Firmware Update

Description of the update process on the UTM

Last adaptation to the version: 14.0.2 (02.2025)

New:

PopUp dialog appears on first login after an update
Download of Beta versions can be configured.

notempty

This article refers to a Resellerpreview

Extras Firmware Updates

Introduction

In order for the UTM to receive updates, it must be able to reach the Internet and DNS resolution must work

If the UTM has no internet access, an Update via USB stick can be installed.

The UTM checks every 120 minutes whether a new update is available on the update servers
Due to the high number of UTMs that want to download an update, they are distributed over a certain period of time
This distribution is carried out by the update servers
The update will then be downloaded automatically
The UTM always downloads a complete firmware image for the corresponding version
For cluster devices, please refer to the Cluster Management Wiki.

Beta Channel

Our Reseller Previews are now the Beta-Channel
The Beta Channel provides access to pre-release versions of our software to test new features in advance
Beta Updates are available for all licenses
Even Beta versions undergo inital testing before being released.
However, these versions are still in development and may contain bugs
Configuration: Once via the dialog after updating to v14.0.2 or under the Firmware Update menu.

notempty

NFR licenses have previously automatically received Reseller Previews.
This can now be manually configured with Enable Beta Updates: Ein

Planning update

Automatic updates can be scheduled locally on the UTM.
Configurations for automatic updates from the USC are transferred to the UTM.

Update detection

UTM v12.6.1 Firmware Updates Update heruntergeladen Dialog-en.png

Update notification

If the UTM has detected a new version on the update servers and has been completely downloaded, a message is displayed on the administration interface with the next login. If the message is confirmed with Yes, a forwarding to the menu Extras Firmware Updates takes place.

Firmware Update

Caption	Value	Description	Firmware Updates UTMuser@firewall.name.fqdnExtras Renew Download the latest firmware
Installed version
Version:	The currently running version
Status:	Active
Status:	Disabled for dry run
Available version
Beta Updates notempty New as of v14.0.1	Off	When activating On, beta versions will also be downloaded and used for updates. This function can be enabled or disabled for all license types notempty NFR licenses have previously automatically received reseller previews. This can now be manually configured with Beta-Updates: Aus notempty The Beta Channel provides access to pre-release versions of our software to test new features in advance. These versions are still in development and may contain bugs.
Version:	Installable version
Status:	Newer version
	Older versions	For rollback
	Aktiv dry run	notempty Do not perform a factory reset during the dry run!
Start dry run	Start update process In case of failure, the old version is started after rebooting the UTM. During an update/rollback, the UTM is restarted once. This interrupts all connections to the UTM (admin interface, SSH, VPN, etc.).
Cancel dry run	The previously installed version is reactivated. The UTM restarts in the process.
Complete dry run	The version is set as the future boot version.
Automatic updates
Status:	Off	When activated, updates are automatically installed, started and finalised. An equivalent feature can be configured in the Securepoint Unified Security Portal. See wiki there)
Week days:	MonThuWedThuFrSatSun	The days of the week on which the updates are to be installed and started automatically.
From:	2 o'clock	The time from which the updates should be automatically installed and started. The process is not started exactly at this time. Instead, the process is started within the configured hour and may take some time.
Additional audit endpoint:		Additional endpoint of a server (host name or IP address) whose accessibility should also be tested before finalisation. ‍ Before a dry run is started, i.e. even after an update has been installed and started (before it is finalised), the appliance will test whether the Securepoint update server can be reached. If a test fails, no firmware update is performed and, if necessary, a rollback to the previous version is carried out.
Port:	443	The port to the additional test endpoint

Renew	Updates the display of the version available on the UTM.
Download the latest firmware	Manual download of the latest firmware, even if this UTM is not yet scheduled in the normal distribution. Can only be executed every 10 minutes.
Save	Saves the settings

Automatic updates with CLI

CLI code to activate the feature
extc value set { application spupdater variable AUTO_UPDATE_ENABLE value [ "1" ] }
By default, the feature is "Off". When activated without further configuration, daily updates are enabled from 2 a.m.
If the Securepoint Update Server is not reached after the update, a reboot with the previous firmware is performed.

CLI code for configuring the auto-update function:
extc valuelist set [ { application "spupdater" values [ { variable "AUTO_UPDATE_ENABLE" value [ "1" ] } { variable "AUTO_UPDATE_TIME" value [ "3 MON,FRI,SUN" ] } { variable "AUTO_UPDATE_HOST_CHECK" value [ "pruefpunkt.local" ] } { variable "AUTO_UPDATE_HOST_PORT_CHECK" value [ "443" ] } ] } ]

For better readability with line breaks:

extc valuelist set [ { application "spupdater" 
values [ { variable "AUTO_UPDATE_ENABLE" value [ "1" ] } 
	 { variable "AUTO_UPDATE_TIME" value [ "3 MON,SAT,SUN" ] } 
	 { variable "AUTO_UPDATE_HOST_CHECK" value [ "pruefpunkt.local" ] } 
	 { variable "AUTO_UPDATE_HOST_PORT_CHECK" value [ "443" ] } 
	] } ]

(Not copy-paste capable)

Variable	Value	Description
AUTO_UPDATE_ENABLE	1	Enables the feature: value [ "1" ] or disables it: value [ "0" ]
AUTO_UPDATE_TIME	h d,d,d	Time for the update: hour followed by a space and a list of weekdays (comma-separated, without spaces) For example: 15 MON,SAT,SUN or 2 * ‍ MON - Monday TUE - Tuesday WED - Wednesday THU - Thursday FRI - Friday SAT - Saturday SUN - Sunday * - Every weekday
AUTO_UPDATE_HOST_CHECK	pruefpunkt.local	Endpoint of a server whose reachability should also be tested before finalizing, in addition to the Securepoint Update Server IP or hostname optionally settable
AUTO_UPDATE_HOST_PORT_CHECK	443	The port for the additional check endpoint

Firmware Updates UTMuser@firewall.name.fqdn Renew Download the latest firmware Display of values under Extras Firmware Updates Area Automatic Updates

Display of values in the CLI

extc value get { application "spupdater" } application|variable |value -----------+---------------------------+----- spupdater |AUTO_UPDATE_ENABLE |1 |AUTO_UPDATE_HOST_CHECK |pruefpunkt.local |AUTO_UPDATE_HOST_PORT_CHECK|443 |AUTO_UPDATE_POST_CHECK |0 |AUTO_UPDATE_RUN |0 |AUTO_UPDATE_TIME |3 MON,SAT,SUN

‍

For updates from versions prior to 12.5.0, see the previous version of this article

Complete update

Acceptance of License Agreement and Privacy Policy Acceptance of License Agreement and Privacy Policy
After the update and a re-login to the administration web interface, the license agreement is displayed. This must be signed Accept. If you decline Decline the previous version will be reactivated. The privacy policy is displayed. This must be signed Accept. If you decline Decline the previous version will be reactivated.	LICENCE AGREEMENT - READ CAREFULLY! - UTMuser@firewall.name.fqdn Accept Decline Accept Eula PRIVACY POLICY - READ CAREFULLY! - UTMuser@firewall.name.fqdn Accept Decline Accept privacy policy

Changelog

The changelog with the most important changes is displayed. With Yes, it can already be specified that this version will be used during the next startup. With Ask again later, the previous version will be used initially when restarting.		Changelog--cap

Dry run Dry run
To carry out a test run, click on Available version then click on the Start test run button After restarting the UTM, a changelog window appears after logging in. Click on the Request again later button there The status appears. active test run for the currently active firmware version Accordingly, a status disabled for test run for the installed firmware version The Complete test run button turns the firmware version being tested into the installed firmware version, the ✖ Cancel test run button cancels the test run notempty No factory reset may be carried out during the test run. notempty We recommend clearing the browser cache after the update.		Firmware Updates UTMuser@firewall.name.fqdnExtras Renew Download the latest firmware Finalize dry run

Rollback Rollback
A rollback sets the firmware to the last installed version. Under Extras Firmware Updates Area Available Version a version with the Status Old version must be listed Click on the Start test run button After restarting the UTM, a changelog window appears after logging in. Click on the Yes button there, or After restarting the UTM, click on the Request again later button in the changelog window and click on the Complete test run button in the firmware update window notempty If a Newer version has already been found, a rollback is only possible via CLI. notempty Configuration changes in the active version are reset in the process.		Firmware Updates UTMuser@firewall.name.fqdnExtras Renew Download the latest firmware Rollback

Troubleshooting

The system does not boot with the new firmware version

If the system does not boot properly after a restart, a reboot can re-enable the previous version.
The reboot can be done via the CLI (system reboot), the web interface (if accessible under Restart or by pressing the power switch at the back of the case.

Certain features do not behave as desired after the update

If the UTM does not work as desired after the update, a rollback can be performed.

If proper operation has not yet been confirmed, proceed as described above.

Otherwise under Extras Firmware updates in the section

Available version

activate the Older version with Start dry run.

notempty

Please create a support ticket with an error description as detailed as possible. → how to make a ticket

A new version is not downloaded automatically

A valid license is required.
The time of the system must not deviate too much.
The update server is not accessible. e.g. due to a too large packet size (MTU), this must be adjusted if necessary.
The automatic update process is distributed over a certain period of time for load distribution (see Changelog): Planned rollout period.
Update does not load and the following error message can be seen in the log:
2023-01-09T09:51:17.302+01:00|spupdater|22223|downloading do-update.sh: failed
Additionally, the configuration cannot be saved or a new configuration cannot be created.
Solution:
- Check storage space
- Check the writability of the partition/hard disk.

Check availability of the support server

The following command can be executed from the root shell
root@fw:~# curl update-001.v12.utm.spnoc.de

Result	Description
curl: (6) Could not resolve host: update-001.v12.utm.spnoc.de	DNS problem
curl: (7) Error	Failed to connect() to host or proxy TCP Verbindung schlägt Fehl. Falsche Route, Verbindung wird durch eine andere Firewall blockiert o.ä.

Introduction

Beta Channel

Planning update

Update detection

Firmware Update

Complete update

Acceptance of License Agreement and Privacy Policy

Changelog

Dry run

Rollback

Troubleshooting

The system does not boot with the new firmware version

Certain features do not behave as desired after the update

A new version is not downloaded automatically

Check availability of the support server