System Integrity Checks

The Firebox uses a cryptographic signature to verify the integrity of the appliance each time the Firebox boots, and the integrity of the upgrade file before each software upgrade. Integrity checks make sure that system files are valid and have not been corrupted.

These Fireware versions support integrity checks for different Firebox models:

  • Fireware v12.7.2 Update 2 and higher — Firebox T20, T40, T55, T70, T80, M270, M290, M370, M390, M400, M440, M470, M500, M570, M590, M670, M690, M4600, M4800, M5600, M5800, Firebox Cloud, FireboxV
  • Fireware v12.5.9 Update 2 and higher — Firebox T10, T15, T30, T35, T50, M200, M300
  • Fireware v12.1.3 Update 8 and higher — XTM 25, 26, 33, 330, 515, 525, 535, 545, 810, 820, 830, 850, 860, 870, 1050, 1520, 1525, 2050, 2520, XTMv

After you upgrade to a Fireware version that includes system integrity checks, you cannot downgrade to a Fireware version that is not signed by WatchGuard.

Automatic System Integrity Checks

The Firebox runs these system integrity checks automatically:

Boot Time

The public key is installed with the appliance image. When the Firebox boots, it uses the public key to verify the integrity of most files and directories on the appliance, before it mounts the root file system. If the integrity check fails, the Firebox immediately shuts down.

System integrity checks can increase boot time for models with less memory, such as Firebox T10 and T15 devices.

When the Firebox shuts down because an integrity check fails:

  • The boot process halts but power stays on.
  • For most device models, the Power indicator is green, the Arm indicator is red, and the other indicators are off.
  • All interfaces are disabled.
  • You cannot connect to the Firebox to see status.
  • An error appears in the serial console.

To verify that an integrity check failure caused the shutdown, connect to the serial console while you reboot the Firebox. If the integrity check fails, the error "Error: integrity check failed" appears in the console before the system shuts down. For information about how to connect over the console port, see the Reset a Firebox or XTM device over the console port Knowledge Base article.

If the Firebox shuts down because of an integrity check failure at boot time, follow these steps to try to recover the device:

  1. Start the Firebox in recovery mode. For more information, see Use Recovery Mode.
  2. Use the WSM Quick Setup Wizard to update your Firebox and create a new default configuration. For more information, see Run the WSM Quick Setup Wizard.
  3. Restore a backup image to the device. For more information, see Restore a Firebox Backup Image.

To automatically restore a specific backup image when the device starts in recovery mode, see Automatically Restore a Backup Image from a USB Drive.

If these recovery steps fail, contact Support.

Upgrade

When you select a Fireware upgrade file to install, the Firebox checks whether the file contains a cryptographic signature. If it does, the Firebox uses the public key from the previously installed image to verify the relevant portion of the upgrade file. If the signature is absent or cannot be verified, the Firebox refuses the upgrade.
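As an added example, not WatchGuard's code and not Fireware's real image format, the Go program below models the two checks described in the Boot Time and Upgrade sections: a signed manifest of file hashes is verified with a public key that ships inside the installed image, the boot-time check then compares every listed file against its hash, and the upgrade check refuses a candidate file whose signature is missing or does not verify under that key. The manifest layout, the marker string, the file paths and the file contents are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hypothetical image layout used only for this example (not WatchGuard's format):
// a manifest of "path sha256hex" lines, a marker, then a 64-byte Ed25519 signature.
const sigMarker = "\n--SIGNATURE--\n"

var (
	ErrNoSignature  = errors.New("integrity check failed: no signature present")
	ErrBadSignature = errors.New("integrity check failed: signature does not verify")
	ErrFileMismatch = errors.New("integrity check failed: file does not match manifest")
)

// NewVendorKey stands in for the vendor's signing key pair. The public half is
// what ships inside the installed image; the private half stays with the vendor.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SampleFiles returns constructed file contents standing in for the appliance's files.
func SampleFiles() map[string][]byte {
	return map[string][]byte{
		"/bin/fw":           []byte("firewall daemon binary (constructed)"),
		"/etc/services":     []byte("ssh 22/tcp\nhttps 443/tcp\n"),
		"/lib/libcrypto.so": []byte("crypto library (constructed)"),
	}
}

// manifest lists every file with its SHA-256, sorted so the output is deterministic.
func manifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignImage produces what the vendor ships: manifest, marker, signature over the manifest.
func SignImage(priv ed25519.PrivateKey, files map[string][]byte) []byte {
	m := manifest(files)
	out := append([]byte{}, m...)
	out = append(out, sigMarker...)
	return append(out, ed25519.Sign(priv, m)...)
}

// verifySignedManifest is the shared core of both checks: refuse when the signature
// is absent, refuse when it does not verify under pub, else return the trusted manifest.
func verifySignedManifest(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	idx := bytes.LastIndex(blob, []byte(sigMarker))
	if idx < 0 {
		return nil, ErrNoSignature
	}
	m, sig := blob[:idx], blob[idx+len(sigMarker):]
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, m, sig) {
		return nil, ErrBadSignature
	}
	return m, nil
}

// BootCheck models the boot-time check: validate the signed manifest with the installed
// public key, then hash every listed file and compare. Files not listed in the manifest
// are not examined here. A real boot loader would halt on any error instead of returning it.
func BootCheck(pub ed25519.PublicKey, signed []byte, files map[string][]byte) error {
	m, err := verifySignedManifest(pub, signed)
	if err != nil {
		return err
	}
	for _, line := range strings.Split(strings.TrimSpace(string(m)), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, " ", 2)
		data, present := files[parts[0]]
		if len(parts) != 2 || !present {
			return ErrFileMismatch
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != parts[1] {
			return ErrFileMismatch
		}
	}
	return nil
}

// UpgradeCheck models the upgrade-time check: the key from the currently installed
// image decides whether the candidate upgrade file is accepted or refused.
func UpgradeCheck(installedPub ed25519.PublicKey, upgradeFile []byte) error {
	_, err := verifySignedManifest(installedPub, upgradeFile)
	return err
}

func main() {
	pub, priv := NewVendorKey()
	files := SampleFiles()
	signed := SignImage(priv, files)
	fmt.Println("boot, untouched files:", BootCheck(pub, signed, files))
	files["/bin/fw"] = []byte("tampered")
	fmt.Println("boot, tampered file:  ", BootCheck(pub, signed, files))
	fmt.Println("upgrade, unsigned:    ", UpgradeCheck(pub, []byte("legacy unsigned image")))
	_, otherPriv := NewVendorKey()
	fmt.Println("upgrade, wrong key:   ", UpgradeCheck(pub, SignImage(otherPriv, SampleFiles())))
}
```

The last two cases in main are the ones the page's downgrade note rests on: an image with no signature, or one signed by a key the installed image does not trust, is refused before anything is written, which is why an unsigned Fireware version cannot be installed over a signed one.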

On-Demand System Integrity Checks

The Firebox runs system integrity checks automatically, but you can also run the Boot Time system integrity check at any time from the Diagnostics page in Fireware Web UI.

On-demand system integrity checks do not halt or shut down the Firebox. However, if an on-demand system integrity check fails, the automatic Boot Time check might halt the Firebox when it next reboots.

You must be logged in to Fireware Web UI as a Device Administrator to run the on-demand integrity check.

To run an on-demand system integrity check, from Fireware Web UI:

  1. Select System Status > Diagnostics.
    The Diagnostics page opens with the Diagnostics File tab selected.
  2. Select the System Integrity tab.

    [Screen shot: Integrity Check tab]

  3. Click Start Check.
    The system integrity check runs. It can take several seconds for results to appear.
  4. One of these results appears:
    • System integrity check passed
    • System integrity check failed

If the on-demand system integrity check fails, the Firebox automatically generates a fault report. You can see the fault report on the Diagnostics File tab. Failure of an on-demand system integrity check could indicate an issue with the integrity of the files and folders on the Firebox, or a hardware problem. You can try the steps in the Boot Time section to recover the device or contact Support for assistance.

See Also

Set Up & Administer Your Firebox

Upgrade Fireware OS or WatchGuard System Manager