WatchGuard Support Center

000009881
 Firebox M400/500 and Firebox M440 Upgrade Issues

Information
WatchGuard has identified an issue that affects a small number of Firebox M400/M440/M500 appliances deployed at customer sites. Because of the intermittent and rare nature of the failures, it has taken us several weeks to identify the true nature of the issue and the best resolution path.  

Which appliance does this apply to?
Only the Firebox M400, M440, and M500 appliances are affected. If you use any other WatchGuard appliance, you can stop reading now.

What type of failures can occur?
In Fireware v11.11.2, v11.11.4, and v11.11.4 Update 1, WatchGuard expanded the partition size on the Compact Flash card of Firebox M400/M440/M500 appliances. We have since identified that, on a very small percentage (less than 5%) of the Compact Flash cards, the repartitioning can cause the card to become unreadable. When the card is unreadable, the Firebox stops working and cannot be recovered. This condition requires an RMA replacement of the appliance. Many of these appliances are deployed in Active/Passive FireClusters and, in such cases, the Passive unit would act as a redundant backup while the failed unit is replaced.

Is this fixed now?
Yes. In Fireware v11.11.4 Update 2 (build # 514824) and newer releases, we no longer expand the partition size. Specifically:
  • Firebox M400/M500 appliances that were previously installed with the affected Fireware versions must be upgraded to Fireware v11.12 Update 1 (build # 518719) or higher to fix the issue.  
  • For the Firebox M440, the fix is implemented upon upgrade to Fireware v11.12.1 or higher.

Are there any problems on upgrade?
  • Firebox M400/M500: Several customers who had previously upgraded to Fireware v11.11.2, v11.11.4, or v11.11.4 Update 1 have reported that their Firebox booted into its factory-default state when they upgraded to Fireware v11.12 Update 1 or higher.
  • Firebox M440: The same issue can apply to a Firebox M440 upon first upgrade to Fireware v11.12.1 or higher.

What can I do to mitigate the risk?
WatchGuard recommends that you upgrade your Firebox from a location that enables physical access to the default 10.0.1.1 IP address on Firebox Eth1 in the event that your Firebox M400/M440/M500 is affected. Also make sure you back up your Firebox configuration and feature key before you upgrade so you can restore the Firebox if necessary.

If I am on one of the affected releases, can I skip the upgrade to Fireware v11.12 U1/11.12.1 to avoid running into this issue?
Unfortunately, no. The potential for your Firebox to boot up in a default state after upgrade persists across later releases: it applies whenever you first upgrade from one of the impacted releases. For example, if your Firebox M440 runs Fireware v11.11.2 today, waiting for the release of Fireware v11.12.2 will not guarantee that you can avoid the problem.

Could this happen every time that I upgrade the appliance?
No. After the Firebox is successfully upgraded to Fireware v11.12 U1 (M400/M500) or Fireware v11.12.1 (M440) the partitioning changes are removed. Future upgrades will not result in a potential reset of your Firebox to factory-default settings. This is a one-time fix.