Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Upgrade BIOS and Firmware (SRX Series Firewall Only)

Learn how to upgrade BIOS and Firmware for SRX Series Firewall.

BIOS Upgrades on SRX Series Firewalls

Manual BIOS Upgrade Using the Junos CLI

On SRX300 Line of Series Firewall devices, the BIOS consists of a U-boot and the Junos loader. Additionally, a backup BIOS is supported which includes a backup copy of the U-boot in addition to the active copy from which the system generally boots up.

Table 1 Lists the CLI commands used for manual BIOS upgrade.

Table 1: CLI Commands for Manual BIOS Upgrade

Active BIOS

Backup BIOS

request system firmware upgrade re bios

request system firmware upgrade re bios backup

BIOS upgrade procedure:

  1. Install the jloader-srxsme package.

    1. Copy the jloader-srxsme signed package to the device. The version of the jloader-srxsme package you install must match the version of Junos OS.

    2. Install the package using the request system software add <path to jloader-srxsme package> no-copy no-validate command.

      Installing the jloader-srxsme package places the necessary images under directory/boot.

  2. Verify that the required images for upgrade are installed. Use the show system firmware to verify that the correct BIOS image version is available for upgrade.

  3. Upgrade the BIOS (Active and backup) image.

    Active BIOS:

    1. Initiate the upgrade using the request system firmware upgade re bios command.

    2. Monitor the upgrade status using the show system firmware command.

      The device must be rebooted for the upgraded active BIOS to take effect.

    Backup BIOS:

    1. Initiate the upgrade using the request system firmware upgade re bios backup command.

    2. Monitor the upgrade status using the show system firmware command.

Auto BIOS Upgrade Methods on SRX Series Firewalls

The BIOS version listed in the bios-autoupgrade.conf file is the minimum supported version. If the current device has a BIOS version earlier than the minimum compatible version, then the auto BIOS upgrade feature upgrades the BIOS automatically to the latest version.

The BIOS upgrades automatically in the following scenarios:

  • During Junos OS, upgrade either through the J-Web user interface or the CLI (using the request system software add no-copy no-validate software-image). In this case, only the active BIOS is upgraded.

  • During loader installation using TFTP or USB (using the install tftp:///software-image command). In this case, only the active BIOS is upgraded.

  • During system boot-up. In this case, both the active BIOS and the backup BIOS are upgraded.

Disable Auto BIOS Upgrade on SRX Series Firewalls

The auto BIOS upgrade feature is enabled by default. You can disable the feature using the CLI in configuration mode.

To disable the automatic upgrade of the BIOS on an SRX Series Firewall, use the chassis routing-engine bios command as following:

The command disables automatic upgrade of the BIOS only during Junos OS upgrade or a system boot-up. It does not disable automatic BIOS upgrade during loader installation.

The set chassis routing-engine bios uninterrupt command is introduced on SRX300, SRX320, SRX340, and SRX345 devices to disable user inputs at U-Boot and boot loader stage. The set chassis routing-engine bios uninterrupt command is introduced for SRX380 Series devices.

The set chassis routing-engine bios uninterrupt is available on vSRX3.0 devices.

The set chassis routing-engine bios uninterrupt command can be used on SRX300, SRX320, SRX340, and SRX345, devices to disable user inputs at U-Boot, boot loader and Junos-Kernel boot stage. The set chassis routing-engine bios uninterrupt command is introduced in Junos OS on SRX380 Series devices.

To disable the user inputs at U-Boot, boot loader and Junos Kernel boot stage, use the chassis routing-engine bios command as following:

Install U-Boot version 3.2 or later and loader version 2.9 or later on SRX Series Firewalls to disable user inputs at the U-Boot and boot loader stage with the chassis routing-engine bios command.

You can check the version number at console output when your device boots up as shown in the following sample:

You can also check the U-Boot and loader version at Junos shell prompt as shown the following sample:

On SRX Series Firewalls, if both set system ports console insecure and set chassis routing-engine bios uninterrupt options are configured, no alternative recovery method is available if the Junos OS fails to boot and the device becomes unusable.

Related Documentation