Updating BIOS to version R2.30 from the web administration interface

This section describes the procedure for updating the BIOS on an SN3100 firewall to version R2.30 from the web administration interface.

Required equipment

  • A computer with access to the SN3100 firewall's web administration interface from a compatible web browser.

  • An SN3100 model firewall running BIOS version R1.06 only.

Important information regarding certain SNS firewall features

These features need to be configured again after a BIOS update:

  • Password to access the UEFI control panel: if you have set one, it will be deleted during the BIOS update. You will need to set it again.

  • Secure Boot: This feature is disabled by default on SN3100 firewalls.

    If it had been enabled on your firewall, and you have just updated BIOS from an R1.04 version to version R1.06, you will need to enable Secure Boot again after the update to version R2.30.

  • TPM: if you had initialized the TPM, the features that use certificates with TPM-protected private keys (VPN, those managed by an SMC server, etc.) will no longer function. Reseal the TPM to restore the features in question.

These procedures are described in the section Required operations following an update.

Downloading the BIOS update file

  1. In your Mystormshield area, go to Downloads > STORMSHIELD NETWORK SECURITY > TOOLS > STORMSHIELD NETWORK SECURITY-TOOLS.
  2. Download the .maj file SN3100 BIOS R230 remote update by clicking on its name.
  3. Verify the integrity of the downloaded file using its SHA256 hash:

    a5d2d5f0aaf1328939bebe4bab94d3a9a22e185b127da3dfd521e1f3732d26de

The downloaded .maj file contains the BIOS update and Intel Management Engine firmware update.

Updating BIOS and the Intel Management Engine firmware

Checking the current BIOS version

As of SNS versions 4.8.13 LTSB and 4.3.41 LTSB, the BIOS version can be checked in the CLI console:

  1. In the SNS firewall's web administration interface, go to Configuration > System > CLI console.
  2. Enter the command:

    SYSTEM PROPERTY

    The BIOSVersion configuration token should show version R1.06. If version R1.04 is displayed, you will first need to update BIOS to version R1.06, by following the procedure in the section Updating BIOS to version R1.06.

In earlier SNS versions, the version has to be checked in the console or SSH:

  1. Log in to the SNS firewall system in console or SSH mode.
  2. Authenticate by using the admin account on the SNS firewall system.
  3. Enter the command:

    dmidecode -s bios-version

    The SNS firewall should show version R1.06. If R1.04 is displayed, you will first need to update BIOS to version R1.06 by following the procedure in the section Updating BIOS to version R1.06.
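The two checks above (SHA256 of the downloaded .maj file, then the BIOS version gate) can be scripted on the administration workstation before anything is uploaded. This is an added example, not Stormshield code: the script name preflight.sh and the function names are hypothetical, and the BIOS version argument is whatever SYSTEM PROPERTY or dmidecode reported on the firewall.

```shell
#!/bin/sh
# Added example: pre-flight checks before uploading the R2.30 .maj file.
# SHA256 published on this page for "SN3100 BIOS R230 remote update".
EXPECTED_SHA256="a5d2d5f0aaf1328939bebe4bab94d3a9a22e185b127da3dfd521e1f3732d26de"

# Print the SHA-256 of a file using whichever tool is installed.
# Reading from stdin avoids any filename quoting in the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r < "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only on an exact match
# (hex case is ignored); a missing file returns 2.
verify_sha256() {
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    wanted=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$wanted" ]
}

# bios_gate VERSION: 0 = R1.06 (may proceed), 1 = R1.04 (update to
# R1.06 first), 2 = anything else (this procedure does not apply).
bios_gate() {
    case "$1" in
        R1.06) return 0 ;;
        R1.04) return 1 ;;
        *)     return 2 ;;
    esac
}

# Usage: preflight.sh <file.maj> <BIOS version reported by the firewall>
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$EXPECTED_SHA256" ||
        { echo "hash mismatch: do not upload $1" >&2; exit 1; }
    bios_gate "$2" ||
        { echo "BIOS $2: not eligible for the R2.30 update" >&2; exit 1; }
    echo "OK: file verified and BIOS $2 is eligible"
fi
```
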

Updating BIOS and the Intel Management Engine firmware

IMPORTANT
The update process is automatic and lasts around five minutes. Once the process has started, it must never be interrupted, and the SNS firewall must not be disconnected from the power supply. If this occurs, the SNS firewall will be completely unable to run.

  1. In the SNS firewall's web administration interface, go to Configuration > System > Maintenance, System update tab.
  2. Select the update file (.maj) that was downloaded earlier.
  3. Expand the Advanced properties section, and unselect Save the active partition on the backup partition before updating the firewall.
  4. Click on Update firmware.

    Window to select the update file (.maj) on the SNS firewall

  5. Wait while the update proceeds. A pop-up window indicates the progress of the update. During the update, the SNS firewall will restart several times, which is normal.

    When you go back to the login page of the firewall's web administration interface, the SNS firewall will indicate that the update is complete.

Required operations following an update

Once the update is complete, launch the following operations, in this order.

Configuring the password to access the UEFI control panel

If you had set a password to access the UEFI control panel, this password will be deleted. To set a new password, refer to the technical note Protecting access to the configuration panel of the UEFI on SNS firewalls.

Enabling Secure Boot

This feature is disabled by default on SN3100 firewalls. If it had been enabled on your firewall, and you have just updated BIOS from an R1.04 version to version R1.06, you need to enable Secure Boot again by referring to the technical note Managing Secure Boot in SNS firewalls' UEFI.

Resealing the TPM

If you had initialized the TPM, the features that use certificates with TPM-protected private keys (VPN, those managed by an SMC server, etc.) will no longer function. To restore the features in question, follow one of the procedures below to reseal the TPM.

From the web administration interface

This procedure is available only in SNS 4.8.7 and higher versions.

  1. Log in to the SNS firewall web administration interface. A window prompts you to seal the TPM module of the SNS firewall.

    Password window to seal the TPM

  2. Enter the TPM module administration password in the relevant field.
  3. Click on OK.
  4. If the SNS firewall is part of a high availability cluster, a second window prompts you to seal the TPM module of the passive firewall. Enter the TPM module administration password and click on OK.

From the CLI console

  1. Seal the TPM on the SNS firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password>

    Replace <password> with the TPM module administration password.

  2. If the SNS firewall is part of a high availability cluster, seal the TPM on the passive firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive