cannot update firmware - You need a LiveSecurity key to upgrade your Firebox

hello, thanks
cannot seem to update my firebox t70, get message
"You need a LiveSecurity key to upgrade your Firebox
Click here for help"

and when i click here, i get taken to page
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/installation/version_upgrade_new_c.html?cshid=1041
and there is no mention of LiveSecurity.

given the recent security issue, really need to update ASAP.

thanks,
David

Comments

  • The firmware that fixes the Cyclops Blink problem will install on devices that have no Live Security.

    What firmware do you have now and to what version are you trying to upgrade?

    Gregg Hill

  • edited April 2022

    Hmm, my guess is that you are trying to go to 12.8, and that DOES require Live Security. At the bottom of that page, there is a link to older firmware that takes you to the Cyclops Blink fix here https://software.watchguard.com/SoftwareDownloads?familyId=a2R2A000002EW9zUAG

    Fireware 12.7.2 Update 2 will install on out-of-support devices.

    Gregg Hill

  • thanks,

    "Current Version: 12.5.6 (Build 633773)
    Latest Version: 12.8 (Build 657104) "

    wow, in over forty years of computing, never once was forced to pay for a firmware update.
    and given the disaster of watchguard's handling, would think that watchguard should be very embarrassed at the long-term reputational damage and do whatever is needed to repair that damage.

    the T70 is a supported device until 2025.

    thanks much,

  • thanks much, i updated to 12.7.2 Update 2.

    tho still very frustrated that i have to pay for firmware updates.

  • @davidneltzon said:
    thanks,

    "Current Version: 12.5.6 (Build 633773)
    Latest Version: 12.8 (Build 657104) "

    wow, in over forty years of computing, never once was forced to pay for a firmware update.
    and given the disaster of watchguard's handling, would think that watchguard should be very embarrassed at the long-term reputational damage and do whatever is needed to repair that damage.

    the T70 is a supported device until 2025.

    thanks much,

    Their firmware is not just mere firmware like updating a motherboard, a network card, etc., to get security fixes. Their firmware updates often include a bunch of new features, as do other firewall vendors' products. I cannot imagine any other high-end firewall vendor being any different.

    If you only want support for firmware updates and warranty replacement and not the UTM stuff, that is WatchGuard Standard Support Renewal 1-yr for Firebox T70, part # WGT70201, for $315 or less.


    What "disaster of watchguard's handling" do you mean? Do you mean them quickly coming out with new firmware that fixes the issue and works to update, FOR FREE, at least as far back as a client's XTM 25 device running firmware 11.7.3? That is the oldest one I updated, and it required a free upgrade to 11.7.5 first, then the free Cyclops Blink firmware 12.1.3 Update 8, which included awesome new features in it. I updated my own old XTM 26 running 11.9.4, a T10, T15, T35, and two T50 units, all for free to their respective latest Cyclops Blink fix versions. I am ecstatic!

    Or do you mean that Cyclops Blink could only infect a device where its config had been changed from the safe default of NOT exposing the management ports to the Internet (WatchGuard's "handling" it was by not exposing the ports by default), to where about 1% of owners misconfigured their own devices and exposed those ports? That was not WatchGuard mishandling anything; that was user error.


    "do whatever is needed to repair that damage."

    I think that they did an outstanding job of giving free updates to potentially hundreds of thousands of owners of outdated devices. They DID do "whatever is needed to repair that damage" in my mind and in the eyes of several clients who buy their own outdated devices.


    You stated in your original post, "given the recent security issue, really need to update ASAP." I have to ask, where have you been since their new Cyclops Blink firmware came out on February 23rd? Firmware 12.8 came out on March 17th, THREE WEEKS AFTER the most current firmware available, the free 12.7.2 Update 2 with the Cyclops Blink fix, was released. So, why didn't you "update ASAP" to 12.7.2 Update 2 in the THREE WEEKS between its release and when 12.8 came out? THREE WEEKS? I updated all of mine that were in use and my clients' devices on release day Feb 23rd, despite not having the vulnerable ports open to the Internet. I don't think that not getting a major feature-packed firmware upgrade to 12.8 unless one has Live Security is a problem.

    Why are you only now trying to upgrade to the security fix, SIX WEEKS after the free 12.7.2 Update 2 with the Cyclops Blink fix was released?

    I must be missing something here!

    Gregg Hill

  • thanks much for your help, but really, please, no need to be arrogant, save the attitude!

    i am a small-time tech for the small company, their previous tech ripped them off, over paying for the router and a dedicated computer just to manage the router.

    i am just trying to do good for this small company NOW!

    crap attitude to pay for firmware!!!

    "SIX WEEKS"
    really, i need to monitor watchguard on a weekly basis for major failures on their part.
    the world does not revolve around them and their major embarrassing security lapse!

    https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/

    shame on watchguard to charge for firmware updates.
    got my first computer in 1978, never, ever, ever got extorted to pay for firmware for any computer, operating system, hardware, ever ever ever and on top of it, to fix screw-ups from the firmware vendor!

    as for the 1%, that is just a BS claim by a company, no reason to believe that to be true based on their overall behavior.
    "Silently fixed authentication bypass remained a secret even after it was under attack."

    anyhoo, as for you personally, thanks much for your help and time.

  • https://www.watchguard.com/wgrd-resource-center/end-of-life-policy
    the T70 is end-of-life in "31 Dec 2025", should get firmware updates until then.
    never should be extorted to pay for firmware!

    really, just a small ask from a small time tech.

    and upon further meditation, seems to me that even micro$osft does not do this.

    for any client of mine, that purchased a computer with windows 7.
    free upgrade to windows 10,
    and then free upgrade to windows 11.

    and for that computer, if needed, a small amount of $$$ to upgrade RAM and a cheap SSD, the performance increase is huge.

    my point is that a small-time tech like me, is just trying to make it work for my small-time clients.

    again, thanks for your time.

  • My comments were not based on arrogance; they were based on surprise (shock?) that it has been so long since the fix was released and you now wanting to do it "ASAP". Sorry for the confusion. Truly. That caught me off guard.


    It was not a major failure on WatchGuard's part, as I pointed out. WatchGuard's default config protected against Cyclops Blink infections. The major failure was on the part of inexperienced admins who opened their management ports to the entire Internet. Unless the tech who set up your T70 opened those ports intentionally, even you are protected against Cyclops Blink without upgrading to the free fix firmware, so your demeanor that WatchGuard has a huge security threat potentially does not apply in your own situation. Have you checked your config to see if those ports are still not accessible as they are blocked in a default config?


    As for not knowing about it, I recommend that you sign up for security notices from each of your hardware vendors. You may want to sign up for CISA alerts, too: https://www.cisa.gov/free-cybersecurity-services-and-tools

    Just be ready to read...a lot.


    Also regarding knowing about it, I am a one-man shop and all of my clients are 15 users and less. I got an email about Cyclops Blink on release day, plus it was all over the news during the weeks afterwards. Heck, it came up on my Google News feed on my cell phone. I see regular news items about other vendors as well, including Sophos, Palo Alto, SonicWALL, Fortinet and more, with critical vulnerabilities. A fairly recent one was when I needed to help a friend whose client had an expired SonicWALL and there was no new firmware available without renewing its support licensing, and a critical vulnerability alert had been issued. I could not get new firmware, so, I just killed the external management that he had set up on it, because it was open to the whole Internet. That was on HIM, not SonicWALL, because the port is closed to the Internet by default, just like WatchGuard does. If you were a SonicWALL user, you'd probably be saying the exact same thing about them.

    There is a difference between typical free firmware updates on desktop computers and what all major firewall vendors do with their "firmware".


    "windows 7.
    free upgrade to windows 10,
    and then free upgrade to windows 11."

    Microsoft has Windows on over a billion computers. Of course they can afford to give free upgrades.

    Also, it was free from Win 7 to Win 10 for a limited time that expired years ago, despite still being able to upgrade. They'll still upgrade today from 7 to 10, but they are not legally licensed. Also, I'd be stunned if any of your computers that came with Win 7 can install Win 11 and run it normally.


    Due to hardware limitations, every firewall will get outdated even if firmware is free. That is why you see three different levels of firmware available on the software download site. Some devices just don't have the memory or CPU speed to do what the newer firmware can do. One cannot just pop open a firewall and add more memory and a cheap SSD to it to increase performance like you did with computers.

    I just think you'll find the same thing with other major firewall vendors.

    Anyway, enough on this topic.

    Gregg Hill

  • "Also, it was free from Win 7 to Win 10 for a limited time that expired years ago"

    not true, https://zdnet.com/article/heres-how-you-can-still-get-a-free-windows-10-upgrade/

    as i mentioned, i have made good money and done good for my clients.
    instead of spending a huge sum on a new computer, just free upgrade to win10,
    and if need be, add cheap ram and cheap ssd.

    thanks, be safe

  • james.carson Moderator, WatchGuard Representative
    edited April 2022

    Hi @davidneltzon

    The terms "LiveSecurity" and "Support" are used interchangeably. (We stopped using the term LiveSecurity and have been in the process of changing out our documentation to simply say Support.)
    You are required to have an active support contract to upgrade firewalls to new OS releases.

    If you have feedback on the support model, I'd suggest sharing it here:
    https://www.watchguard.com/wgrd-support/feedback

    If you'd like to keep up to date on firmware (and feature releases,) I'd suggest subscribing to the WatchGuard support blog at:
    https://www.watchguard.com/wgrd-blog

    It'd be rather disruptive for the firewall to download and install updates automatically. For customers and partners managing multiple firewalls, options like Management server and management in WatchGuard cloud allow you to schedule and upgrade firewalls on a schedule you pick that works best for your customers.

    Regarding Cyclops Blink, you can find more information here:
    https://www.watchguard.com/wgrd-news/blog/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet
    If you have any feedback or concerns related to WatchGuard's response, I would suggest using the same feedback link:
    https://www.watchguard.com/wgrd-support/feedback

    -James Carson
    WatchGuard Customer Support

  • @davidneltzon said:
    "Also, it was free from Win 7 to Win 10 for a limited time that expired years ago"

    not true, https://zdnet.com/article/heres-how-you-can-still-get-a-free-windows-10-upgrade/

    as i mentioned, i have made good money and done good for my clients.
    instead of spending a huge sum on a new computer, just free upgrade to win10,
    and if need be, add cheap ram and cheap ssd.

    thanks, be safe

    Microsoft's own response to that exact article was "So even though it is working you should still purchase a legit licence to cover these boxes."

    https://community.spiceworks.com/topic/2152054-can-i-still-get-the-windows-10-upgrade-for-free

    I'd love for you to be correct, but according to the Microsoft licensing department, that upgrade needs to be backed by a purchased license if it was done after the free time period. It used to say so on the upgrade page. Why on Earth they left that site up is beyond me, because it has caused a LOT of confusion.

    Gregg Hill

  • hello,

    You are required to have an active support contract to upgrade firewalls to new OS releases.

    so what is the cheapest contract possible to enable firmware updates for a non end-of-life device.

    thanks,

  • james.carson Moderator, WatchGuard Representative

    Hi @davidneltzon

    Renewals can be purchased via WatchGuard directly if you are in US/Canada. However, I would suggest inquiring with a WatchGuard reseller, as they're often less expensive. I've included the part numbers for each if you'd like to inquire elsewhere:

    WatchGuard Standard Support Renewal 1-yr for Firebox T70 - WGT70201
    via https://securityshop.watchguard.com $315.00 USD

    WatchGuard Standard Support Renewal 3-yr for Firebox T70 - WGT70203
    via https://securityshop.watchguard.com $825.00 USD

    You can find partners/resellers local to you via the website here:
    http://findpartner.watchguard.com/

    -James Carson
    WatchGuard Customer Support

  • You can also search on the Internet for the part number listed above.
    There are a number of online sites which will send you the license key via e-mail.

    Last I knew, there was a reinstatement fee if your support contract has lapsed for more than 30 days. And it was waived if one bought a security bundle, such as Basic or Total Security.
    Not sure if this is still the case or not, but the following article still states
    "If you renew within 30 days, there is no reinstatement fee."

    About WatchGuard Support
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/support/lss_about_c.html

  • james.carson Moderator, WatchGuard Representative

    Hi @Bruce_Briggs
    I had to check on this, but they don't charge a fee anymore.

    The current policy is here:
    https://www.watchguard.com/wgrd-support/support-levels/terms-conditions

    I'll ask the documentation team to update the page you linked.

    -James Carson
    WatchGuard Customer Support

  • Thanks, James

  • James seems reliable here.
    Can you answer why the OS upgrade is denied when the feature is listed as never expiring? This is from the webui, system-feature key page.

    FEATURE - VALUE - EXPIRATION - TIME LEFT
    Model Upgrade - T70 - Never

    Currently on 12.8.1 and tried to upg to 12.8.2.
    main feature key expired in June.
    Thank you.

  • The important Feature name here is Support.
    In your case it should be shown as Expired, which means that you can't upgrade your firewall to a newer OS version.

    The "Model Upgrade" feature does not show in WSM Policy Manager.
    No clue what this is supposed to indicate. It clearly has nothing to do with an ability to do an OS upgrade.

    In some much older firewall models, one could upgrade a firewall from a less capable version/model to a higher one with just a Feature option. I have not seen this design in WG firewalls for many years.

    I expect that James will comment here.

  • james.carson Moderator, WatchGuard Representative

    @HiPo_n_Oz
    The line that controls this is the one referring to support. It's
    Feature: LIVESECURITY@Aug-25-2023 (the date signifying when it expires/expired.)

    The model line defines what model the firewall is. On some older firewalls (most recently the XTM series) there were related models you could upgrade to. That line is mostly used to aid in configuration migrations anymore, as it automatically sets the model when you paste in the feature key.

    LiveSecurity, or just Support, includes quite a few features including but not limited to:
    -Advance hardware replacement should your device fail.
    -Access to our support team via support cases using the web or phone.
    -Software updates, bugfixes, and the new features that come along with them.

    You can find more about all of that here:
    (Support Services)
    https://www.watchguard.com/wgrd-support-services/overview

    What you're seeing is expected, and with the exception of 12.7.2 that was released to everyone running supported devices (to help with mitigation for Cyclops Blink,) you need to have an active support contract to run the latest versions of Fireware.

    -James Carson
    WatchGuard Customer Support
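
An added example, not part of the thread and not WatchGuard code: a pre-upgrade check that reads feature key text and reports whether the support feature, in the `Feature: LIVESECURITY@Aug-25-2023` form quoted above, is still active. The sample key, the `EXAMPLE_FEATURE` name, the handling of undated lines and the rule that the expiry day itself still counts as active are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample: only the LIVESECURITY line follows the format quoted in
# the thread; EXAMPLE_FEATURE is a made-up entry with no expiry date.
SAMPLE_KEY = """\
Feature: EXAMPLE_FEATURE
Feature: LIVESECURITY@Aug-25-2023
"""

# "Feature: NAME" optionally followed by "@Mon-DD-YYYY".
FEATURE_RE = re.compile(r"^\s*Feature:\s*([^@\s]+)(?:@(\S+))?\s*$")


def parse_features(key_text):
    """Map feature name -> expiry date, or None when the line has no date."""
    features = {}
    for line in key_text.splitlines():
        m = FEATURE_RE.match(line)
        if not m:
            continue  # not a feature line
        name, raw = m.group(1), m.group(2)
        # A malformed date raises ValueError rather than being silently ignored.
        expiry = datetime.strptime(raw, "%b-%d-%Y").date() if raw else None
        features[name.upper()] = expiry
    return features


def support_status(key_text, today):
    """Return 'active', 'expired' or 'missing' for the support feature."""
    features = parse_features(key_text)
    if "LIVESECURITY" not in features:
        return "missing"
    expiry = features["LIVESECURITY"]
    # Assumption: no date means no expiry; the expiry day itself is still active.
    if expiry is None or today <= expiry:
        return "active"
    return "expired"


if __name__ == "__main__":
    print(support_status(SAMPLE_KEY, date.today()))
```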
