Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Upgrading BIOS and Firmware (SRX only)

You can upgrade BIOS, back up the BIOS, and upgrade automatically on your SRX Series Firewalls.

Understanding BIOS Upgrades on SRX Series Firewalls

Understanding Manual BIOS Upgrade Using the Junos CLI

For these SRX Series Firewalls, the BIOS consists of a U-boot and the Junos loader. The SRX240, SRX300, and SRX320, and SRX650 Service Gateways also include a U-shell binary as part of the BIOS. Additionally, on SRX100, SRX110, SRX210, SRX220 and SRX240, SRX300, SRX320, SRX340, SRX345, and SRX380 Service Gateways, a backup BIOS is supported which includes a backup copy of the U-boot in addition to the active copy from which the system generally boots up.

Table 1 Lists the CLI commands used for manual BIOS upgrade.

Table 1: CLI Commands for Manual BIOS Upgrade

Active BIOS

Backup BIOS

request system firmware upgrade re bios

request system firmware upgrade re bios backup

BIOS upgrade procedure:

  1. Install the jloader-srxsme package.

    1. Copy the jloader-srxsme signed package to the device.

      Note:

      The version of the jloader-srxsme package you install must match the version of Junos OS.

    2. Install the package using the request system software add <path to jloader-srxsme package> no-copy no-validate command.

      Note:

      Installing the jloader-srxsme package places the necessary images under directory/boot.

  2. Verify that the required images for upgrade are installed. Use the show system firmware to verify that the correct BIOS image version is available for upgrade.

  3. Upgrade the BIOS (Active and backup) image.

    Active BIOS:

    1. Initiate the upgrade using the request system firmware upgade re bios command.

    2. Monitor the upgrade status using the show system firmware command.

      Note:

      The device must be rebooted for the upgraded active BIOS to take effect.

    Backup BIOS:

    1. Initiate the upgrade using the request system firmware upgade re bios backup command.

    2. Monitor the upgrade status using the show system firmware command.

Understanding Auto BIOS Upgrade Methods on SRX Series Firewalls

The BIOS version listed in the bios-autoupgrade.conf file is the minimum supported version. If the current device has a BIOS version earlier than the minimum compatible version, then the auto BIOS upgrade feature upgrades the BIOS automatically to the latest version.

The BIOS upgrades automatically in the following scenarios:

  • During Junos OS upgrade through either the J-Web user interface or the CLI (using the request system software add no-copy no-validate software-image). In this case, only the active BIOS is upgraded.

  • During loader installation using TFTP or USB (using the install tftp:///software-image command). In this case, only the active BIOS is upgraded.

  • During system boot-up. In this case, both the active BIOS and the backup BIOS are upgraded.

Disabling Auto BIOS Upgrade on SRX Series Firewalls

The auto BIOS upgrade feature is enabled by default. You can disable the feature using the CLI in configuration mode.

To disable the automatic upgrade of the BIOS on an SRX Series Firewall, use the chassis routing-engine bios command as following:

Note:

The command disables automatic upgrade of the BIOS only during Junos OS upgrade or system boot-up. It does not disable automatic BIOS upgrade during loader installation.

Starting in Junos OS Release 15.1X49-D70 and in Junos OS Release 17.3R1, the set chassis routing-engine bios uninterrupt command is introduced on SRX300, SRX320, SRX340, and SRX345 devices to disable user inputs at U-boot and boot loader stage. The set chassis routing-engine bios uninterrupt command is introduced in Junos OS Release 20.1R1 for SRX380 Series devices.

Starting in 22.4R1, the set chassis routing-engine bios uninterrupt is available on vSRX3.0 devices.

Starting in Junos OS Release 15.1X49-D120, the set chassis routing-engine bios uninterrupt command can be used on SRX300, SRX320, SRX340, and SRX345, devices to disable user inputs at U-boot, boot loader and and Junos-Kernel boot stage. The set chassis routing-engine bios uninterrupt command is introduced in Junos OS Release 20.1R1 on SRX380 Series devices.

To disable the user inputs at u-boot, boot loader and Junos Kernel boot stage, use the chassis routing-engine bios command as following:

Note:

To disable user inputs at U-boot and boot loader stage using the chassis routing-engine bios command, SRX Series Firewalls must have u-boot version of v3.2 or a higher version, and loader version of v2.9 or a higher version.

You can check the version number at console output when your device boots up as shown in the following sample:

You can also check the u-boot and loader version at Junos shell prompt as shown the following sample:

Warning:

On SRX Series Firewalls, if both set system ports console insecure and set chassis routing-engine bios uninterrupt options are configured, there is no alternative recovery method available in case Junos OS fails to boot and the device might become unusable.

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
15.1X49-D70
Starting in Junos OS Release 15.1X49-D70 and in Junos OS Release 17.3R1, the set chassis routing-engine bios uninterrupt command is introduced on SRX300, SRX320, SRX340, and SRX345 devices to disable user inputs at U-boot and boot loader stage
15.1X49-D120
Starting in Junos OS Release 15.1X49-D120, the set chassis routing-engine bios uninterrupt command can be used on SRX300, SRX320, SRX340, and SRX345, devices to disable user inputs at U-boot, boot loader and and Junos-Kernel boot stage