Updating BIOS from the web administration interface

This section describes the procedure for updating BIOS on an SN-L-Series (SN-L-Series-2200 and SN-L-Series-3200) model firewall to version R1.06 from the web administration interface.

Required equipment

  • A computer with access to the SN-L-Series firewall's web administration interface from a compatible web browser.

Important information regarding certain SNS firewall features

These features need to be configured again after a BIOS update:

  • Password to access the UEFI control panel: if one has been configured, it will be deleted if BIOS is being updated from version R1.02. You will need to set it again. As of version R1.05, passwords will be retained.

  • TPM: if you had initialized the TPM, the features that use certificates with TPM-protected private keys (VPN, SMC-managed firewall, etc.) will no longer function. Reseal the TPM to restore the features in question.

These procedures are described in the section Required operations following an update.

Downloading the BIOS update file

  1. In your MyStormshield area, go to Downloads > STORMSHIELD NETWORK SECURITY > TOOLS > STORMSHIELD NETWORK SECURITY - TOOLS.
  2. Download the .maj file SN-L-Series BIOS R106 remote update by clicking on its name.
  3. Verify the integrity of the downloaded file using its SHA256 hash:

    fb20eb816cea7f27e805b6b6d4702c21e9c138f330a14c62a18b9079490094f0

The downloaded .maj file contains the BIOS update and Intel Management Engine firmware.

Updating BIOS and the Intel Management Engine firmware

Checking the current BIOS version

As of SNS versions 4.8.13 LTSB and 4.3.41 LTSB, the BIOS version can be checked in the CLI console:

  1. In the SNS firewall's web administration interface, go to Configuration > System > CLI console.
  2. Enter the command:

    SYSTEM PROPERTY

    The BIOSVersion configuration token should show version R1.02 or R1.05.

In earlier SNS versions, the version has to be checked from the console or over SSH:

  1. Log in to the SNS firewall system in console or SSH mode.
  2. Authenticate by using the admin account on the SNS firewall system.
  3. Enter the command:

    dmidecode -s bios-version

    The SNS firewall should show version R1.02 or R1.05.
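The checks described so far can be combined into a single pre-flight step on the administration computer. The following is an added example, not part of the original procedure or a Stormshield tool: it verifies the downloaded .maj file against the SHA256 hash given above, confirms that the starting BIOS version is R1.02 or R1.05, and lists the operations that will be required after the update. The function names are hypothetical, and treating any other starting version as a reason to stop is an assumption of this example.

```python
import hashlib
import hmac

# SHA256 given on this page for the "SN-L-Series BIOS R106 remote update" .maj file.
EXPECTED_SHA256 = "fb20eb816cea7f27e805b6b6d4702c21e9c138f330a14c62a18b9079490094f0"
# Starting BIOS versions that this procedure expects before the update.
SUPPORTED_FROM = {"R1.02", "R1.05"}


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so that the image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def maj_is_authentic(path, expected=EXPECTED_SHA256):
    """True only if the file's SHA256 matches the expected value."""
    return hmac.compare_digest(sha256_of(path), expected.strip().lower())


def preflight(maj_path, bios_version, tpm_initialized, uefi_password_set,
              ha_cluster=False, expected=EXPECTED_SHA256):
    """Return (ok, notes); ok is False when the update should not be started.

    bios_version is the value of the BIOSVersion token or the output of
    `dmidecode -s bios-version`, pasted in by the administrator.
    """
    version = bios_version.strip()
    if not maj_is_authentic(maj_path, expected):
        return False, ["SHA256 mismatch: do not upload this file"]
    if version not in SUPPORTED_FROM:  # assumption: any other version is a stop
        return False, [f"unexpected BIOS version {version!r}: expected R1.02 or R1.05"]
    notes = []  # kept in the order required after the update
    if uefi_password_set and version == "R1.02":
        notes.append("set the UEFI control panel password again")
    if tpm_initialized:
        notes.append("reseal the TPM: SYSTEM TPM PCRSEAL tpmpassword=<password>")
        if ha_cluster:
            notes.append("reseal the passive firewall: "
                         "SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive")
    return True, notes
```
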

Updating BIOS and the Intel Management Engine firmware

IMPORTANT
The update process is automatic and lasts around five minutes. Once the process has started, it must never be interrupted, and the SNS firewall must not be disconnected from the power supply. If this occurs, the SNS firewall will be completely unable to run.

  1. In the SNS firewall's web administration interface, go to Configuration > System > Maintenance, System update tab.
  2. Select the update file (.maj) that was downloaded earlier.
  3. Expand the Advanced properties section, and unselect Save the active partition on the backup partition before updating the firewall.
  4. Click on Update firmware.

    Window to select the update file (.maj) on the SNS firewall

  5. Wait while the update proceeds. A pop-up window indicates the progress of the update. During the update, the SNS firewall will restart several times, which is normal.

    When you go back to the login page of the firewall's web administration interface, the SNS firewall will indicate that the update is complete.

Required operations following an update

Once the update is complete, launch the following operations, in this order.

Configuring the password to access the UEFI control panel

If you had set a password to access the UEFI control panel, the password will be deleted if BIOS is being updated from version R1.02. To set a new password, refer to the technical note Protecting access to the configuration panel of the UEFI on SNS firewalls.

If BIOS is being updated from version R1.05, you do not need to perform any operation as the password will be retained.

Resealing the TPM

If you had initialized the TPM, the features that use certificates with TPM-protected private keys (VPN, SMC-managed firewall, etc.) will no longer function. To restore the features in question, follow one of the procedures below to reseal the TPM.

From the web administration interface

This procedure is available only in SNS versions 4.8.7 and higher.

  1. Log in to the SNS firewall web administration interface. A window prompts you to seal the TPM module of the SNS firewall.

    Password window to seal the TPM

  2. Enter the TPM module administration password in the relevant field.
  3. Click on OK.
  4. If the SNS firewall is part of a high availability cluster, a second window prompts you to seal the TPM module of the passive firewall. Enter the TPM module administration password and click on OK.

From the CLI console

  1. Seal the TPM on the SNS firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password>

    Replace <password> with the TPM module administration password.

  2. If the SNS firewall is part of a high availability cluster, seal the TPM on the passive firewall with the command:

    SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive