Restore an SRX Firewall to a Rescue Config

Info

If a bad commit ever breaks the configuration of an SRX firewall, the firewall can be rolled back to its rescue config. This process requires that a rescue config was configured beforehand, and it also requires physical access to the firewall.

Prep Steps if the firewall is in a cluster

  • Push the power button on the secondary firewall
  • Wait 2-3 minutes until the secondary firewall has finished powering down

Steps to Revert to the Rescue config

  • Take a paperclip and quickly press the button inside the pin-hole labeled Reset config
    • If this button is held for 15 seconds, the firewall will revert to factory defaults instead of the rescue configuration
  • The LED lights will turn amber for a few minutes
  • Wait 2-3 minutes after the LED lights change from amber
  • The firewall should now have the rescue config applied

When committing changes in the future, consider using the commit confirmed feature that is built into Junos.

Post Steps if the firewall is in a cluster

  • Power on the secondary firewall
  • Verify the secondary firewall is booted and the cluster is healthy with the following command:

show chassis cluster status

  • The cluster status should resemble the image below:

[Image: SRX_Chassis_Cluster]

  • Once the cluster is healthy, log in to the primary node with the rescue config loaded
  • Issue a commit to write the rescue config to the secondary node
  • Now the firewalls can also be rolled back to a previous config via the normal rollback commands
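
The CLI side of this procedure, as an added example that is not part of the original page: saving the rescue config that the reset button depends on, using commit confirmed for a risky change, and the normal rollback commands. The prompt user@srx and the 5-minute timer are constructed values; lines starting with # are annotations.

```junos
# Operational mode: save the currently active, known-good configuration
# as the rescue config, then review what was stored.
user@srx> request system configuration rescue save
user@srx> show system configuration rescue

# Configuration mode: review and validate the pending change before committing.
user@srx> configure
user@srx# show | compare
user@srx# commit check

# Commit with an automatic rollback timer (in minutes). If the change cuts
# off management access, Junos reverts to the previous configuration by
# itself when the timer expires.
user@srx# commit confirmed 5

# The change works: confirm it within the 5 minutes so it becomes permanent.
user@srx# commit

# Normal rollback: load the previous committed configuration and activate it.
user@srx# rollback 1
user@srx# commit

# Load the rescue config from the CLI, without the Reset config button.
user@srx# rollback rescue
user@srx# commit
```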
