Validate SGOS system image and bootchain using "show installed-systems verbose" command

book

Article ID: 168506

calendar_today

Updated On:

Products

Asset Management Solution Data Center Security Monitoring Edition ProxySG Software - SGOS

Issue/Introduction

SGOS 6.5.7.5 and later includes a way for you to validate your SGOS system image and bootchain on the ProxySG appliance. After you upgrade to SGOS 6.5.7.5 or later, you can use the show installed-systems verbose CLI command to display the image signature. You can then compare the signature displayed for each release against a list of valid signatures posted on MySymantec.

Important: This method is available for the ProxySG 300, 600, 810, 900, 9000, S-Series, MACH5 VA, and SWG VA platforms. In addition,  the show installed-system verbose output does not always display system image signatures for releases prior to SGOS 6.5.x. In certain releases (in SGOS 6.6.x, this applies to 6.6.5.17 and later, and in SGOS 6.7.x, to 6.7.4.141 and later), the show installed-system verbose command does not display image signatures because the boot loader automatically verifies the signature during the boot process. The signatures on the MySymantec  that you can use for comparison are available only for SGOS 6.5.x and later releases.

Step 1: Upgrade SGOS

If you have already upgraded to SGOS 6.5.7.5 or later, proceed to Step 2: Compare Signatures.

  1. Log in to MySymantec with your username and password.
  2. Click Network Protection (Blue Coat) Downloads.
  3. In the Browse My Software and Documentation table, click ProxySG. Then, select your platform/product model.
  4. Select the release and agree to the terms. 
  5. Download and read the SGOS Release Notes for this specific release. In addition, refer to the SGOS Upgrade/Downgrade Guide to determine that your upgrade path is supported.
  6. Download the system image. 
  7. Upgrade SGOS. 

Step 2: Compare Signatures

For each system image you want to validate, compare the value in the signature file with the value in CLI output.

  1. If needed, log in to MySymantec again and locate the release. Look for the signature file (SGOS_signatures.txt).
  2. Download and open the signature file.
  3. Locate the bootchain signatures near the top of the file. Below the bootchain signatures, look for the system image signatures on a line that corresponds to an SGOS release.
  4. Log in to the ProxySG CLI and type the following command: > show installed-systems verbose
  5. In the command output, look for the image you want to verify and note the Signature: value. If it matches the value in the signature file, it is valid. Refer to the "Sample CLI Output" section in this article for an example. If the value does not match, contact Symantec Technical Support. 
  6. Repeat the previous steps for each image that you want to validate.
Note: The Boot_chain Signature: and Boot_chain Version: values indicate the bootchain's signature and version. If you run the command on the 810 platform, the Boot_chain values are empty.

Sample CLI output

> show installed-systems verbose
ProxySG Appliance Systems
1. Version: SGOS 6.5.7.5, Release ID: 157094
   Saturday May 2 2015 09:12:21 UTC,
   Attributes: Signed, FIPS capable
   Boot Status: Last boot succeeded, Last Successful Boot: Tuesday May 5 2015 12:56:55 UTC
   Disk Layout: Compatible
   Signature: 8527623d006f290ac74e2f8cd4c75d4bf7e9c537
   ...
Default system to run on next hardware restart: 2
System to replace next: 5
Current running system: 2
Enforce signed: Enabled
Boot_chain Signature: <signature>
Boot_chain Version: <version>
 

Resolution