Updating firmware

New versions of CPE device software are distributed by Kaspersky in the form of firmware. You can download a TAR.GZ archive with the firmware from the the /cpe directory of the distribution kit. You can update the firmware on a CPE device in three ways:

• Manually updating the CPE device firmware without using the orchestrator web interface.
• Scheduling firmware updates on selected CPE devices. In this case, you upload the firmware to the orchestrator web interface, select the CPE devices on which you want to update the firmware, and then update the firmware. A firmware update task is automatically created in the task scheduler.
• Scheduling firmware updates on CPE devices with specific tags. In this case, you upload the firmware to the orchestrator web interface, assign tags to CPE devices on which you want to update the firmware, and then create a firmware update task in the task scheduler. When creating the task, you need to specify the tags you assigned to CPE devices.

The CPE device restarts during the firmware update process.

You can view the table of firmware uploaded to the web interface in the SD-WAN→Firmware section. Information about firmware is displayed in the following columns of the table:

• Version is the firmware version.
• Size (MB) is the size of the firmware archive in megabytes.
• SHA256 is the hash of the firmware.
• Architecture is the instruction set architecture (ISA) of the firmware.
• Release date is the firmware release date.
• Model is the model of CPE devices with which the firmware is compatible.

The actions you can perform with the table are described in the Managing solution component tables instructions.

Manually updating firmware on a CPE device

When following these steps, you are prompted to enter the CPE device credentials. After registration, the default password of the CPE device is automatically changed. You can view the CPE device password in the orchestrator web interface.

To manually update the firmware on a CPE device:

1. Download the firmware archive from the /cpe directory of the distribution kit to the administrator device, for example, your laptop. If you do not know which firmware version you need to install on the CPE device, use the table of correspondence of CPE device models with firmware versions.
2. Connect the administrator device to the LAN port of the CPE device.

   The administrator device gets the IP address of the default gateway via DHCP. The received IP address of the default gateway is the IP address of the CPE device.

3. Connect to the CPE device over SCP, for example using WinSCP. To connect over SCP, specify the IP address and enter the credentials of the CPE device.
4. Place the firmware archive in the /tmp directory.
5. Connect to the CPE device over SSH. To connect over SSH, specify the IP address and enter the credentials of the CPE device.
6. Change to the /tmp directory:

   cd /tmp/

7. Update the firmware on the CPE device in one of the following ways:
   • If you want to leave the CPE device settings unchanged after updating the firmware, run the following command:

     sysupgrade knaas-<firmware archive name>

   • If you want to reset the CPE device to factory settings after updating the firmware, run the following command:

     sysupgrade -n knaas-cpe<firmware archive name>

   When a CPE device is reset to factory settings, it is disconnected from the orchestrator. To reconnect the CPE device to the orchestrator, you need to automatically register (ZTP) the CPE device.

The new firmware version is installed on the CPE device, then the CPE device is restarted. By default, the IP address of the CPE device is unchanged, and DHCP is enabled on LAN ports.

Uploading firmware to the orchestrator web interface

To upload firmware in the orchestrator web interface:

1. Download the firmware archive from the /cpe directory of the distribution kit to your local device. If you do not know which firmware version you need to install on the CPE device, use the table of correspondence of CPE device models with firmware versions.
2. In the menu, go to the SD-WAN → Firmware section.

   A table of firmware is displayed.

3. In the upper part of the page, click + Firmware.
4. Enter the path to the archive with the firmware. When specifying a path, you can select multiple archives at the same time.

The firmware is uploaded and displayed in the table.

Scheduling firmware updates on selected CPE devices

To create a scheduled firmware update task on selected CPE devices:

1. In the menu, go to the SD-WAN → CPE section.

   A table of CPE devices is displayed.

2. Proceed with the scheduled firmware update in one of the following ways:
   • If you want to perform a scheduled firmware update on an individual CPE device, click the CPE device and under Actions, click Update firmware.
   • If you want to perform a scheduled firmware update on multiple CPE devices, select the check boxes next to relevant CPE devices and in the upper part of the table, click Actions → Update firmware.

   Obsolete firmware is highlighted in orange in the SW version column of the table of CPE devices. You can also find CPE devices with outdated firmware versions using the Need update filter in the upper part of the table.

3. This opens a window; in that window, in the Task name field, enter the name of the scheduled task.
4. In the Version drop-down list, select the uploaded firmware. If you do not know which firmware version you need to install on the CPE device, use the table of correspondence of CPE device models with firmware versions.
5. In the Scheduled task execution date field, enter the date and time when you want to run the task. By default, the date and time specified is the date and time when you started creating the task.
6. If you want to reset the CPE device to factory settings after updating the firmware, clear the Save CPE settings check box. If the check box is selected, your existing CPE device settings are not modified after a firmware update. This check box is selected by default.

   When a CPE device is reset to factory settings, it is disconnected from the orchestrator. To reconnect the CPE device to the orchestrator, you need to automatically register (ZTP) the CPE device.

7. The Force update check box lets you force the firmware update, even if the CPE's internal check shows that the new firmware is incompatible with the old one. This check box is cleared by default.
8. Click Next.

   Two tables of CPE devices are displayed. Firmware of CPE devices in the upper table is updated. Firmware of CPE devices in the lower table is not updated. Information about CPE devices is displayed in the following columns of the table:

   • DPID is the DPID of the CPE device.
   • Model is the model of the CPE device.
   • Name is the name of the CPE device.
   • SW version is the firmware version of the CPE device.
   • Tenant is the tenant to which the CPE device has been added.
   • Reason is the reason why the firmware cannot be updated. This column is displayed only in the lower table.

   If the upper table contains CPE devices on which you do not want to update the firmware, you can move these CPE devices to the lower table.

9. Click Schedule.

The firmware update task is created and displayed in the task table. The status of the tasks is displayed in the Status column. If the firmware update task finishes successfully, its status changes to Done.

Scheduling firmware updates on CPE devices with specific tags

To create a scheduled firmware update task on CPE devices with specific tags:

1. In the menu, go to the Scheduler section.

   The table of tasks is displayed.

2. In the upper part of the page, click + Task.
3. This opens a window; in that window, in the Type drop-down list, select Firmware update.
4. In the Task name field, enter the name of the task.
5. In the Version drop-down list, select the uploaded firmware. If you do not know which firmware version you need to install on the CPE device, use the table of correspondence of CPE device models with firmware versions.
6. In the Scheduled task execution date field, enter the date and time when you want to run the task. By default, the date and time specified is the date and time when you started creating the task.
7. If you want to reset the CPE device to factory settings after updating the firmware, clear the Save CPE settings check box. If the check box is selected, your existing CPE device settings are not modified after a firmware update. This check box is selected by default.

   When a CPE device is reset to factory settings, it is disconnected from the orchestrator. To reconnect the CPE device to the orchestrator, you need to automatically register (ZTP) the CPE device.

8. The Force update check box lets you force the firmware update, even if the CPE's internal check shows that the new firmware is incompatible with the old one. This check box is cleared by default.
9. In the Tags field, enter tags assigned to CPE devices on which you want to update the firmware. Obsolete firmware is highlighted in orange in the SW version column of the table of CPE devices. You can also find CPE devices with outdated firmware versions using the Need update filter in the upper part of the table.
10. Click Next.

    Two tables of CPE devices are displayed. Firmware of CPE devices in the upper table is updated. Firmware of CPE devices in the lower table is not updated. Information about CPE devices is displayed in the following columns of the table:

    • DPID is the DPID of the CPE device.
    • Model is the model of the CPE device.
    • Name is the name of the CPE device.
    • SW version is the firmware version of the CPE device.
    • Tenant is the tenant to which the CPE device has been added.
    • Reason is the reason why the firmware cannot be updated. This column is displayed only in the lower table.

    If the upper table contains CPE devices on which you do not want to update the firmware, you can move these CPE devices to the lower table.

11. Click Create.

The firmware update task is created and displayed in the table. The status of the tasks is displayed in the Status column. If the firmware update task finishes successfully, its status changes to Done.

Restoring firmware of a KESR-M1 CPE device

You can restore the firmware and reset a KESR-M1 CPE device to factory settings if you have lost the credentials of that CPE or if you encounter a problem with the firmware.

When a CPE device is reset to factory settings, it is disconnected from the orchestrator. To reconnect the CPE device to the orchestrator, you need to automatically register (ZTP) the CPE device.

To restore the firmware of a KESR-M1 CPE device:

1. Download the firmware archive from the /cpe directory of the distribution kit to the administrator device, for example, your laptop. If you do not know which firmware version you need to install on the CPE device, use the table of correspondence of CPE device models with firmware versions.
2. Extract the firmware archive to get the firmware in BIN format.
3. Power on the CPE device with factory firmware:
   1. Disconnect the power cable of the CPE device.
   2. Connect the power cable and press and hold the RESET button on the CPE device for 10 seconds.

   The CPE device powers on with the factory firmware.

4. Connect the administrator device to the LAN port of the CPE device.

   The administrator device gets an IP address and the IP address of the default gateway in the 192.168.1.0/24 subnet via DHCP.

5. In the address bar of the browser on the administrator device, enter 192.168.1.1 and press Enter.

   This opens the CPE device firmware upload page.

6. Click the firmware upload button and specify the path to the firmware in BIN format. You got the firmware in BIN format at step 2 of these instructions.

The new firmware version is installed on the CPE device, then the CPE device is restarted. By default, the IP address of the CPE device is 192.168.7.1, and DHCP is enabled on LAN ports.

Restoring firmware of a KESR-M2-5 CPE device

You can restore the firmware and reset a KESR-M2-5 CPE device to factory settings if you have lost the credentials of that CPE or if you encounter a problem with the firmware.

When a CPE device is reset to factory settings, it is disconnected from the orchestrator. To reconnect the CPE device to the orchestrator, you need to automatically register (ZTP) the CPE device.

To restore the firmware of a KESR-M2-5 CPE device:

1. Download the firmware archive from the /cpe directory of the distribution kit to the administrator device, for example, your laptop. If you do not know which firmware version you need to install on the CPE device, use the table of correspondence of CPE device models with firmware versions.
2. Extract the firmware archive to get an archive in IMG.GZ format.
3. Unpack the IMG.GZ archive to get the firmware image in IMG format.
4. Use the IMG firmware to create a bootable USB drive using disk image writing software such as BalenaEtcher.
5. Connect the administrator device to the CPE device with a console cable and insert the USB drive into the USB port of the CPE device.
6. Specify the settings for establishing a console session with the CPE device on the administrator device, for example, using the PuTTY application, and do the following:
   • Specify the communications port (COM port) number of the administrator device.
   • Specify 115200 as the session speed.
7. Disconnect and reconnect the power cable of the CPE device. Press F7 or F11 while the CPE device is powering on.
8. This opens a menu; in the menu, select the USB drive and press Enter.

   The CPE device boots from the USB drive.

9. Connect the administrator device to the LAN port of the CPE device.

   The administrator device gets an IP address and the IP address of the default gateway in the 192.168.7.0/24 subnet via DHCP.

10. Connect to the CPE device over SCP, for example using WinSCP. To connect over SCP, specify the IP address and enter the default credentials of the CPE device.
11. Place the firmware in IMG format in the /tmp directory.
12. Connect to the CPE device over SSH or establish a console session with the CPE device. To connect over SSH or establish a console session, specify the IP address and enter the default credentials of the CPE device.
13. Change to the /tmp directory:

    cd /tmp/

14. Copy the firmware image in IMG format to /dev/sda:

    dd if=<name of the firmware IMG file> bs=1M of=/dev/sda

15. Restart the CPE device by running the following command:

    reboot

The new firmware version is installed on the CPE device, then the CPE device is restarted. By default, the IP address of the CPE device is 192.168.7.1, and DHCP is enabled on LAN ports.

Correspondence of CPE device models with firmware versions

The table below shows the correspondence of CPE device models with the supported firmware versions.

Page top

Deleting firmware

You cannot delete firmware that is being used in a scheduled task.

Deleted firmware cannot be restored.

To delete firmware:

1. In the menu, go to the SD-WAN → Firmware section.

   A table of firmware is displayed.

2. Select check boxes next to firmware that you want to delete.
3. In the upper part of the table, click Actions → Delete.
4. In the confirmation window, click Delete.

The firmware is deleted and is no longer displayed in the table.