Juniper upgrade resolution
August 26th, 2009 | by Ivan Kudryavtsev

Some time ago we became the happy owners of 3 Juniper NetScreen 208 Advanced appliances. Historically, our company protected its perimeter with a GNU/Linux router running Iptables & Iproute2. But we decided to launch a new cooperative start-up with our partner ISP.
Thus we decided to move from a PC (even a server, but still PC architecture) to professional network routing/firewall equipment that has all the necessary functions, such as firewalling, tunneling, advanced routing and VLAN support, and that is easy to maintain and highly reliable. After a deep analysis of competing equipment we chose the Juniper NetScreen 208, a firewall/VPN appliance with the required performance and feature set. These devices are a little outdated but still very powerful and high-performance, and they suit our purposes well.
You can review the characteristics of these devices in the technical sheet: juniper-netscreen-204-208. They offer more than enough for our purposes. We acquired 3 NS 208 units to build a network with a 2-firewall perimeter and 1 DMZ in between. We decided to hold 1 unit in reserve.
But after connecting the devices we found a problem. One of them had the latest firmware available (5.4.0) and the other had very outdated firmware (4.0.3), and we were unable to use the second one because that firmware has a lot of known bugs. So we decided to upgrade it to the 5.4.0 firmware from the first device. First of all, we extracted the firmware from the first device and tried to upload it to the second one. But we failed. The device said “Firmware image is too large!”. We checked the hardware version on both devices and found it to be the same. Looking for an answer to our question “Why?”, we found several articles which said “Use intermediate versions of firmware to upgrade.”. When we tried to find some intermediate versions we failed again, because none are available on the Internet and Juniper avoids publishing them to protect customers. We contacted our local Juniper partner, and they offered to sell us a support contract costing several thousand dollars (even though we don’t need it), after which they would provide us with the firmware. We even tried to hire electronic engineers to copy the whole flash memory from one device to another. But…
We found that the device is able to boot from the network via TFTP. We tried to boot the 5.4.0 firmware from the network and it did so successfully; after booting, the kernel began to upgrade the filesystem and ran well. Running the latest kernel, we installed the firmware from TFTP to flash, and it installed well again. So we began to build the perimeter and saved a lot of money.

One Response to “Juniper upgrade resolution”
By Nadija on Sep 17, 2009
Well done, guys!!!
It makes me proud of the Russian people, who look for unconventional solutions!
P.S. … cool writing style, very easy and interesting to read, thanks!