A rollback operation reverts the currently running software on your device to a previous working version that you select.

Before you begin

Before you roll back to a software version, make sure to review the release notes for both your current version and your target version for any specific notations and warnings regarding the functionality for those versions. After you install the 2K key, you will lose device management functionality on the SMS if you roll back to TPS devices running TOS v4.0. Learn more: SMS certificate key.
Important
(TPS and vTPS only) After you roll back, always make sure the master key on the device is the same as the master key that was used to secure the keystore in the rollback TOS image.
A TPS device stores a maximum of three previous TOS versions that you can roll back to. If all three rollback slots are full, the oldest version gets overwritten when you perform your next TOS upgrade. To keep the oldest TOS version from being overwritten, specify and delete another TOS version before you upgrade your TOS. Learn more.

Procedure

  1. Select Devices > All Devices > device > Device Configuration.
  2. Select System Update.
  3. From the Previous TOS Versions table, select a software version entry, and click Previous Version Rollback.

Next steps

(TPS and vTPS only) When the rollback completes, verify the master key on the device is the same as the master key that was used to secure the keystore in the rollback TOS image. From the CLI, edit and save the configuration. If a “Device keystore is locked” message is displayed, the master key does not match. To resolve this issue, complete the following steps:
  • If you know the master key that was set in the TOS rollback image, set the master key to that passphrase. Use the master-key set CLI command to set the master key.
  • If you do not know the master key:
    1. (TOS 5.x.x and later images only) Reset the keystore by using the master-key reset-keystore CLI command.
    2. Reset the master key by using the master-key set CLI command.
    3. If the keystore persisted sensitive information, such as private keys for SSL inspection, import the private keys into the keystore and assign the new keys to the appropriate SSL servers.
    4. If the external user disk is encrypted, synchronize the ThreatDV URL Reputation Feed and User-defined URL Entries database to the device.
      Note
      If you change the master key while the external user disk is encrypted, the contents of the external user disk, which include the ThreatDV URL Reputation Feed and User-defined URL Entries database, are erased.