From securityrouter.org, an OpenBSD-based firewall
Revision as of 12:47, 9 April 2014 by Anders (talk | contribs)
Supervising the update from a VMware console
The internet connection settings for the recovery firmware are auto-filled from the configuration on the web admin's update page

Software updates are an important part of maintaining high security in your network. Updates are released on a regular basis, with no strict schedule, so that they can be issued quickly when possible threats arise. Updates are complete system images that the "recovery firmware" downloads from our update servers directly to the (normally read-only) system disk (CF, USB, etc.); allow for an estimated download size of 100MB. The advantage of "complete system image" updates, which overwrite the entire system disk, is that every appliance is known to be exactly identical.

All that is necessary to update is a working Internet connection, and the process typically takes 5-10 minutes depending on internet connection speed and update method.

Before you update

In practice, performing an update is no more complicated than pressing a button in the web administration and waiting. However, to be prepared for the unexpected (in case something breaks), following the guidelines below is recommended.

  • Make an external backup (export; copy-paste for example) of your configuration before updating
  • Set aside a maintenance window of at least an hour, even though the process typically takes 5 minutes
  • If you're running in a virtualised environment, take a snapshot of the machine, and merge the snapshot after verifying that it works
  • Be prepared to access the video/serial console in case of failure

Standard (cached) update

If your system disk (CompactFlash, USB stick or virtual disk) is at least 1 GB, or you've attached a storage disk (USB or virtual), it's possible to pre-download the system image before booting into the recovery OS. This is the recommended update method, especially for setups that use e.g. PPPoE or other connection methods which are not available in the recovery OS.

Streaming update

If you're unable to use the normal (cached) update method, you can perform a streaming update. The system reboots to the "recovery firmware" partition, erases the system partition (leaving the configuration partition intact), downloads and writes the image to the system partition while verifying its SHA256 checksum, and finally reboots into the newly created system partition, resuming normal operations.
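
The write-while-verifying step described above, sketched as an added example (this is not securityrouter.org code). The function name, chunk size, size check and sample image are assumptions made for illustration; the point is that the hash is computed over exactly the bytes written, so a truncated or altered download is detected before the new partition is ever booted.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size; an assumption, not a value from the page


def stream_image(src, dst, expected_sha256, expected_size=None):
    """Copy src to dst chunk by chunk, hashing every byte that is written.

    Returns (ok, digest_hex, bytes_written). ok is False on a digest or
    size mismatch, in which case the caller must not boot from dst and
    should stay in the recovery environment to retry.
    """
    h = hashlib.sha256()
    written = 0
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            break
        dst.write(chunk)
        h.update(chunk)          # hash the same bytes that hit the disk
        written += len(chunk)
    digest = h.hexdigest()
    ok = hmac.compare_digest(digest, expected_sha256.lower())
    if expected_size is not None and written != expected_size:
        ok = False               # short or oversized download
    return ok, digest, written


def demo():
    """Run the copy over constructed inputs: intact, truncated, altered."""
    image = b"constructed sample image " * 10000   # constructed test data
    good = hashlib.sha256(image).hexdigest()
    size = len(image)
    altered = bytearray(image)
    altered[1234] ^= 0x01                           # single flipped bit
    cases = {
        "intact": image,
        "truncated": image[: size // 2],
        "altered": bytes(altered),
    }
    return {
        name: stream_image(io.BytesIO(data), io.BytesIO(), good, size)[0]
        for name, data in cases.items()
    }


if __name__ == "__main__":
    print(demo())
```

Because a streaming update has already erased the system partition by the time a mismatch is detected, a failed check leaves only the recovery firmware to fall back on, which is why console access is listed under "Before you update".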


There are three ways of initialising an update.

  • From the web administration; System > Software update
  • On boot, by pressing "f" (generally any key) when prompted, and then in the recovery OS console type "update" and follow the instructions
  • From the CLI using the syntax:
    Syntax                                                  Example
    software-update storage                                 software-update storage
    software-update stream interface dhcp-client            software-update em0 dhcp-client
    software-update stream interface address gateway dns    software-update em0