Cannot boot legacy models of ProxySG
Article ID: 185094
Updated On:
Products
Issue/Introduction
After December 6th 2018, customers who have specifically upgraded to SGOS 6.5.8.1 (but no higher) and are also using ProxySG appliances 300, 600, 900, 9000 or the Gen 1 Virtual appliances (SWG-V100) will potentially encounter a situation where they will not be able to boot their ProxySG system after December 6th 2018. Customers using these appliances need to confirm the version of their boot loader (instructions to do this are below) and upgrade to SGOS6.5.8.2 or later.
This excludes customers running earlier versions of SGOS and have never upgraded to 6.5.8.1. This also excludes the S-series appliances or Gen 2 virtual appliances (SG-VA). As part of the signature verification, the boot loader validates that the certificate used to sign boot images has not expired. The certificate used to sign all ProxySG system images will expire on December 6th 2018.
Customers who are running the ProxySG SGOS 6.5.8.1 will potentially encounter a situation where they will not be able to boot their ProxySG system after December 6th 2018.
If you are running version 5.8 of the boot loader on December 6th you will no longer be able to boot your ProxySG. Earlier or later versions of the boot loader are not affected.
Resolution
Action Required
Affected customers need to upgrade to SGOS 6.5.8.2 or later before December 6th, 2018. Upgrading to SGOS 6.5.8.2 or later will update the boot loader to version 5.10 or later.
Q: How do I identify my boot loader version?
A:Before December 6th, 2018, login to your ProxySG and in enable mode type the following command:
show installed-systems verbose
At the bottom of the output the Boot chain version will be displayed
Default system to run on next hardware restart: 1
System to replace next: 3
Current running system: 1
Enforce signed: Enabled
Boot_chain Version: v5.8
Alternatively, you can attach to your ProxySG Appliances serial console and reboot the appliance. As part of the appliance reboot the boot loader will print out its version. Here is the output of an affected system.
----------------------------------------------------
Blue Coat Boot v5.8.164198
This machine has the following SGOS systems:
1: Version: SGOS 6.5.8.1, Release id: 164435
Created: Tuesday February 28 2017 04:47:38 UTC
Last-boot: Tuesday November 20 15 2018 18:50:44 UTC, SUCCESS
Disk layout:Compatible
Attributes: Locked, FIPS capable
The default boot system is:
1: Version: SGOS 6.5.8.1, Release id: 164435 64-bit, optimized
Press the space key to select an alternate system to boot.
Seconds remaining until the default system is booted: 5
System number (d for diagnostic menu):
----------------------------------------------------
Customers need to upgrade their boot loader version to 5.10 or later.
Q: How do I upgrade my boot loader version?
A: Boot loader upgrades are contained within ProxySG System images, installing and booting a new version of a ProxySG system image which contains a new boot loader will automatically upload the boot loader.
Q: What Version of ProxySG system image do I need to install?
A: The following major versions contain a newer boot loader and will contain a boot loader upgrade. The below table shows which minimum version you can use to trigger the boot loader upgrade.
|
SGOS Major version |
Version to upgrade to |
|
6.5 |
6.5.8.2 or greater |
|
6.6 |
6.6.3.2 or greater |
|
6.7 |
Any 6.7 version |
Q: How do I know the boot loader has been updated?
A: After installing a new ProxySG system image you need to make sure that system image gets booted the act of booting it will trigger a boot loader upgrade, below is some example output.
----------------------------------------------------
Blue Coat Boot v5.8.164198
This machine has the following SGOS system:
>1: Version: SGOS 6.7.4.1, Release id: 226712
Created: Thursday October 25 2018 21:45:11 UTC
Last-boot:
Disk layout:Compatible
Attributes: Signed, FIPS capable
2: Version: SGOS 6.5.8.1, Release id: 164435
Created: Tuesday February 28 2017 04:47:38 UTC
Last-boot: Tuesday November 20 15 2018 18:50:44 UTC, SUCCESS
Disk layout:Compatible
Attributes: Locked, FIPS capable
The default boot system is:
1: Version: SGOS 6.7.4.1, Release id: 226712
Press the space key to select an alternate system to boot.
Seconds remaining until the default system is booted: 543210
Booting Version: SGOS 6.7.4.1, Release id: 226712
Updating boot chain...has succeeded
Rebooting...
----------------------------------------------------
Blue Coat Boot v5.16.192560
This machine has the following SGOS system:
>1: Version: SGOS 6.7.4.1, Release id: 226712
Created: Thursday October 25 2018 21:45:11 UTC
Last-boot:
Disk layout:Compatible
Attributes: Signed, FIPS capable
2: Version: SGOS 6.5.8.1, Release id: 164435
Created: Tuesday February 28 2017 04:47:38 UTC
Last-boot: Tuesday November 20 15 2018 18:50:44 UTC, SUCCESS
Disk layout:Compatible
Attributes: Locked, FIPS capable
The default boot system is:
1: Version: SGOS 6.7.4.1, Release id: 226712
Press the space key to select an alternate system to boot.
Seconds remaining until the default system is booted: 543210
Booting Version: SGOS 6.7.4.1, Release id: 226712
----------------------------------------------------
Q: What system image versions had the affected boot loader?
A: Only ProxySG 6.5.8.1 contains version 5.8 of the boot loader, if you are running this build you may be affected. However if your appliance was downgraded from a newer ProxySG version that contained a newer boot loader, it may have already been upgraded to a fixed version. You can verify which boot loader you are using by using the “show installed-systems verbose” command from the command line
Feedback
