We have identified an issue affecting a small subset of devices, which may experience reboot loops, ZySH daemon failures, or CLI access issues during login. Additionally, the system LED may flash as an indication of the problem.
Please note that this is not related to a CVE or security attack.
Symptom:
The App Patrol signature release V1.0.0.20250123.0 may create parsing error on device for On-premises mode, application patrol daemon will not work well after updating this new signature though the rest of UTM features keep running. However, the worst case is that device may get stuck if device did rebooting further no matter manually or by schedule. If the device has the following symptoms, the device is probably affected.
- Device Error: Wrong CLI command, device timeout or device logout.
- Unable to login to ATP/USG FLEX via web GUI: 504 Gateway timeout.
- CPU usage is high.
- In Monitor > Log, the message "ZySH daemon is busy" appeared.
- Unable to enter any commands on console.
- Coredump messages appear on console.
Solution:
The App Patrol signature release V1.0.0.20250123.0 has been removed.
New urgent date firmware is available to recover the affected device.
Model | Firmware link | Model | Firmware link |
---|---|---|---|
ATP 100 | Download | ||
ATP 100W | Download | ||
USG FLEX 100 | Download | ATP 200 | Download |
USG FLEX 100W | Download | ATP 500 | Download |
USG FLEX 100AX | Download | ATP 700 | Download |
USG FLEX 200 | Download | ATP 800 | Download |
USG FLEX 500 | Download | ||
USG FLEX 700 | Download |
Recovery steps:
Follow the instructions to recover the affected device.
Step 1. Configuration File Backup
- Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
- Enter atkz -b
- Enter atgo
- Currently, your ATP/FLEX is reset to default but the startup-config.conf is already backed up. Connect your computer to the ATP/USG FLEX's lan1 to get DHCP IP address 192.168.1.33 directly.
- On your computer, open cmd and enter ftp 192.168.1.1. Login with admin and password 1234.
Enter cd /conf and get startup-config-back.conf to download the backup file. - You can find the backup file on your computer.
Step 2. Firmware Recovery
- Connect the device directly via the console port using a terminal emulation program. Reboot the device and enter debug mode.
- Enter atkz -f -l 192.168.1.1 to configure FTP server IP address.
- Enter atgof to bring up the FTP server.
- Use FTP to upload the firmware package. Keep the console session open in order to see when the firmware update finishes.
- Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254.
- Connect your computer to the ATP/USG FLEX's the first Ethernet port. For example, the first Ethernet port of USG FLEX 500 is P2.
- Use an FTP client on your computer to connect to ATP/USG FLEX. This example uses the ftp command in the Windows command prompt. The ATP/USG FLEX’s FTP server IP address for firmware recovery is 192.168.1.1 .
- Log in without user name (just press enter).
- Set the transfer mode to binary "bin" and transfer the firmware file from your computer to ATP/USG FLEX.
- The console session displays “Firmware received” after the FTP file transfer is complete. Then you need to wait while ATP/USG FLEX recovers the firmware (this may take up to 4 minutes). The console session displays “done” when the firmware recovery is complete. Then the ATP/USG FLEX automatically restarts.
- Login to ATP/USG FLEX's web GUI, upload and apply the backup configuration file.
Step 3. Update App-Patrol signature to 1.0.0.20250102.0 manually
Go to CONFIGURATION > Licensing > Signature Update and update App-Patrol signature manually. Make sure the version is 1.0.0.20250102.0.
Comments
0 comments
Please sign in to leave a comment.