ScreenOS Firewalls (NOT SRX)

Save Firmware to TFTP

06-25-2009 02:26 PM

I'm trying to save a copy of the firmware running on my NS-50, so I run the following from command line:
  save software from flash to tftp <ip addr> <destination filename>
The original file size of the firmware (ns50ns25.5.3.0r4.0) is 5,077 KB.  When I run the save command, the size of the file saved to TFTP is 5,120 KB.
It appears I am getting more than just the firmware image.

Can anyone shed some light on what exactly is being saved when that command is run?
4 REPLIES

Re: Save Firmware to TFTP

06-26-2009 04:59 AM
How are you comparing the file sizes?  Sometimes, the file size may differ depending on the OS, and that's why we post the MD5 checksum on the web site.  Verify the MD5 checksum that you are downloading matches the MD5 checksum that is on the web site, to ensure you are getting the right file.  Also, to ensure you are getting a valid ScreenOS file, you can load the image key, which will then do a digital image authentication upon boot up.  If it is not a valid ScreenOS image, it will reject loading of the new image.

Re: Save Firmware to TFTP

06-26-2009 05:46 AM

I have the original image of ns50ns25.5.3.0r4.0 (5,077 KB) on my workstation that I used to flash the NS-50.  I have the imagekey.cer file installed on all our gear to authenticate the images uploaded, and this one checks out as valid.

But when I tested, saving a copy of the device's firmware back to the same workstation, that's when it's coming down as 5,210 KB and the two files (original firmware, downloaded copy) have different MD5 hashes.
I have not tried re-flashing the device with the file I downloaded yet.  My concern is that it's either going to be an invalid image, or it may contain additional info such as license keys, di signatures, config, or whatever.

I'm trying to save a copy in case the firmware is ever corrupted (again).  This just happened to me earlier this month, and since I hadn't saved a copy of the firmware used to update it previously (never dreamed I would need to use it again), I had to recover the device by flashing with the only image I had available, a much older version.  Lesson learned: always keep an archive copy of whatever firmware is running on each device.

Advice?

Message Edited by rebus on 06-26-2009 05:51 AM
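An added check, not part of the thread and not a Juniper tool: given the vendor download and the TFTP copy side by side on disk, this Python script tests whether the saved file is the original image followed only by padding bytes (a plausible but unverified explanation for the size difference; 5,120 KB is exactly 5 MiB, which is the kind of boundary a flash dump would round up to), reports the MD5 of each file and of the saved copy truncated to the original's length, and if the two genuinely diverge, reports the first differing offset. The file names and the constructed sample bytes in the block are assumptions.

```python
import hashlib
import sys
from collections import Counter


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is what the vendor's download page publishes)."""
    return hashlib.md5(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte within the common length, or -1 if none."""
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            return i
    return -1


def compare_images(original: bytes, saved: bytes) -> dict:
    """Describe how a 'save software from flash to tftp' copy relates to the vendor image.

    prefix_match: the vendor image is a byte-for-byte prefix of the saved copy
    extra_len:    number of bytes that follow the vendor image in the saved copy
    tail_bytes:   distinct byte values in that tail (one value means plain padding)
    padded_only:  True when the saved copy is the vendor image plus uniform padding
    """
    prefix_match = saved[: len(original)] == original
    tail = saved[len(original):] if prefix_match else b""
    return {
        "original_md5": md5_hex(original),
        "saved_md5": md5_hex(saved),
        # MD5 of the saved copy cut to the vendor image's length; equal to
        # original_md5 exactly when prefix_match is True
        "truncated_md5": md5_hex(saved[: len(original)]),
        "original_len": len(original),
        "saved_len": len(saved),
        "prefix_match": prefix_match,
        "first_diff": -1 if prefix_match else first_difference(original, saved),
        "extra_len": len(tail),
        "tail_bytes": sorted(Counter(tail)),
        "padded_only": prefix_match and len(set(tail)) <= 1,
    }


def report(original: bytes, saved: bytes) -> None:
    """Print the comparison in a form suitable for pasting into a forum reply."""
    r = compare_images(original, saved)
    for key, value in r.items():
        print(f"{key:14s} {value}")
    if r["padded_only"]:
        print("verdict: saved copy = vendor image + padding")
    elif r["prefix_match"]:
        print("verdict: vendor image is a prefix, but the tail is not uniform padding")
    else:
        print(f"verdict: contents diverge at offset {r['first_diff']}")


# Constructed sample data (assumption, not real firmware): a 5 KiB "image" and a
# saved copy padded with 0xFF up to an 8 KiB boundary.
ORIGINAL = bytes(range(256)) * 20
SAVED = ORIGINAL + b"\xff" * (8192 - len(ORIGINAL))

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python compare_images.py ns50ns25.5.3.0r4.0 saved_from_tftp.bin
        with open(sys.argv[1], "rb") as f_orig, open(sys.argv[2], "rb") as f_saved:
            report(f_orig.read(), f_saved.read())
    else:
        report(ORIGINAL, SAVED)
```

If `padded_only` comes back True, the two MD5 differences in the thread are explained by the tail alone, and `truncated_md5` is the value to compare against the vendor's published checksum. If it is False, `first_diff` tells you where to start looking, and the saved copy should not be relied on as an archive of the vendor image.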

Re: Save Firmware to TFTP

06-26-2009 06:37 AM

Following up on my post from earlier this morning.....
I was reluctant to do this for fear of damaging my license keys or rendering the unit unbootable, but I saved a backup from a production firewall running a different (older) version of ScreenOS to TFTP.  Then I took a unit in the lab, booted from serial console, did the "Hit any key to run loader" option and uploaded the image saved from the other unit.
The lab unit booted up successfully, now running the older ScreenOS that's on the production unit, and the firmware was authenticated as valid on boot.  The lab unit's original license keys, di sigs, etc. appear to be intact.

So the only thing I can tentatively conclude from this is that while the file sizes (and thus MD5 hashes) are different between a firmware image downloaded from Juniper, and the resulting image of that same firmware "saved" back from the unit, the authenticity of the firmware image remains good-- and the backup does not (appear to) contain sigs, license keys, etc.
If I'm wrong, or missing something, please feel free to correct me. 

Message Edited by rebus on 06-26-2009 06:38 AM
Message Edited by rebus on 06-26-2009 06:39 AM

Re: Save Firmware to TFTP

06-28-2009 11:23 AM

One more followup to my own post, if I may.....
When the firmware is saved from the Netscreen to TFTP, it is not in a form that can be re-loaded using the web UI's firmware update option without throwing all sorts of errors.  Whether it will reboot properly after all these errors, I have not tested.
However, if you connect to the serial console, use the "Hit any key to run loader" option during boot, and use that utility to boot from a TFTP image (and then store it to flash), then it works without errors.  The firmware is also authenticated as valid.

So even though the firmware on the saved (from flash to TFTP) image is valid once uploaded back to the Netscreen, it's apparently in a format that won't play nicely with the web UI.
Just my extra $0.02.

Message Edited by rebus on 06-28-2009 11:25 AM