HP Security Modules Software Upgrade Guide
Part number: 5998-2259
Document version: 6PW103-20130314

Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Introduction to Software Upgrade

Overview

Introduction to HP Security Modules
Security modules are a new generation of specialized security devices developed by HP for large enterprises. Network devices installed with Security modules can improve their security capability while forwarding data. The software on Security modules can be upgraded on the console interface or an Ethernet interface.
Files
To upgrade the software on Security modules, you need to upgrade and maintain the following three categories of files:
• BootWare program file
• Application files
• Configuration files

BootWare program file
The BootWare program file on a Security module is used for booting application files and is saved on the Flash of the Security module. The entire BootWare program file contains a basic segment and an extended segment.
• The secure application file is the last resort for the Security module boot. You cannot change the type of the secure application file, or change other types of files to the secure application file. You can only download it using the BootWare menu.
• There is only one application file of the same type (M, B, or S) on the CF card.

Configuration files
The configuration files store configuration information of Security modules.
Upgrade Methods and Flow

Upgrade Methods
You can upgrade software in one of the following three ways:
• Upgrade software on the Web interface. For the upgrade procedure, see “Application Upgrade on the Web Interface”.
• Upgrade the BootWare program and an application using Xmodem through the serial interface. For the upgrade procedure, see “Upgrading the BootWare Program and Applications Through the Serial Interface”.
• Upgrade applications using TFTP/FTP through an Ethernet interface.
Upgrade Flow
Figure 1 Software upgrade flow

Specifying Files

Specifying a boot file
No matter how you upgrade software, use the boot-loader file file-url { main | backup } command in user view to specify a new boot file for the Security module and then restart the switch or router. In the command,
• file file-url: Name of the boot file, consisting of 1 to 64 characters.
• main: Main application file.
• backup: Backup application file.
NOTE:
• A boot file is an application file used to boot the Security module. When there are multiple application files on the CF card, you can use the boot-loader command to specify an application file for the next boot. The main application file is used to boot the Security module. The backup application file is used to boot the Security module when the main application file is unavailable.
• The SSL VPN modules do not support the boot-loader command.
Application Upgrade on the Web Interface

Security modules support Web-based network management. The network administrator can conveniently and visually manage, maintain, and upgrade the modules on the Web interface. Default Web login information is set for Security modules before delivery, and you can use the default information to log in to the Web interface.
Step4 Launch Internet Explorer 6.0 or above on the PC, type the IP address 192.168.0.1 in the address bar, and press Enter to open the Web user login page shown in Figure 2. Enter the username admin, password admin, and verify code, select a language, and click login to log in to the Web interface.
Figure 2 Web user login interface

Software Upgrade
After login, select System Management > Software Upgrade from the navigation tree to enter the page shown in Figure 3.
Field                                  Action
Reboot after the upgrade is finished   Select this option if you want the Security module to reboot immediately after the software is upgraded.
Software Upgrade in Conventional Methods

Security modules provide the BootWare menu and a CLI, through either of which you can configure, manage, and upgrade the modules.

NOTE: The upgrade procedures of FW, SSL VPN, LB, and NS modules are similar unless otherwise specified in this chapter. This chapter illustrates the procedures for upgrading the software of an LSR1FW2A1 on the 9500.

Preparations for Software Upgrade
Before upgrading the software in conventional methods, set up a configuration environment.
Figure 4 Establish a HyperTerminal connection.
Step3 From the Connect using dropdown list shown in Figure 5, select the serial interface to which the console cable is connected.
Figure 5 Select the serial interface for the HyperTerminal connection
Step4 Set serial interface parameters. In the COM1 Properties dialog box shown in Figure 6, set the default serial interface properties listed in Table 5.
Property       Value
Data bits      8
Parity         None
Stop bits      1
Flow control   None

Figure 6 Set serial interface parameters
Step5 Click OK to enter the HyperTerminal window shown in Figure 7.
Figure 7 HyperTerminal window
Step6 In the HyperTerminal window, select File > Properties > Settings to enter the dialog box shown in Figure 8.
Step7 Set the terminal emulation to VT100 or autodetect and click OK to return to the HyperTerminal window.
Introduction to the BootWare Menu

Main Menu
After the above configurations are completed and the Security module is powered on, the module first performs system initialization. After system initialization, the following information is displayed on the configuration terminal:

NOTE: For different Security modules or different versions of BootWare programs, the information displayed on the configuration terminal may slightly differ.

System start booting...
Booting Normal Extend BootWare....
Press Ctrl+B when “Press Ctrl+B to enter extended boot menu...” appears, and the Security module prompts:

Please input BootWare password:

You are required to enter the BootWare password. (Note: The initial BootWare password is null. You have three attempts to enter the correct BootWare password. A fourth attempt will make the module halt and you need to restart the module to enter the correct password.
Menu item                      Description
<8> Clear Super Password       Clear the super user password. The super user password is required in user level switching. By default, no super user password is set. The setting is valid only for the first reboot of the Security module and the super user password will be restored next time the Security module reboots.
<9> Storage Device Operation   Enter the storage device operation submenu to select applications from a storage device to boot the Security module.
| <2> Update Main Application File |
| <3> Update Backup Application File |
| <4> Update Secure Application File |
| <5> Modify Ethernet Parameter |
| <0> Exit To Main Menu |
| < Ensure The Parameter Be Modified Before Downloading! > |
=============================================================
Enter your choice(0-5):

Table 8 describes the Ethernet submenu items.
BootWare Operation Submenu
Select 7 on the main menu to enter the BootWare operation submenu.

=========================================
|Note:the operating device is cfa0 |
| <1> Backup Full BootWare |
| <2> Restore Full BootWare |
| <3> Update BootWare By Serial |
| <4> Update BootWare By Ethernet |
| <0> Exit To Main Menu |
=============================================================
Enter your choice(0-4):

Table 10 describes the BootWare operation submenu items.
Upgrading the BootWare Program and Applications Through the Serial Interface

NOTE: The Security modules for the 5800 series switches do not support upgrading the BootWare program and applications through the serial interface.

Introduction to Xmodem
You need to use the Xmodem protocol when upgrading the BootWare program and applications through the serial interface (console interface). Xmodem is a file transfer protocol widely used for its simplicity and good performance.
Step3 Select a proper baud rate, for example, 5 for the baud rate of 115200 bps. The following information is displayed:

Baudrate has been changed to 115200 bps.
Please change the terminal's baudrate to 115200 bps, press ENTER when ready.

At this time, the baud rate of the serial interface on the Security module is modified to 115200 bps, while that of the HyperTerminal is still 9600 bps. Therefore, the Security module and the HyperTerminal cannot communicate with each other.
Figure 10 Modify the baud rate on the HyperTerminal
Step6 Select Call > Call to re-establish a call connection.
Figure 11 Re-establish a call connection
Step7 Press Enter. You can see the current baud rate and return to the upper level menu.
NOTE: After you download files at the modified baud rate to upgrade applications, restore the baud rate on the HyperTerminal to 9600 bps in time, so as to ensure the normal display on the screen when the Security module boots or reboots.

Upgrading Applications
You can upgrade applications on the serial submenu when upgrading them through the serial interface.
Step1 Select 2 on the main menu to enter the serial submenu. For more information about the serial submenu, see “Serial Submenu”.
Figure 13 Sending file dialog box
After the file is downloaded, the following information is displayed on the configuration terminal:

Download successfully!
10129792 bytes downloaded!

NOTE:
• The size of an application is often over 10 MB. Even if the baud rate is set to 115200 bps, it usually takes about 30 minutes to upgrade the application through the serial interface. Therefore, it is recommended that you upgrade applications through an Ethernet interface.
Step2 Select 1. The following information is displayed:

Waiting ...CCCCCCCCCCCCCCCCCCCCCCCCC...

Step3 Select Transfer > Send file in the HyperTerminal window. The following dialog box appears:
Figure 14 Send File dialog box
Step4 Click Browse… to select the application file to be downloaded, and select Xmodem from the Protocol dropdown list.
NOTE:
• The BootWare program is automatically upgraded when applications are upgraded, that is, you do not need to upgrade the BootWare program separately.
• The file name, size, and path in the above figures may vary. Check the current BootWare and application versions before upgrading them.
• If you upgrade the extended segment, you upgrade only part of the BootWare program. Once an error occurs, you can start the BootWare upgrade process again.
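
The serial procedure above relies on Xmodem, so the following added example (not HP's BootWare code and not part of the original guide) shows how a sender frames an image into blocks and how a receiver validates each one. It assumes the standard XMODEM-CRC variant with 128-byte blocks, in which the receiver asks for CRC mode by sending the letter C, and uses a constructed 260-byte sample in place of a real image.

```python
# Added example: standard XMODEM-CRC framing, not taken from BootWare.
SOH = 0x01            # start of a 128-byte block
NAK = 0x15            # receiver's reply to a damaged block (sender resends)
CRC_REQ = ord("C")    # receiver's request to start a transfer in CRC mode
BLOCK = 128           # payload bytes per block (assumption: classic XMODEM)
PAD = 0x1A            # conventional filler for a short final block


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def build_block(seq: int, chunk: bytes) -> bytes:
    """Frame one block: SOH, seq, 255-seq, 128 padded data bytes, CRC hi/lo."""
    if len(chunk) > BLOCK:
        raise ValueError("chunk longer than one block")
    payload = chunk.ljust(BLOCK, bytes([PAD]))
    seq &= 0xFF
    crc = crc16_xmodem(payload).to_bytes(2, "big")
    return bytes([SOH, seq, 0xFF - seq]) + payload + crc


def frames(image: bytes):
    """Yield every block of an image; sequence numbers start at 1 and wrap."""
    for offset in range(0, len(image), BLOCK):
        yield build_block(offset // BLOCK + 1, image[offset:offset + BLOCK])


def check_block(frame: bytes, expected_seq: int) -> bytes:
    """Receiver-side validation: return the payload or raise ValueError."""
    if len(frame) != BLOCK + 5 or frame[0] != SOH:
        raise ValueError("bad header or length")
    if frame[1] != expected_seq & 0xFF or frame[1] ^ frame[2] != 0xFF:
        raise ValueError("bad sequence number")
    payload = frame[3:3 + BLOCK]
    if crc16_xmodem(payload) != int.from_bytes(frame[-2:], "big"):
        raise ValueError("CRC mismatch")   # receiver would answer NAK
    return payload


if __name__ == "__main__":
    image = bytes(range(256)) + b"tail"    # constructed 260-byte sample
    sent = list(frames(image))
    print(len(sent), "blocks of", len(sent[0]), "bytes")
    print(check_block(sent[2], 3)[:6])     # last block: data, then padding
```

The CRC catches line noise and dropped bytes on the console link; it is not a cryptographic check and says nothing about where the image came from.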
=====================================
Note: '.' = Clear field.
'-' = Go to previous field.
Ctrl+D = Quit.
=============================================================
Protocol (FTP or TFTP):tftp
Load File Name :main.bin :main.bin
Target File Name :main.bin :main.bin
Server IP Address :192.168.80.200
Local IP Address :192.168.80.
NOTE:
• To use the default parameter after a colon, press Enter directly.
• If the Ethernet port parameter settings fail to pass CRC check, the system adopts the default settings and displays “Check net params crc error, use the default value.”

Step3 After the above configurations, you will return to the Ethernet submenu, where you can select 2 to upgrade the main application file.

Loading................................... done
10129712 bytes downloaded!
Updating File cfa0:/main.bin .........
Use the dir command to query the files in the current file system and the available space on the CF card to prepare for application upgrade.

dir
Directory of cfa0:/
0 -rw- 10867848 Jun 13 2007 13:21:20 main.bin
1 -rw- 4722 Jun 26 2007 12:55:42 config.cfg
2 -rw- 1128 Jun 27 2007 11:07:24 startup.cfg
3 -rw- 10129712 Jun 27 2007 10:26:02 update.bin
4 drw- - Jun 02 2007 18:28:14 logfile
62472 KB total (41855.
Step4 Back up application files. Using TFTP, you can upload application files from the Security module to the TFTP server for the backup purpose.

# Upload the main.bin file from the Security module to the TFTP server and save it as main.bin.
tftp 192.168.80.200 put main.bin main.bin
File will be transferred in binary mode
Sending file to01 remote tftp server. Please wait...
TFTP: 10867848 bytes sent in 0.01 second(s).
File uploaded successfully.
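
A size check that can follow a backup or download, written as an added example and not part of the original guide: it parses a dir listing and the transfer messages quoted in this guide and confirms that the reported byte count accounts for the whole file. The sample listing is constructed from rows shown in the guide; treating the 10129792 bytes reported after the serial download as a 10129712-byte image rounded up to whole 128-byte Xmodem blocks is an assumption.

```python
import re

# Constructed sample: rows as shown in this guide's dir output, one per line.
DIR_OUTPUT = """\
Directory of cfa0:/
   0   -rw-  10867848  Jun 13 2007 13:21:20   main.bin
   1   -rw-      4722  Jun 26 2007 12:55:42   config.cfg
   2   -rw-      1128  Jun 27 2007 11:07:24   startup.cfg
   3   -rw-  10129712  Jun 27 2007 10:26:02   update.bin
   4   drw-         -  Jun 02 2007 18:28:14   logfile
"""

# index, type+permissions, size (or "-" for a directory), date, time, name
DIR_ROW = re.compile(
    r"^\s*\d+\s+([d-])[rwx-]{3}\s+(\d+|-)\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)\s*$")
# "... bytes sent", "... byte(s) sent" and "... bytes downloaded!"
REPORT = re.compile(r"(\d+)\s+byte(?:s|\(s\))\s+(?:sent|downloaded)")
XMODEM_BLOCK = 128   # assumption: classic 128-byte Xmodem blocks


def parse_dir(text: str) -> dict:
    """Map file name to size in bytes; directory rows are skipped."""
    sizes = {}
    for line in text.splitlines():
        row = DIR_ROW.match(line)
        if row and row.group(1) == "-":
            sizes[row.group(3)] = int(row.group(2))
    return sizes


def reported_bytes(message: str) -> int:
    """Extract the byte count from a TFTP, FTP or BootWare transfer message."""
    found = REPORT.search(message)
    if not found:
        raise ValueError("no byte count in message")
    return int(found.group(1))


def transfer_complete(expected: int, message: str, xmodem: bool = False) -> bool:
    """True when the reported count accounts for the whole file."""
    got = reported_bytes(message)
    if xmodem:   # the final block is padded, so the count is rounded up
        return got == -(-expected // XMODEM_BLOCK) * XMODEM_BLOCK
    return got == expected


if __name__ == "__main__":
    files = parse_dir(DIR_OUTPUT)
    msg = "TFTP: 10867848 bytes sent in 0.01 second(s)."
    print("main.bin backup complete:", transfer_complete(files["main.bin"], msg))
    serial = "10129792 bytes downloaded!"
    print("serial download complete:",
          transfer_complete(files["update.bin"], serial, xmodem=True))
```

A matching size only shows that the transfer was not cut short; it does not show that the contents are unchanged.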
WARNING!
• The FTP server program is not shipped with the Security module and you need to purchase and install it.
• When you upgrade application files using FTP on the BootWare menu, use Ethernet interface GigabitEthernet 0/2 on the Security module except the SSL VPN module.
[ftp]

Step4 Upgrade applications. Using FTP, you can download application files from the FTP server to overwrite existing application files on the Security module to implement application upgrade. The upgraded application files take effect at the next boot.

# Download the main.bin file from the FTP server to the Security module.
[ftp] get main.bin main.bin
cfa0:/main.bin has been existing.
• Configure IP addresses for the Security module and the PC and ensure that they are on the same network segment. In this example, the IP address of Ethernet interface GigabitEthernet 0/1 on the Security module is 192.168.80.10 and that of the PC is 192.168.80.200.
• Use the ping command to check the connectivity between them.

Step2 Enable the FTP service.

# Enable the FTP server.
[HP] ftp server enable
# Configure an FTP username and password.
150 Opening BINARY mode data connection for main.bin.
226 Transfer complete.
FTP: 11673608 byte(s) sent in 7.648 second(s), 1526.00Kbyte(s)/sec

NOTE:
• When you upgrade an application file, if the file name already exists on the FTP server, the existing file will directly be overwritten.
• You can upgrade configuration files in the way you upgrade application files. You can use a text editor to modify a configuration file.
Displaying all files
Select 1 on the file control submenu. The following information is displayed:

Display all file(s) in cfa0:
'M' = MAIN 'B' = BACKUP 'S' = SECURE 'N/A' = NOT ASSIGNED
=============================================================
NO.  Size(B)    Time                   Type  Name
1    10129712   Apr/11/2007 05:39:50   B     cfa0:/main.bin
2    1227       May/11/2007 16:25:52   N/A   cfa0:/startup.cfg
3    2294       May/11/2007 14:47:32   N/A   cfa0:/~/startup.cfg
4    2094       May/11/2007 13:47:34   N/A   cfa0:/~/startup_bac.
The file you selected is cfa0:/~/startup_bac.cfg,Delete it? [Y/N]

Step3 Enter Y. The following information appears, indicating the file is successfully deleted.

Deleting......... Done!

Maintaining Files at the CLI

Displaying all files
Use the dir command to display all files on a Security module.

dir
Directory of cfa0:/
0 drw- - Jun 11 2007 19:09:42 logfile
1 -rw- 10867848 Jun 13 2007 13:21:20 main.bin
2 -rw- 1128 Jun 27 2007 11:07:24 startup.
Dealing With Password Loss

This section tells you what to do if you forget the BootWare password, user password, or super password of a Security module.

User Password Loss
If you forget your user password, you cannot log in to the Security module. In this case, you can ignore the current configuration to boot the Security module and set a new user password as follows:
Step1 Select 6 on the main menu to ignore the current configuration when the Security module boots.
Step1 Select 5 on the main menu to modify the BootWare password as prompted. The following information is displayed:

please input old password:

Step2 Enter the old BootWare password:

please input old password: ******

NOTE:
• If you enter the old BootWare password incorrectly, “Wrong password, Please input password again:” appears.
• After three attempts to enter the correct old BootWare password, “Wrong password, system halt.” appears and the Security module halts.
Backing Up and Restoring the BootWare Program File

Select 7 on the main menu to enter the BootWare operation submenu. For more information, see “BootWare Operation Submenu”.

Backing Up the Entire BootWare Program File

Backing up the entire BootWare program file on the BootWare menu
To back up the entire BootWare program file, you need to first back up the basic segment and then the extended segment as follows:
Step1 Select 1 on the BootWare operation submenu.
Will you restore the Basic BootWare? [Y/N]

Step2 Enter Y.

Begin to restore Normal Basic BootWare.................... Done!

By now, the basic segment has been restored. Then, a question is displayed:

Will you restore the Extend BootWare? [Y/N]

Step3 Enter Y.

Begin to restore Normal Extend BootWare.................... Done!

By now, the extended segment has been restored.

Restoring the entire BootWare program file at the CLI
You can use the following command to restore the entire BootWare program file.
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[]                Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons

Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
Represents an access point.