Using Director to copy a configuration from one ProxySG to many others without copying the SSL keyrings


Article ID: 167106


Updated On:


Mobility Threat Protection Director


Each ProxySG appliance contains a SSL keyring certificate in its configuration backup.  This aricle shows how you can seperate the SSL Keyring certificate information from the configuration backup, thereby not pushing out configurations that do not contain unique certificates.


NOTE: This article does not expose your appliance birth certificate in the backups. They are never exposed in any text related file on the SG, or Director.  To renew this, you need to RMA the device.

NOTE: This solution has two main steps to it. We assume you already have a created profile you want to push out:

  1. Creating a overlay that includes a unique SSL keyring certificate.
  2. The creation of a job to push the golden profile out, followed by each of the SSL related overlays.

1: Procedure to create overlay for each ProxySG with its SSL certificates

  • Select the Configure tab of the Director Management Console (DMC).
  • Select a device that you will want to use in order to create overlay with SSL Certificates.
  • Click on the link “Launch Backup Manager” in Device Summary pane. (Screenshot below)




  • It will launch the Device Backup Manager dialog.
  • Click on the Create button and click on Yes in Create Backup confirmation dialog to create a backup. (Screenshot below)


  • Once backup creation is completed, click on the “View Contents >>” button at the bottom of the dialog.
  • This will populate the “Backup Contents” pane with the ProxySG's configuration. (Screenshot below)

  • Copy the text starting from the !- BEGIN ssl marker to !- END ssl marker from the Backup Contents text area and click on the “Close” button. (Screenshot below)

  • On the Configuration tab, select Overlays in the show drop down box of the Configuration Library pane. 
  • Click on the New button at the bottom and select the overlay to create new overlay.

  • This will dispay “Create new Overlay” dialog.
  • Provide a name to the overlay and click on the “Using CLI” radio button in “Add to overlay” section”.
  • This will launch “Add commands to add to the overlay” dialog, paste the text that you have copied from the backup above into the textbox.

  • Click on OK and again click on OK in “Create new overlay” dialog to create overlay.
  • Now you have overlay with the SSL certificates.

NOTE:  You will need to repeat these steps for each ProxySG, creating a unique overlay file for all of them.

2: Creating a job to push the Golden profile out with each SSL overlay.

  • Select the “Jobs” tab of the DMC
  • Click on the New button and Select config job. (Screenshot below)


  • That will launch the “Create a new Job” dialog, provide the name for the job and Click on the “Actions” tab.
  • Click on the “New” button on bottom of the dialog to create a new action.
  • Select the “Push Profile” action in the Action dropdown menu. (Screenshot below )


  • Select Profile that you want to push to the ProxySG in the Profile drop down and click on the “Select Target Devices” ellipse button and select the Group or Device or All that you want to push.
  • Click on Apply.  This will create the Push Profile action in the job. (Screenshot below )




  • Next, create the actions to push the corresponding SSL overlay to the ProxySGs.
  • Click on the New button to create a new action and select the Push Overlay action in the Action dropdown list.


  • Select the SSL overlay that you want to push to this ProxySG in the Overlay drop down down.
  • Select the corresponding ProxySG using the “Select target devices(s)” ellipse button and click on the Apply button to create the Push Overlay action.

NOTE: Repeat the above steps to create the Push Overlay actions to all ProxySG to push SSL overlays to, as seen in the screenshot below.


NOTES:  After creating all actions, select the OK to create each Job.  If you execute the created job first it will push the profile to the ProxySGs and after that it will start pushing to the SSL overlays to corresponding ProxySGs.