How to Use 4G LTE Service with the Vault

4G LTE Service Overview

4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. 4G LTE Service can be used with the Vault as a backup/failover Internet connection in the event the primary WAN service is down, or as the primary WAN interface when a wired Internet connection is unavailable. For any business or operation, a 4G LTE failover solution ensures that Internet connectivity is preserved and eliminates potential loss of sales and loss of productivity. Maintaining a constant Internet connection is particularly crucial these days as so many applications and business functions are in the “cloud” and only accessible via the Internet.

4G LTE Service options are extremely cost effective compared to the loss of business and/or productivity. Baseline pricing is $29.99 per month for 1 gigabyte (GB) of data or $34.99 per month for 1 GB with a public static IP address. Additional usage is only $1 per 100 MB for either subscription plan. Protectli 4G LTE Products and Services can be found at this link.

In addition to backup/failover, there are numerous applications that are ideal for a standalone cellular connection. Examples are:

  • Temporary or short term connections for construction sites, sporting events, concerts, etc.
  • Permanent retail kiosks that are not close to a wired connection
  • Remote sensor monitoring
  • Remote vehicle and storage areas
  • Many others ……

4G LTE Service Configuration

As noted above, the 4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. The modem and subscription plan are ordered together from Protectli. Protectli will insert a SIM card for the subscription plan and test connectivity to the cellular service. When the modem arrives it is fully functional and no configuration is required on the modem itself. The antennas must be attached to the “Main” and “Aux” connectors of the modem to get a good signal. Simply connect the LAN port of the modem to one of the Vault’s Ethernet ports using the supplied Ethernet cable. The Vault may need to be configured, depending on the installed operating system (OS). See the Protectli Knowledge Base at this link for articles that are specific to 4G LTE and a particular OS.

4G LTE Service Specifications

  • 4G LTE Category 4
  • Max download data rate up to 150 Mbits/second
  • Max upload data rate up to 50 Mbits/second
  • 3G Failover
  • Band 2 (1900 MHz), Band 4 (1700/2100 MHz), Band 5 (850 MHz), Band 17 (700 MHz)

4G LTE Service Documents

  • Data Sheet, see this link
  • User Manual, see this link

How to Configure a PXE Server on CentOS 7 with pfSense® CE

Overview

PXE (Preboot Execution Environment) allows remote clients to boot from a network-hosted image. In this article we will be setting up a PXE server on CentOS 7 with a pfSense® router in place. Vault models FW2B, FW4B, and all versions of the FW6 can be flashed to coreboot, which has PXE capabilities.

We have guides covering how to install CentOS, pfSense® CE and how to flash coreboot on to the Vault.

Example Setup

For this example we will be configuring a CentOS 7 server to host the PXE files, alongside pfSense® running the DHCP server, to allow network boot and installation of CentOS 7 on a FW2B flashed with coreboot.

  • FW6C – Hosting a virtual machine of CentOS 7
  • FW4B – Running pfSense®
  • FW2B – coreboot flashed for PXE
PXE Diagram

Prerequisites

For this guide we will assume the following are in place:

  • PXE enabled client
  • CentOS 7 Server
  • pfSense® router with DHCP enabled

Setting Up the PXE Server

  • Log into the CentOS 7 server
  • Verify all the packages are updated using the following command
#yum update -y
  • Install the required packages using the following command
#yum install syslinux xinetd tftp-server vsftpd wget -y
  • Edit the TFTP configuration file with the vi command
#vi /etc/xinetd.d/tftp
  • Change disable from yes to no.
  • Tips for vi editing: Press ‘Insert’ on the keyboard to edit the file, ‘Esc’ to exit edit mode, and type “:wq” to write and close the file.
TFTP Configuration File
  • Change directory to syslinux and copy the necessary files to the TFTP root directory
#cd /usr/share/syslinux
#cp pxelinux.0 mboot.c32 menu.c32 chain.c32 memdisk /var/lib/tftpboot
  • Make and change to the tmp directory.
  • Download a CentOS 7 image. The following address is for a minimal image, but you may find your own mirror and version
#mkdir tmp
#cd tmp/
#wget http://mirrors.ocf.berkeley.edu/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso
  • While in tmp, mount the downloaded image so its files can be copied to the FTP directory
#mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/
  • Make a directory for the image files and copy them over
#mkdir /var/ftp/pub/centos7
#cp -rf /mnt/* /var/ftp/pub/centos7
#chmod -R 755 /var/ftp/pub/centos7
  • Make a directory and sub-directory called networkboot/centos7 and copy over vmlinuz along with initrd.img
#mkdir -p /var/lib/tftpboot/networkboot/centos7
#cp /var/ftp/pub/centos7/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/networkboot/centos7
  • Create a PXE configuration file that points to the correct files
#mkdir /var/lib/tftpboot/pxelinux.cfg
  • Make note of the IP address for the next steps. Use the following command to show IP address
#ip a
  • Open the PXE configuration file with the vi editor
#vi /var/lib/tftpboot/pxelinux.cfg/default
  • Add the following lines to this new configuration file. The screenshot below is an example of what it should look like.
default menu.c32
prompt 0
timeout 60

menu title <insert title>
label Install CentOS 7

kernel /networkboot/centos7/vmlinuz
append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://<server_ip_addr>/pub/centos7
PXE Configuration File
  • Use ‘:wq’ to save and exit the editor
  • Enable and start the TFTP and FTP services
#systemctl enable vsftpd.service
#systemctl start vsftpd.service

#systemctl enable tftp.service
#systemctl start tftp.service
  • Add firewall rules for the TFTP and FTP servers
#firewall-cmd --permanent --add-service=tftp
#firewall-cmd --permanent --add-service=ftp
#firewall-cmd --reload
  • Log into your pfSense® webGUI and locate the DHCP Server menu under the Services tab
pfSense® DHCP Server
  • Scroll down to “Other Options” and fill in the TFTP server IP address
  • Verify the “Enables network booting” box is ticked
  • Enter the IP address of the Next Server (same as TFTP)
  • For “Default BIOS file name” enter pxelinux.0
DHCP PXE Settings
  • Click Save

At this point you can boot up the PXE client and verify that it lists the image and network installation functions. If you experience any issues, please feel free to reach out to us at: support@protectli.com
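
A pre-boot check for the TFTP tree built in the steps above, as an added example that is not Protectli's own tooling: it confirms that every file named in pxelinux.cfg/default exists under the TFTP root and that the <server_ip_addr> placeholder was replaced. The function names and the constructed sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check a pxelinux TFTP tree before booting a client.
# Usage: sh check_pxe.sh /var/lib/tftpboot   (no argument: run on a constructed sample)

# Print one line per problem found under TFTP root $1; return 1 if any.
check_pxe_tree() {
    root=$1
    cfg="$root/pxelinux.cfg/default"
    problems=0

    # Boot loader and menu module copied from /usr/share/syslinux.
    for f in pxelinux.0 menu.c32; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $f"
            problems=$((problems + 1))
        fi
    done

    if [ ! -f "$cfg" ]; then
        echo "missing: pxelinux.cfg/default"
        return 1
    fi

    # Collect every path named by a "kernel" line or an "initrd=" argument.
    # Paths in the config are resolved relative to the TFTP root.
    paths=$(awk '
        tolower($1) == "kernel" { print $2 }
        tolower($1) == "append" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^initrd=/) { sub(/^initrd=/, "", $i); print $i }
        }' "$cfg")
    if [ -z "$paths" ]; then
        echo "no kernel line in pxelinux.cfg/default"
        problems=$((problems + 1))
    fi
    for p in $paths; do
        if [ ! -f "$root/${p#/}" ]; then
            echo "missing: $p (referenced in pxelinux.cfg/default)"
            problems=$((problems + 1))
        fi
    done

    # The template in the guide carries a <server_ip_addr> placeholder.
    if grep -q '<server_ip_addr>' "$cfg"; then
        echo "placeholder <server_ip_addr> not replaced in inst.repo"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Build a constructed sample tree (empty stand-in files) laid out as in the
# guide. $1 = directory to create, $2 = host part written into inst.repo.
make_sample_tree() {
    mkdir -p "$1/pxelinux.cfg" "$1/networkboot/centos7"
    : > "$1/pxelinux.0"
    : > "$1/menu.c32"
    : > "$1/networkboot/centos7/vmlinuz"
    : > "$1/networkboot/centos7/initrd.img"
    cat > "$1/pxelinux.cfg/default" <<EOF
default menu.c32
prompt 0
timeout 60

menu title Constructed sample
label Install CentOS 7

kernel /networkboot/centos7/vmlinuz
append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://$2/pub/centos7
EOF
}

# With an argument, check that directory; with none, demonstrate on a sample
# whose placeholder was deliberately left in place.
if [ "$#" -ge 1 ]; then
    check_pxe_tree "$1"
else
    demo=$(mktemp -d)
    make_sample_tree "$demo" '<server_ip_addr>'
    check_pxe_tree "$demo" || echo "sample tree: problems found (expected)"
    rm -rf "$demo"
fi
```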

How to configure UEFI on the Vault

UEFI Overview

UEFI is an acronym for Unified Extensible Firmware Interface. It is a specification that defines a new model for the interface between operating systems (OS) and platform firmware. It is a replacement for legacy BIOS. More information may be found on the UEFI Forum website at: https://uefi.org/

Recent updates to some OS software have introduced incompatibility between the default installation of the OS with some of the Vault hardware platforms. Setting the BIOS mode on the Vault to UEFI eliminates some of these issues. The article below will detail how to set the BIOS mode to UEFI.

Changing BIOS mode to UEFI

  • Verify that the Vault is powered down
  • Verify that the monitor is connected
  • Verify that the USB keyboard is connected
  • While powering up the Vault, press “DEL” key
  • Verify that the system boots into the BIOS
BIOS Main Screen
  • Select the “Advanced” tab
BIOS Advanced Tab
  • Select “CSM Configuration”
CSM Screen
  • Select “Boot option filter”
Boot Option Filter Menu
  • Verify the Boot option filter menu is displayed
  • Select “UEFI only”
  • Press Return(Enter)
  • Press “F4” to save and exit the BIOS
  • Power off the Vault

At this point UEFI mode is enabled. See the specific installation guide for the desired OS.

If you experience any issues, please feel free to reach out to: support@protectli.com.

coreboot on the Vault

coreboot is an open source project focused on the boot and BIOS process for initializing hardware (HW) and booting an operating system (OS). coreboot has roots in the Linux community and can be found on the internet at https://www.coreboot.org/.

coreboot describes itself as: “…an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems.” It is an open source alternative to legacy BIOS options with the following properties:

  • Fast Boot – Minimal image, removes legacy bloat
  • Open Source – The source code is available and can be built without any cost or license
  • Secure – Common backdoors of legacy BIOS can be disabled or not even included in the build
  • Support for modern HW and Intel CPUs

The coreboot philosophy is to do the absolute bare minimum to discover and initialize hardware (HW), then pass the control to another program called a “payload”. The payload then takes care of user interfaces, drivers, policies, etc. Protectli has implemented coreboot with the SeaBIOS payload.

coreboot is available on the FW2B, FW4B and FW6 series Protectli platforms as an alternative to traditional BIOS.

coreboot has been tested on the FW2B, FW4B and FW6 series with the following OS:

  • FreeBSD 11.2
  • OPNsense 19.1
  • pfSense 2.4.4
  • Ubuntu 18.10

coreboot can be selected at the time of ordering. It can also be installed in the field. See instructions below for FW2B and FW4B. The FW6 installation is more involved and requires recompiling the default version of the “flashrom” utility. Contact Protectli directly for instructions for the FW6 series.

Boot Menu

When coreboot is installed and the system boots, it will first attempt to boot from the internal mSATA. If there is no bootable OS on the mSATA, it will then attempt to boot from any USB that it discovers. To boot from a USB rather than the mSATA, access the boot menu by pressing the “F11” key when the splash screen is displayed, then select the desired boot device.

Installation Instructions

Note: Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Please proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding.

Note: Coreboot utilizes Legacy BIOS. If the operating system was previously installed under UEFI BIOS, coreboot may no longer recognize that drive.

coreboot is installed using a program called ‘flashrom’, which is available for many Linux distributions. Protectli validated the installation of coreboot using flashrom on Ubuntu 18.10 (see this link for guidance on installing Ubuntu on the Vault). While flashrom works under other operating systems, this has not been tested by Protectli. As such, we recommend using Ubuntu to upgrade your Vault to coreboot.

In the instructions below, “#” indicates a command line instruction in an Ubuntu Terminal window. “filename” refers to the actual name of the file.

  • If not using Ubuntu on the Vault, remove the existing mSATA and replace it with the dedicated mSATA for the coreboot installation process
  • Install Ubuntu desktop version on the Vault to the dedicated mSATA per the link above
  • Verify that Ubuntu desktop version is installed and reboot the system
  • Verify that Ubuntu boots up to the desktop version and the Firefox browser is installed, or install the browser of your choice
  • Browse to the appropriate coreboot “filename.rom” file and download it to the Ubuntu system. See the table below for links to the coreboot .rom files.
  • Open a terminal window in Ubuntu. (Applications->Terminal)
  • Verify the terminal opens and change directory to “Downloads” using the following command:
#cd Downloads
  • Verify the “filename.rom” file has been downloaded to the “Downloads” directory using the following command:
#ls -la
  • Download the appropriate SHA256 checksum file per the table below
  • Verify the “filename.rom.sha” file has been downloaded to the “Downloads” directory using the following command:
#ls -la
  • If the files are compressed, with a suffix of “.zip”, uncompress them with the following commands:
#unzip filename.rom.zip
#unzip filename.rom.sha256.zip
  • Run the SHA256 program on the filename.rom file using the following command:
#sha256sum filename.rom
  • Verify the SHA256 output is the same as the contents of the filename.rom.sha file
#cat filename.rom.sha
  • Verify the “flashrom” program is present in Ubuntu
#which flashrom
  • If flashrom is not present, get it from the network and install it in Ubuntu
#sudo apt install flashrom
  • Verify flashrom is installed on the system
  • Flash the coreboot image to the system with the following command:
#sudo flashrom -p internal -w filename.rom -V -o output-file
  • where -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output
  • Reboot the system
  • Verify the system boots and displays the coreboot version string on the screen, then the splash screen
  • Verify the system boots up to Ubuntu desktop
  • If not using Ubuntu as the OS, power off the system and replace the dedicated Ubuntu mSATA with the mSATA for the desired OS
  • Reboot the system and verify that it boots to the desired OS

At this point coreboot should be installed. However, as always, feel free to contact us at: support@protectli.com.
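
The checksum comparison in the steps above can be scripted so that a mismatch stops the procedure before flashrom runs. This is an added example, not Protectli's tooling; the function names are hypothetical, and the checksum file is assumed to hold either a bare digest or the "digest  filename" layout that sha256sum writes.

```shell
#!/bin/sh
# Added example: refuse to continue unless a firmware image matches its
# SHA256 checksum file.
# Usage: sh verify_rom.sh filename.rom filename.rom.sha \
#            && sudo flashrom -p internal -w filename.rom -V -o output-file

# Print the first 64-hex-digit token in checksum file $1, lowercased.
# Handles upper-case digests, a trailing file name and CRLF line endings.
expected_digest() {
    awk '{
        gsub(/\r/, "")
        for (i = 1; i <= NF; i++) {
            t = tolower($i)
            if (length(t) == 64 && t ~ /^[0-9a-f]+$/) { print t; exit }
        }
    }' "$1"
}

# Return 0 if sha256(image $1) equals the digest stored in $2,
# 1 on a mismatch, 2 if either input is unusable.
verify_rom() {
    image=$1
    sumfile=$2
    if [ ! -s "$image" ]; then
        echo "image missing or empty: $image" >&2
        return 2
    fi
    if [ ! -f "$sumfile" ]; then
        echo "checksum file missing: $sumfile" >&2
        return 2
    fi
    want=$(expected_digest "$sumfile")
    if [ -z "$want" ]; then
        echo "no SHA256 digest found in $sumfile" >&2
        return 2
    fi
    # Hash from stdin so the file name never appears in the output.
    got=$(sha256sum < "$image" | cut -d ' ' -f 1)
    if [ "$got" != "$want" ]; then
        echo "MISMATCH for $image" >&2
        echo "  expected $want" >&2
        echo "  actual   $got" >&2
        return 1
    fi
    echo "OK $image $got"
}

if [ "$#" -eq 2 ]; then
    verify_rom "$1" "$2"
else
    # Constructed demonstration: a stand-in "image", its checksum file,
    # then the same image with extra bytes appended.
    tmp=$(mktemp -d)
    printf 'constructed stand-in for a firmware image\n' > "$tmp/sample.rom"
    sha256sum "$tmp/sample.rom" > "$tmp/sample.rom.sha"
    verify_rom "$tmp/sample.rom" "$tmp/sample.rom.sha"
    printf 'appended bytes' >> "$tmp/sample.rom"
    verify_rom "$tmp/sample.rom" "$tmp/sample.rom.sha" || echo "flash aborted"
    rm -rf "$tmp"
fi
```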

Flash from coreboot to Original (AMI) BIOS

If you would like to go back to the OEM BIOS, the steps are relatively straightforward and follow the same procedure as flashing coreboot. Be sure to use the correct BIOS for your Vault.

Using the same Ubuntu install as the instructions above:

  • Verify the correct BIOS is downloaded from here
  • Unzip the BIOS in the Downloads folder
  • Open Terminal and change directory to BIOS folder. Examples below.

For the FW4B

#cd Downloads/4B180727

For the FW2B

#cd Downloads/2B180727
  • Now run the flashrom command, using ‘filename.bin’ instead of ‘filename.rom’.

Example below would be for the FW4B BIOS file.

 #sudo flashrom -p internal -w YLBWL412.bin -V -o output-file 

And for the FW2B

 #sudo flashrom -p internal -w YLBWL212.bin -V -o output-file 
  • After the flash is complete the terminal should output a “VERIFIED” message along with “Restoring MMIO space at…” message
  • Now Reboot and verify the OEM BIOS is loaded along with booting into the desired OS

coreboot File Table

| Model | coreboot .rom file | SHA256 file |
|---|---|---|
| FW2B | fw2b_v4.9.0.1.rom | fw2b_v4.9.0.1.rom.sha |
| FW4B | fw4b_v4.9.0.1.rom | fw4b_v4.9.0.1.rom.sha |

How to Customize the Boot Splash Screen

Overview

The “Splash Screen” is the graphical image or logo that is briefly displayed at boot up of the system. The splash screen for the Vault can be customized to enhance the brand awareness of the product and/or solution. Protectli provides a Windows tool that can be used to change the BIOS and customize the splash screen.

Splash Screen File

The splash screen file is a “bitmap” file with an extension of “.bmp” in Windows. The bitmap file used for the splash screen must have maximum dimensions of 800 x 600 and be less than 1.4 MB. If there is already a logo file in “.jpg” or “.png” format, that file can be converted to a bitmap file using the Windows Paint program or other tools.

Verify the Desired Splash Screen File

  • On Windows, right click the desired file
  • Select Properties
  • Verify “Type of File” is BMP file
  • Select the Details tab
  • Verify the Dimensions are 800 x 600 or less
  • Verify the Size is 1.4 MB or less

Convert the Desired Splash Screen File

If the desired file is in JPG or PNG format, it can be converted to Bitmap using the Windows Paint program. This procedure is only necessary if the desired file is not already in Bitmap format.

  • On Windows, right click the desired file
  • Select Edit
  • Verify the Paint program starts and the graphical image is displayed
  • Select File->Save As->Save as type:
  • Verify the dropdown menu that contains these bitmap options is displayed
    • Monochrome Bitmap
    • 16 Color Bitmap
    • 24 Color Bitmap
    • 24-bit Bitmap
  • Select the desired bitmap format
  • Note that the formats listed in the dropdown are in increasing order of quality and increasing order of size
  • Select Save
  • Right click on the newly created bitmap and verify that it is less than 1.4 MB
  • If greater than 1.4 MB, repeat this procedure with a lesser quality bitmap format

Download the BIOS

The BIOS folder for each specific model of the Vault is available at this link. Be very sure when downloading and installing the BIOS that it is the correct BIOS for the specific Vault. Installing incorrect BIOS may result in an inoperable system.

  • Download the BIOS zip file for the model of the Vault from the link above
  • Verify the BIOS zip file is downloaded
  • Unzip the file and verify the BIOS folder is downloaded

Download the BIOS Logo Tool

There are two BIOS logo tools. One is for the FW1, FW2, and FW4 models of the Vault. The other is for the FW6 models of the Vault. The FW1, FW2, and FW4 tool is at this link. The FW6 tool is at this link.

  • Download the BIOS logo tool zip file for the model of the Vault from the link above
  • Verify the proper BIOS logo tool zip file is downloaded
  • Unzip the BIOS logo tool

Use the BIOS Logo Tool to Change the Splash Screen

  • Double click on the BIOS Logo executable file
  • Verify the “Change Logo” application appears on the screen

Change Logo Application

  • Select the “Load Image” button

Load Image Button

  • Verify navigator window is displayed

Navigator Window

  • Verify/Select “Files of type:” All Files
  • Navigate to the BIOS folder
  • Select the .bin file
  • Select “Open”

.bin File

  • Verify the .bin file is displayed in the proper folder in the “Aptio Image” Box

Aptio Image Box

  • Select Browse Button

Browse to find Bitmap File

  • Verify the navigator window is displayed
  • Select files of type “BMP Files (*bmp)”
  • Navigate to the desired bitmap file
  • Select the .bmp file
  • Select Open
  • Verify the desired bitmap file is displayed in the “Select BMP file” box

Select BMP File

  • Select the Replace Logo button

Replace Logo

  • Verify the “Save Image As” button is now not grayed out

Save Image As Button

  • Select the “Save Image As” button
  • Verify the navigator window is displayed
  • Navigate to the BIOS folder, this is where the new BIOS file will be placed
  • Manually enter the name of the original .bin file, note that it must be exactly the same name

BIN File

  • Select Save button
  • Verify the Success message is displayed in the lower left of the tool

Success Message

Create Bootable USB Drive and Install New BIOS

Now that the new bitmap file has been created, the BIOS folder must be transferred to a USB drive and then used to update the BIOS on the Vault. Follow the instructions at this link to create a bootable USB drive, transfer the new BIOS folder to the USB drive, and install the new BIOS on the Vault.

  • Verify the splash screen has the new logo or image during initial boot
  • Verify the system boots

At this point, the new splash screen should be installed on the Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com.

Verify Intel Spectre and Meltdown Vulnerabilities

Overview

There are known security vulnerabilities with Intel processors that are named “Spectre” and “Meltdown”. These vulnerabilities are documented at this link. There is a Windows-based tool that can analyze the system to determine if it is vulnerable to Spectre or Meltdown. This document describes how to use that tool to assess the vulnerability of the Vault. Information regarding specific BIOS updates to the different Vault platforms can be found from links on the product pages.

On a Windows computer,

  • Browse to InSpectre homepage at https://www.grc.com/inspectre.htm
  • Scroll down to Download Button and download InSpectre application from this link.
  • Verify that the file/application “InSpectre.exe” is downloaded to the Windows computer
  • Run InSpectre (double-click) and verify the application pops up

InSpectre & Meltdown Vulnerability Status  – Not Protected

  • Verify that both Meltdown and Spectre vulnerabilities are protected.

If not, update the Vault to the appropriate BIOS that addresses the vulnerabilities. See the latest BIOS at this link.

  • Update BIOS on the Vault
  • Rerun the InSpectre application
  • Verify vulnerabilities are protected

InSpectre & Meltdown Vulnerability Status  – Protected

At this point the Vault should be protected from the Spectre and Meltdown vulnerabilities. However, if there are any issues, feel free to reach out to us at:

support@protectli.com 

FW2B FW4B Series Hardware Overview

As with all Protectli Vault hardware, the FW2B and FW4B series need only RAM (memory) and mSATA (storage) added in order to have a fully functional hardware system. In addition, an optional WiFi module can be installed as well. For more information on HW compatibility, see this link.

The FW2B and FW4B series hardware are slightly different, but the chassis form factor, general board layout, and placement of components is largely the same. The FW2B and FW4B vary mainly in the type of CPU they have and the number of network ports. For a full comparison among different models, please see this page.

The annotated photo below shows the location of the various sockets.  The FW2B is pictured. Note that the memory socket is underneath the mSATA and WiFi sockets.

CPU

The FW2B series uses an Intel J3060 processor and the FW4B series uses an Intel J3160 processor. Both of these CPUs have built-in support for Intel’s AES-NI hardware encryption.

Memory

There is a single SODIMM socket for memory.  Additional information on compatible memory modules can be found in the Hardware Compatibility page.  The maximum supported memory size is 8GB of DDR3L (1.35V).

mSATA

The FW2B and FW4B series come with a single mSATA socket. This socket is capable of holding any logical size mSATA.

WiFi

The WiFi module socket is a PCIe form factor socket. The FW2B can accommodate a standard PCIe WiFi module. The FW4B socket, while PCIe in form factor, operates over USB channel communication, limiting functionality as compared to pure PCIe modules. Protectli sells a compatible WiFi module that is available here. Instructions for installation of the WiFi module can be found here. The FW2B can also accommodate the Protectli PCIe/USB WiFi module.

Port Connectivity

The ‘Front’ of the FW4B Vault is pictured above.  The FW2 is different, as it only has 2 network ports (WAN and LAN) but an additional 4 USB 2.0 ports.

Power should be supplied by the included power supply, which is rated for 12V at 3.3A.

The Power LED lights up green when power is applied to the Vault. It does not indicate the status of the operating system.

The Drive Activity LED will blink, according to mSATA drive activity.  Usually, the user will see the most activity as the unit is booting, or if the unit is under heavy load.  For most operating systems, this indicator will not be on and only blink occasionally under most conditions.

The network ports are each independently connected to the CPU via a PCIe connection. A table that shows port numbering can be found below.

| Vault Model | Port 6 | Port 5 | Port 4 | Port 3 | Port 2 | Port 1 |
|---|---|---|---|---|---|---|
| FW1x | - | - | OPT2 | OPT1 | LAN | WAN |
| FW2x | - | - | - | - | LAN | WAN |
| FW4x | - | - | OPT2 | OPT1 | LAN | WAN |
| FW6x | OPT4 | OPT3 | OPT2 | OPT1 | LAN | WAN |
| FreeBSD (pfSense) Labeling (in software) | em5 | em4 | em3 | em2 | em1 | em0 |
| Windows 10 (in software) | Ethernet 5 | Ethernet 4 | Ethernet 3 | Ethernet 2 | Ethernet | Ethernet 1 |

Data Sheets

The FW2B data sheet can be found at this link. The FW4B data sheet can be found at this link.

BIOS Versions for the Vault

Note: Intel has recently announced a security vulnerability that is described at:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html 

The FW1, FW2, FW4A and FW6 Vaults may be affected by this vulnerability. The FW2B and FW4B are not affected. Protectli understands the urgency of this issue and we are working with our partners to generate BIOS updates to address the issue. We will post the updated BIOS and/or timelines for updated BIOS on this page shortly.

BIOS

BIOS is the abbreviation for Basic Input Output System. It is a small program that is stored on non-volatile memory that is used to initialize the system hardware during the boot process. BIOS is installed on every system when it ships, but occasionally there are upgrades to the BIOS to address various issues. This page has a table with all of the current versions of BIOS for the Vault. BIOS can be downloaded from this table by clicking on the “Download Link” entry and used to upgrade the BIOS on the Vault.

The currently installed BIOS version can be found on the main BIOS page, as seen in the example screenshot below (circled in red):

BIOS Main Tab

See this link for instructions on how to install BIOS on the Vault.

| Model | Download Link | BIOS ID | Notes | Release Date |
|---|---|---|---|---|
| FW1 | 1-190708 | BTL4A012 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW2 | 2-190708 | BTL4A012 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW2B | 2B190619 | BSW4L007 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW4A | 4A190619 | E38L4A12 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW4B | 4B190619 | BSW4L007 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW6A | 6-190708 | KBU6LA09 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW6B | 6-190708 | KBU6LA09 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |
| FW6C | 6-190708 | KBU6LA09 | New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy | August 1, 2019 |

Notes

Some older versions of FW1 and FW2 Vaults do not automatically update the new Boot Order with version BTL4A012. If this occurs, follow the steps below to set the Boot Order:

  • Power off the unit
  • Reboot the unit and hit the DEL key to enter BIOS
  • Select the Boot Tab
  • Select “F3” to Load Optimized Defaults
  • Verify the proper Boot order of 1) UEFI mSATA 2) UEFI USB 3) Legacy mSATA 4) Legacy USB
  • Select “F4” to Save and Exit
  • Verify the system boots correctly

Older Versions

| Model | Download Link | BIOS ID | Notes | Release Date |
|---|---|---|---|---|
| FW1 | 1-181025 | BTL4A010 | Intel Spectre and Meltdown fixes | October 25, 2018 |
| FW2 | 2-180706 | BTL4A008 | Intel Spectre and Meltdown fixes | July 6, 2018 |
| FW2B | 2B180727 | BSW4L003 V1.02 | First Customer Shipment | July 27, 2018 |
| FW4A | 4A180804 | E38L4A05 V1.03 | Intel Spectre and Meltdown fixes, COM port fix | August 4, 2018 |
| FW4B | 4B180727 | BSW4L003 V1.02 | First Customer Shipment | July 27, 2018 |
| FW6A | 6-180614 | KBU6LA06 | Intel ME, Spectre and Meltdown fixes | June 14, 2018 |
| FW6B | 6-180614 | KBU6LA06 | Intel ME, Spectre and Meltdown fixes | June 14, 2018 |
| FW6C | 6-180614 | KBU6LA06 | Intel ME, Spectre and Meltdown fixes | June 14, 2018 |

As always, if there are any questions, feel free to reach out to us at:

support@protectli.com 

How to perform a BIOS update

This article will explain how to create a bootable FreeDOS USB drive and prepare the drive with the appropriate BIOS update files for installation on a Protectli Vault.  FreeDOS is a free DOS application that is compatible with Intel based computers, such as the Vault. The Vault uses FreeDOS to install BIOS updates to the Vault.

For creating a bootable USB with Windows, Protectli recommends a tool called Rufus. The home page for Rufus is https://rufus.akeo.ie.  The Windows system requirements are listed on the Rufus homepage.

Create Bootable FreeDOS USB – Windows

  • Download the Rufus tool from the home page to a Windows computer
  • Verify an executable file with a name of rufus-2.17 or similar is downloaded (the version you download may have a higher version number than this example)
    • Note that rufus is an executable and does not need to be installed.
  • Select the Rufus application that was downloaded and verify that the main menu pops up (example screenshot below)
  • Verify that “FreeDOS” is the default selection

Rufus Main Menu

  • Insert a USB drive into a USB port on the PC
  • Verify that Rufus recognizes the USB drive

Rufus Detects USB Drive

  • Select Start
  • Verify the warning appears and select Ok

Rufus Warning Message

  • Verify the FreeDOS is created on the USB, application status is “READY” and the green bar is complete

Rufus Ready Message

Download BIOS and Copy BIOS Folder to FreeDOS USB

*** Important ***

Note that the folder, file, and version names in this article are used as an example. The actual folder, file, and version names will vary depending on the model of Vault and the version of BIOS.

  • Download the BIOS folder to the Windows machine from the Protectli BIOS Version page at this link
  • The BIOS folder will be a compressed “zip” file. If compressed, uncompress the zip file
  • Go to “This PC” on the Windows machine and select the USB drive

Select USB Drive on This PC

  • Drag/copy the BIOS folder to the USB drive
  • If prompted, check the box to copy all current items to the USB Drive

Copy Prompt

  • Verify folder copied to the USB Drive

BIOS Folder in USB Drive

  • Safely remove the USB drive from the Windows computer

Update BIOS on the Vault 

Note: FreeDOS will not boot in UEFI BIOS. To successfully complete this procedure, make sure the BIOS is set to Legacy. We have a guide covering this here. Use the same steps, but switch to “Legacy Only”.

  • Insert the USB drive into the Vault
  • Hit the “F11” key repeatedly during boot
  • Verify the Vault boots to the boot selection menu
  • Select the USB and verify the Vault boots to the DOS prompt
  • Type “dir” to see the contents of the USB drive
  • In this example the folder “4A171114” should appear
  • Type “cd 4A171114” to change directory to the BIOS folder
  • Type “update.bat”
  • Verify that the BIOS installation completes

Verify BIOS ID on the Vault 

  • Reboot the Vault
  • Hit the “DEL” key repeatedly during boot
  • Verify the Vault boots to the main BIOS window
  • Verify the BIOS ID is the correct version

BIOS ID

At this point the new BIOS should be installed. However, if there are any issues, feel free to reach out to us at:

support@protectli.com 

Troubleshooting the Vault

With Solid State Drives (SSD) and fanless cooling, the Vault has been extremely stable over the years. However, as with all computers, occasionally the Vault may have various issues.

The most common issues that occur are due to faulty mSATA, faulty DRAM, or need for CMOS reset on the FW1, FW2 and FW4A series.

This article will help the user diagnose and repair the majority of the problems that do occur.

Accessing components           

In order to access the components, disconnect power, turn the unit upside down and remove the 4 screws on the bottom plate. The photos below show the internal sockets of the Vault when the bottom plate is removed.

FW1, FW2, FW4A
FW2B, FW4B
FW6

DRAM troubleshooting instructions

Some issues are due to faulty DRAM or system memory.

In order to verify memory, follow these steps:

Remove the bottom plate of the Vault and identify the components per the instructions above.

  • Verify memory is properly installed. There should be a noticeable “click” when the DRAM is properly inserted into the socket.
  • Verify the memory for the FW1, FW2, FW2B, FW4A, FW4B series is DDR3L where the “L” is for “low voltage” of 1.35V. DDR3 requires 1.5V and is not compatible with the Vault.
  • If there are still issues, run a cycle of Memtest. Instructions can be found at this link.
  • If there are still issues, replace the DRAM with known good DRAM.
  • If there are still issues, it is likely the DRAM is not the issue.

mSATA troubleshooting instructions

Some issues are due to faulty mSATA or system solid state drive (SSD).

In order to verify mSATA, follow these steps:

Remove the bottom plate of the Vault and identify the components per the instructions above.

  • There are 2 PCI sockets in the Vault. One is for mSATA and the other is for the WiFi module. See the photos above for the proper mSATA socket. Verify the mSATA is installed in the proper socket and screwed down.
  • If the mSATA is properly installed and there are still issues, replace it with a known good mSATA.
  • If there are still issues, it is likely the mSATA is not the issue.

CMOS reset instructions

The Vault’s CMOS is a small amount of battery-backed memory that contains basic system information for the BIOS. Occasionally the CMOS on the FW1, FW2 and FW4A series units can get into a state where it needs to be reset.

To reset the CMOS, see this link.

Physical Damage

Examine the Vault for any obvious external damage that may have occurred during shipping, installation, or while in service.

  • Verify that all of the ports, connectors, and power button are properly positioned in the chassis.

Loose components or screws

Shake the Vault

  • Verify there are no sounds to indicate a loose screw or other loose component
  • If it sounds like there is a loose item, open the Vault and verify the issue.

Basic troubleshooting

See photos below for the Vault interfaces

FW1, FW4 Front View
FW1, FW4 Back View
FW6 Front View
FW6 Back View

Plug one end of the power cable into a live AC power outlet and the other end into the DC power adapter.

  • Verify both connections are secure.
  • Verify the LED on the DC power adapter is illuminated.
  • Connect one end of a video cable to either the VGA connector or to the HDMI connector depending upon the model of the Vault. Connect the other end to the appropriate connection of a video monitor.
  • Verify the connections are secure.
  • Note that most video monitors have multiple interfaces such as VGA, HDMI and DVI.
  • Verify the video monitor is configured to use the correct interface for the Vault or that the video monitor can auto select the correct interface.
  • Connect a keyboard and mouse to the USB ports on the Vault.
  • Verify both connections are secure.
  • Plug the DC power cable into the power jack of the Vault.
  • Verify the blue LED on the power button is illuminated.
  • Verify that the green LED on the front panel is illuminated.

Issues

No Video           

Monitor the video screen and verify that the system boots up.

If no video is displayed, it may be due to a “barebone” unit. In other words, there is no DRAM or mSATA installed in the device when it ships from the factory. The FWX001, FW2B, FW4X-0, and FW6X-0 series are all barebone units and require installation of at least DRAM before any video can be displayed.

  • Verify a working VGA/HDMI cable
  • If available, try another monitor to check possible compatibility issues

If still no video

  • Remove the power plug from the Vault
  • Open the Vault per the instructions above and verify that DRAM is properly installed in the system

If DRAM is properly in place,

  • Follow the CMOS reset instructions above
  • After CMOS reset, power on the device and verify it displays video and boots correctly
  • If the system boots correctly, this indicates CMOS reset was required to resolve the issue

If there is still no video

  • Follow the DRAM troubleshooting instructions above
  • After DRAM troubleshooting, power on the device and verify it displays video and boots correctly
  • If the system boots correctly, this indicates replacing faulty DRAM was required to resolve the issue

If there is still no video

  • Remove the mSATA and verify the system boots up to the BIOS menu
  • If the system boots correctly, this indicates faulty mSATA that should be replaced

If there is still no video, contact Protectli support at: support@protectli.com

Boot directly to BIOS           

If the device boots and goes directly to BIOS

  • Verify that mSATA is properly installed per the instructions above

If mSATA is properly in place,

  • Follow the CMOS reset instructions above
  • After CMOS reset, power on the device and verify it displays video and boots correctly.
  • If the system boots correctly, this indicates CMOS reset was required to resolve the issue.

If the system still boots directly to BIOS

  • Follow the mSATA troubleshooting instructions above.
  • If the system boots correctly, this indicates faulty mSATA that should be replaced.

If the system still boots directly to BIOS, contact Protectli support at: support@protectli.com

No Operating System (OS) found

If the device boots and the following message or similar is displayed on the screen:

“Reboot and Select proper Boot device or Insert boot Media in selected Boot device and press a key”

it means that the device has booted correctly, recognized the mSATA as a bootable device, and there is no OS installed on the mSATA.

Protectli does not install a default OS onto the Vault so this is expected initial behavior.

Install an OS onto the Vault. There are instructions for many of the most popular open source firewalls, routers, network applications, Linux and Windows software packages on the Protectli Knowledge Base at this link.

  • Verify the installation completes successfully.

OS Installation Issues

Problems installing an OS are typically related to the specific OS image and/or the method used to create the installation image.

Specific instructions for many popular OS can be found on the Protectli Knowledge Base page at this link.

  • Verify that the AMD64 (64-bit) image type is selected, if the OS requires an image type selection.
  • Verify that a VGA or COM/Serial port image is selected, if required, depending on the OS.
  • Follow the instructions on the Protectli Knowledge Base page at this link to create a bootable USB drive.

Can’t install OS via COM/Serial port

If an OS cannot be installed via the COM port:

  • Verify the COM port session has been configured correctly. See this link.
  • Verify the image used for OS installation supports the COM port. Some OS installations require a specific image to use the COM port.

If the COM port session has been configured correctly and the correct image is used for OS installation and there are still issues, follow the instructions above for “No Video”.

Vault Crashes or Reboots            

If the Vault “crashes” or performs erratically during boot up, installation, or while in service,

  • Follow the mSATA troubleshooting instructions above.
  • If issues continue, follow the DRAM troubleshooting instructions above
  • If issues continue, follow the CMOS reset instructions above
  • If issues continue, it may be due to a corrupt OS. If possible with the OS, save the configuration file. Reinstall the OS.
  • If issues continue, it is most likely a software OS problem. Common issues are typically posted to the support sites or forums for the specific OS.

Here are some of the support sites for the most common OS:

  • https://forum.pfsense.org/index.php
  • https://forums.freebsd.org
  • https://www.microsoft.com/en-us/itpro/windows/support
  • https://ubuntuforums.org
  • https://forum.vyos.io
  • https://forums.untangle.com
  • https://community.sophos.com
  • https://communities.vmware.com/welcome

No Network Connectivity

If an OS is installed and appears to operate correctly, but there is no network connectivity for one or more Ethernet ports, follow these instructions:

For all Ethernet ports:

  • Verify the Ethernet cable is properly connected between the Vault and a switch/router.
  • Verify the Green connectivity LED for the port is constantly illuminated.
  • Verify the Yellow activity LED is blinking

WAN port:

By default, almost all OS configure the WAN port to get its IP address from a DHCP server.

  • Verify the connected switch/router/network is configured as a DHCP server to provide an IP address to the Vault.
  • Verify the OS that is installed recognizes a proper IP address on the WAN port.
  • An address of 169.254.10.1 or 169.254.XX.YY indicates that the IP address was generated automatically by the Vault because it was unable to get an IP address from a DHCP server.

LAN port:

Depending on the OS, the LAN port may get a default static IP address. As an example, pfSense® CE sets a static IP address of 192.168.2.1 on the LAN port and enables it as a DHCP server. FreeBSD automatically names the LAN port “em1”, sets a static IP address of 192.168.2.1, and enables it as a DHCP server.

  • Verify the OS that is installed recognizes a proper IP address on the LAN port.

OPT1-OPT3 ports:

Depending on the OS, the OPT ports are typically not configured as a default. Sometimes they can be configured during installation, but not always.

  • Verify the OS that is installed recognizes the OPT ports.
  • Verify the OS can configure the OPT ports for the proper IP configuration, static, DHCP, IPv4/IPv6, etc.

For all Ethernet ports, verify there are proper firewall rules in place to allow and/or deny the desired traffic through the specified port.

More details for configuration of various OS that are compatible with the Vault can be found on the Protectli Knowledge Base page at this link.
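The per-port checks above can be run against the output of `ifconfig` on a FreeBSD-based OS. The following is an added example, not Protectli code: the sample output is constructed, and the names `em0`, `em2` and `em3` for the WAN and OPT ports are assumptions (only `em1` for the LAN port comes from the text above).

```python
import ipaddress
import re

# Constructed sample of FreeBSD-style `ifconfig` output (not captured from a real Vault).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 169.254.10.1 netmask 0xffff0000 broadcast 169.254.255.255
\tstatus: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
\tstatus: active
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tstatus: no carrier
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tstatus: active
"""

def parse_ifconfig(text):
    """Return {interface: {"addrs": [IPv4Address, ...], "status": str or None}}."""
    ports, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+?):\s+flags=", line)
        if header:
            current = ports.setdefault(header.group(1), {"addrs": [], "status": None})
            continue
        if current is None:
            continue
        inet = re.match(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)\b", line)
        status = re.match(r"^\s+status:\s+(.+?)\s*$", line)
        if inet:
            current["addrs"].append(ipaddress.IPv4Address(inet.group(1)))
        elif status:
            current["status"] = status.group(1)
    return ports

def diagnose(port):
    """Map one parsed port to the check this guide calls for."""
    if port["status"] == "no carrier":
        return "no-link: check cable and green link LED"
    if not port["addrs"]:
        return "unconfigured: no IPv4 address assigned"
    if all(a.is_link_local for a in port["addrs"]):
        return "dhcp-failed: only a 169.254.x.y self-assigned address"
    return "ok"

if __name__ == "__main__":
    for name, port in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(f"{name}: {diagnose(port)}")
```

A port reported as `unconfigured` is the expected default state for OPT ports on many OS; on the WAN port, `dhcp-failed` points at the upstream DHCP server rather than at the Vault.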

Vault seems to be hot

Depending on the load and system activity, the external temperature of the Vault will vary. The Vault uses Intel devices that can monitor the temperature of the CPU, other components and the system. Many OS have the ability to display the temperature data in the dashboard or via other utilities. If running pfSense, we have an article here that covers temperatures and includes a table showing max safe temps.

If the Vault seems hot,

  • Verify the temperature via the OS dashboard or other utility. CPU core temperatures in the 60s °C are not unusual for heavy load.
  • For the FW1, FW2, FW4A series, verify that the ventilation slots on the side of the unit are not blocked.
  • Verify adequate ventilation around the Vault.
  • Verify the ambient temperature where the Vault is installed. Operating temperature is from 0 °C to 50 °C.

We expect that this troubleshooting guide has the information to resolve most common issues that occur with the Vault. However, if there are still unresolved issues, feel free to reach out to us at:

support@protectli.com