Updating BIOS and the Intel Management Engine firmware

This section describes the procedure of updating BIOS on an SN3100 firewall to version R2.30 in console mode by using a USB drive.

Connecting devices to SNS firewalls

  • Connect the computer to the SNS firewall with the help of an RJ45 to RS232 serial cable, and an RS232 to USB-A cable.

    - or -

  • Connect a USB keyboard and a monitor to the SNS firewall using an HDMI cable.
Front panel Rear panel

1 : RJ45 serial port in console mode

2 : USB 3.0 port

1 : On/off button

2 : HDMI port: for plugging in the monitor

3 : Mains sockets for redundant power supplies

Checking the current BIOS version

  1. Log in to the SNS firewall system in console or SSH mode.
  2. Authenticate by using the admin account on the SNS firewall system.

  3. Enter the command:

    dmidecode -s bios-version

    The SNS firewall should show version R1.06. If version R1.04 is displayed, you will first need to update BIOS to version R1.06, by following the procedure in the section Updating BIOS to version R1.06.

Disabling Secure Boot

The update procedure requires Secure Boot to be disabled so that the SNS firewall can start up on the USB drive that was prepared earlier . This feature is disabled by default on SN3100 firewalls. If it had been enabled on your firewall, you need to disable it.

To disable Secure Boot, refer to the technical note Managing Secure Boot in SNS firewalls' UEFI.

Updating BIOS

IMPORTANT
The update process is fully automatic and lasts around five minutes.
Once the process is run, it must never be interrupted, and the firewall must not be disconnected from the power supply. If this occurs, your firewall will be completely unable to run.

  1. As SN3100 firewalls have two internal power supply units to provide a redundant power supply, ensure that you have plugged in both power cords to the electrical mains.
  2. Insert the USB drive that was prepared earlier into a USB port.

  3. Restart the SNS firewall by using the command:

    reboot

  4. In the command prompt, type fs0: or fs1: to reach the USB drive and check its contents. Locate the executable: Flash3100_R230.nsh.

    If the location of the USB drive is unknown, check the contents of each location by using the command:

    ls

  5. In the command prompt, run the executable file:

    Flash3100_R230.nsh

    The update process will then start:

    In the command prompt, run the executable file Flash_SNL_R103.nsh

  6. When the update is complete, restart the SNS firewall by using the command:

    reset

Updating the Intel Management Engine firmware

  1. In the command prompt, run the executable file:

    Flash3100_ME2024.nsh

    The update process will then start:

    Running the executable file Flash_ME_SNL.nsh in the command prompt

  2. When the update is complete, shut down the SNS firewall by using the command:

    reset -s

  3. Unplug both power cables from the SNS firewall.
  4. Unplug the USB drive from the SNS firewall.
  5. Wait five minutes.
  6. Plug in both power cables.
  7. Start the SNS firewall by holding down the Power button located on the rear panel.

Checking the BIOS and Intel Management Engine firmware versions after the update

  1. Once the SNS firewall starts up, press [Del] several times to stop the startup sequence, and access BIOS.
  2. Go to the Main tab and check the following versions:
    1. BIOS Version field: the version that appears should be R2.30.
    2. ME Firmware Version field: the version that appears should be 12.0.95.2489.
  3. Quit BIOS.

Required operations following an update

Once you have updated BIOS, launch the following operations, in this order.

Configuring the password to access the UEFI control panel

If you had set a password to access the UEFI control panel, this password will be deleted. To set a new password, refer to the technical note Protecting access to the configuration panel of the UEFI on SNS firewalls.

Enabling Secure Boot

This feature is disabled by default on SN3100 firewalls. If it had been enabled on your firewall, you need to enable Secure Boot again by referring to the technical note Managing Secure Boot in SNS firewalls' UEFI.

Resealing the TPM

If you had initialized the TPM, the features that use certificates with TPM-protected private keys (VPN, those managed by an SMC server, etc.) will no longer function. To restore the features in question, follow one of the procedures below to reseal the TPM.

From the web administration interface

This use case is exclusive to SNS 4.8.7 and higher versions.

  1. Log in to the SNS firewall web administration interface. A window prompts you to seal the TPM module of the SNS firewall.

    Password window to seal the TPM

  2. Enter the TPM module administration password in the relevant field.
  3. Click on OK.
  4. If the SNS firewall is part of a high availability cluster, a second window prompts you to seal the TPM module of the passive firewall. Enter the TPM module administration password and click on OK.

From the CLI console

  1. Seal the TPM on the SNS firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password>

    Replace <password> with the TPM module administration password.

  2. If the SNS firewall is part of a high availability cluster, seal the TPM on the passive firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive