the Image Authentication Certificate

It is important to ensure the integrity of the image key itself before you load it on the Juniper Networks security device. You can confirm the image key’s integrity by comparing the checksum of the imagekey.cer certificate file to the value below. A tool such as md5sum, sha1sum, or sha256sum for Unix/Linux can be used.

New Image Key (download)

Note: Image is in .zip compressed format and requires decompression for use and image integrity check

$ md5sum imagekey.cer
99def4b80b75ed65aad52a5fc3ed1131  imagekey.cer

$ sha1sum imagekey.cer
06c3c15b88de548b18814d4389d18a20f65a5845  imagekey.cer

$ sha256sum imagekey.cer
02b107f0679bc5d5aa0ab49be52043bb31f2a010a980573c53dc3fc815e1d7f3  imagekey.cer

Old Image Key (download)

Note: Image is in .zip compressed format and requires decompression for use and image integrity check

$ md5sum imagekey.cer
ccfcd027e20c9cc38b5d8dac17c7199f  imagekey.cer

$ sha1sum imagekey.cer
2af0d97abbb58821650445cd517050fd0cfa2684  imagekey.cer

$ sha256sum imagekey.cer
bab2f722cbba13a73d9af4c17af9c34d62ac71b4c9e8bbb9bac5df1fdceb0261  imagekey.cer


Validating the Boot Loader and the ScreenOS Firmware

There are no code or content changes in the newly released boot loaders and ScreenOS firmwares; these files are signed with the new image key only. Therefore, the version numbers are the same as before.

In order to distinguish whether the device is running old ScreenOS firmware that is signed with the old image key, you can check the non-zero values of the image key using the hidden CLI command exec pki test skey. Refer to 2. Checking the Installed Image Key. Also you can refer to KB29296 - ScreenOS and Boot Loader Checksum Values Signed by Old and New Image Key.

Finally, when you feel confident about the integrity of the new image key and know that the currently running ScreenOS firmware is signed by the old image key, you can follow the steps below to install the new image key, and the boot loader/ScreenOS firmware that are signed with the new image key.

NOTE: If you manage ScreenOS devices using NSM, please refer to KB29456, which includes an application note - Upgrading ScreenOS through NSM (supplement of TSB16495).

1. Saving the Configuration

Before you proceed with the following steps, please make sure to back up the configuration; you can do it through either the WebUI or the CLI.

On the WebUI, navigate to Configuration > Update > Config File > click "Save to File"

On the CLI, type
save config to tftp <IP address of TFTP server> <config filename>

For example,

SSG550-> save config to tftp 172.22.152.251 ssg550_config_backup
Read the current config.
Save configurations (3064 bytes) to ssg550_config_backup on TFTP server 172.22.152.251.
!!!!!!!!!!!!!!
tftp transferred records = 6
tftp success!

TFTP Succeeded



2. Checking the Installed Image Key

If an image key is already installed, you will see output similar to the below (non-zero values). If the output shows all zero (0), then there is no installed image key.

NOTE: The device cannot store more than one image key. When you install the new image key, it overwrites the previous key. The installation status of the image key can be checked through the hidden CLI command exec pki test skey only.

SSG550-> exec pki test skey

(snip)

KEY1  N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY2  N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY3  N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0

NOTE: The above non-zero values indicate the old image key (308201ac ....). If you wish to update the image key to the new key, then go to the next step, 3. Updating the Image Key. The new image key’s values start with (308201ad....) reading from left to right. If the new image key is installed already, then go to step 4. Upgrading ScreenOS.

The following example shows that an image key is not installed (all zero values).

SSG550-> exec pki test skey

(snip)

KEY1  N/A len =0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
KEY2  N/A len =0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
KEY3  N/A len =0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234

NOTE: If no image key is installed and you do not want to authenticate the boot loader (for ISG Series and NetScreen Series only) and ScreenOS in future, skip Step 3. Updating the Image Key.

3. Updating the Image Key

If WebUI access or a TFTP server is available, you can install the new image key through the WebUI or the CLI.

On the WebUI:

1. Download the new image key (imagekey.zip)
   o New Image Key (download)
2. Save it to accessible local storage
3. Decompress the downloaded .zip file
4. Log in to the device.
5. Navigate to ''Configuration > Update > ScreenOS/Keys'' using the navigation tree on the left side of the screen
6. Select the ''Image Signature Key Update'' radio button and click Browse
7. Navigate to the location of the saved decompressed imagekey.cer and click Open
8. Click Apply

On the CLI:

1. Download the new image key (imagekey.zip)
   o New Image Key (download)
2. Decompress the downloaded .zip file
3. Save the decompressed imagekey.cer to the TFTP server
4. Make a console, Telnet, or SSH connection to the Juniper Networks security device
5. Log in to the device
6. Type the save image-key tftp (IP address of tftp server) imagekey.cer command

For example,

SSG550-> save image-key tftp 172.22.152.251 new/imagekey.cer
Load file from TFTP 172.22.152.251 (file: new/imagekey.cer).
!!!!!
tftp received octets = 863
tftp success!
Done

TFTP Succeeded



If the image key is installed successfully, you will see output similar to the below (non-zero values). If the output shows all zero (0), then the image key is not installed.

SSG550-> exec pki test skey

(snip)

KEY1  N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY2  N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
KEY3  N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0

If only CLI access is available without a TFTP server, you cannot install the new image key; in that case delete the installed old image key using the CLI command delete crypto auth-key and go to the next step, 4. Upgrading ScreenOS.
The following example shows that no image key is available after deleting the image key.

SSG550-> delete crypto auth-key
SSG550-> exec pki test skey

(snip)

KEY1  N/A len =0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0
KEY2  N/A len =0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0
KEY3  N/A len =0
0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0

NOTE: Please do not execute the CLI command delete crypto file. It will delete all crypto files in the device that might be used for other services.

NOTE: You cannot delete the image key through the WebUI.


4. Upgrading ScreenOS

On ISG1000/2000, NS5200/NS5400 (boot loader upgrade is required):

In general you must have a console connection and a TFTP server that is reachable through the ‘mgt’ interface, because the device will prompt you to install a boot loader if it cannot authenticate the installed boot loader using the new image key. While the device boots up, it checks the integrity of the installed boot loader and ScreenOS firmware. However, the special ScreenOS firmwares (6.3.0r17-dht1.0 and 6.2.0r18-crq1.0) include a new CLI command to update the boot loader on the CLI, via TFTP server, without a console connection.

For more information on the special ScreenOS firmware, please refer to KB29456 - How to Upgrade Bootloader (OS Loader) Without a Console Connection on ISG1000/2000 and NS5200/5400.

NOTE: If the old image key is deleted using the CLI command delete crypto auth-key, the device skips the integrity check of the boot loader and ScreenOS firmware while booting up. You will see the "Ignore image authentication!" message on the console while the device boots up.





Quote:
Originally posted by 小侠唐在飞 on 2017-12-19 20:51
All machines manufactured after 2014-08-18 need the boot loader updated and the new certificate; without updating the certificate, ScreenOS cannot be installed.
All updates on the Juniper SSG series, and all faults that are not hardware failures, can be fixed, for example a status light stuck on and the device not booting into the system. Import the certificate first, then ...
Thank you very much! I'll try it first!



After re-updating the OS, I cannot get into the web UI: IE does not display the left pane, and Google (Chrome) cannot open it, as shown below. Is this related to the Image Key?

[Attachments: 4444.jpg (65.58 KB), 5555.jpg (28.72 KB), 6666.jpg (13.54 KB), posted 2017-12-25 11:31]




Quote:
Originally posted by stk99999 on 2017-12-25 11:31
After re-updating the OS, I cannot get into the web UI: IE does not display the left pane, and Google (Chrome) cannot open it, as shown below. Is this related to the Image Key?
Simple. Change the IE version, or use Firefox or Chrome.
It has nothing to do with the key.
The key is used to authenticate whether the firmware is genuine.



Also, you can upgrade now. Be careful at this point!!
1. loader
2. key
3. firmware: upgrade all three together.



Quote:
Originally posted by 小侠唐在飞 on 2017-12-19 20:52
How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware
[TSB16495] ...
When the master takes action, it is extraordinary~



Quote:
Originally posted by 咖啡 on 2017-12-26 14:56

When the master takes action, it is extraordinary~
This is basic stuff..



Quote:
Originally posted by 小侠唐在飞 on 2017-12-26 16:01

This is basic stuff..



Copyright©2005-2017 51CTO.COM