Use the Quick Setup Wizard to Downgrade Fireware

Only use this downgrade method with direction from Support and when you do not have a saved backup image. If you have a saved backup image, use another method to downgrade the device to an earlier version of the Fireware and restore the backup image. For more information, go to Downgrade Fireware.

You can use the Quick Setup Wizard in WatchGuard System Manager to downgrade the version of Fireware on a Firebox started in recovery mode. When you use the Quick Setup Wizard to configure a device in recovery mode, the Quick Setup Wizard finds the latest version of Fireware installed on the management computer and installs that version of Fireware on the device, regardless of the version that is currently installed. The Quick Setup Wizard removes all existing files on the device. Only use this procedure to downgrade the version of Fireware on a device if you do not have a saved backup image.

You cannot restore a backup image from a version of Fireware lower than Fireware v12.1.3 Update 8, v12.5.9 Update 2, or v12.7.2, based on your device model.

You cannot downgrade a Firebox to a version of Fireware lower than Fireware v12.1.3 Update 8, v12.5.9 Update 2, or v12.7.2 Update 2, based on your device model.

Step 1 — Save the Current Configuration File

If you do not have a saved configuration file that you want to use after the downgrade, use Policy Manager to save the current device configuration to a file before you downgrade. In Fireware v12.0.1 and higher, you can also use Policy Manager to save a configuration file for a specific Fireware version. You can edit the configuration file and save it to the device after the downgrade.

For more information on how to save a configuration file for a specific Fireware version, go to Save the Configuration File

Step 2 — Uninstall Newer Versions of Fireware from Your Management Computer

If you want to use the Quick Setup Wizard to install an older version of Fireware, you must uninstall any newer versions of Fireware from the management computer for the Firebox model you want to downgrade. You also must make sure that the latest installed version of Fireware on the management computer is the one you want to downgrade to. Do not uninstall WatchGuard System Manager.

  1. In Windows Control Panel, find the list of installed programs.
    There is a separate WatchGuard Fireware program for each version of Fireware you have installed for each Firebox model.
  2. Find the installed version of the WatchGuard Fireware OS for the Firebox model you want to downgrade.
  3. For your Firebox model, uninstall any Fireware version newer than the one you want to downgrade to.
  1. Verify that the latest installed version of Fireware is the version you want to install on the device.
  2. If necessary, download and install the older version of Fireware on your management computer. You can download the Fireware installer from the WatchGuard website at https://www.watchguard.com.

Step 3 — Start the Device in Recovery Mode

  1. Power off the Firebox.
  2. Press and hold the Reset button on the back of the Firebox.
  3. While you continue to hold the Reset button, power on the Firebox.
  4. Continue to press the Reset button until the Attn indicator begins to flash.
  5. Release the Reset button. Do not power off the Firebox yet.
  6. Wait for the reset process to complete. This can take 70 seconds. When the reset is complete, the Attn indicator stays lit and does not flash.
    The Firebox is in recovery mode.
  1. Power off the Firebox.
  2. Press and hold the Reset button on the front left of the Firebox, and briefly press the Power button on the front of the Firebox to power it on.
    The Arm indicator is red.
  3. Continue to hold the Reset button while the Arm indicator ( Shield symbol ) is red.
    The Arm indicator starts to flash green.
  4. Continue to hold the Reset button while the Arm indicator flashes once per second.
  5. After the Arm indicator starts to flash green twice per second, release the Reset button.
  6. Wait until the Arm indicator starts to flash red.
    The Firebox is in recovery mode.
  1. Power off the Firebox.
  2. Press and hold the Power button on the front of the Firebox for three seconds to power it off.
  3. Press and hold the Reset button on the front left of the Firebox, and briefly press the Power button on the front of the Firebox to power it on.
  4. Continue to hold the Reset button until the Mode indicator is lit.
  5. Immediately release the Reset button.
    The Attn indicator is lit and does not flash. The Firebox is in recovery mode.

To start the Firebox M440 in recovery mode, you must release the Reset button after the Mode indicator is lit, but before the Attn indicator begins to flash.

  1. Power off the XTM device.
  2. Press and hold the up arrow button on the device front panel while you power on the device.
  3. Continue to hold the button until Recovery Mode starting appears on the LCD display.
    The LCD display shows Recovery Mode.

XTM 5 Series and 8 Series devices are manufactured with a version of Fireware that cannot be upgraded directly to Fireware XTM v11.8 or higher. To use recovery mode with these models, you must install Fireware v11.7.x or lower on the management computer before you run the Quick Setup Wizard. The Quick Setup Wizard looks for the latest version of Fireware XTM v11.7.x or lower on the management computer and installs that version on the device. For more information, go to About Recovery Mode for XTM 5 and 8 Series.

Step 4 — Run the WSM Quick Setup Wizard

After you start the device in recovery mode, you can use the WSM Quick Setup Wizard to downgrade it.

  1. Connect the management computer to device interface 1.
  2. In WatchGuard System Manager, select Tools > Quick Setup Wizard.
  3. Select Yes, my device is ready to be discovered.
  4. Click Next to start device discovery.
  5. Provide the information to create a basic device configuration. For a description of the configuration steps, go to Run the WSM Quick Setup Wizard.
    The final page of the Quick Setup Wizard shows the version of Fireware installed on the device.

After the device restarts, it uses a basic configuration of 10 policies and services(for example, TCP and UDP outgoing, FTP packet filter, ping, WatchGuard, and WatchGuard Web UI), and the interface IP addresses you specified. You can use Policy Manager to change this basic configuration or to save an existing configuration file to the device, as described in the next section.

Step 5 — Save a Configuration File to the Downgraded Device

After you downgrade the device, you can use Policy Manager to save an existing configuration file to the downgraded device.

  1. Open the saved configuration file you want to use in Policy Manager.
  2. Make sure the configuration file has the correct feature key for this device.
  3. Save the configuration file to the device.

If the configuration file you save has an enabled feature that is not supported by the version of Fireware on the device, Policy Manager shows an error message to tell you about the feature that is not supported.  You must disable the feature before you can save the configuration file to the device.

Step 6 — Reinstall Device Certificates

When you use the Quick Setup Wizard for a device in recovery mode, any certificates installed on the device are removed. New self-signed certificates are automatically created when you complete the wizard. If your device had third-party certificates installed, you can reinstall them on the device after the downgrade. For more information, go to Manage Device Certificates (WSM).

Related Topics

Downgrade Fireware