Cannot boot legacy models of ProxySG

book

Article ID: 185094

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

After December 6th 2018, customers who have specifically upgraded to SGOS 6.5.8.1 (but no higher) and are also using ProxySG appliances 300, 600, 900, 9000 or the Gen 1 Virtual appliances (SWG-V100) will potentially encounter a situation where they will not be able to boot their ProxySG system after December 6th 2018. Customers using these appliances need to confirm the version of their boot loader (instructions to do this are below) and upgrade to SGOS6.5.8.2 or later.

This excludes customers running earlier versions of SGOS and have never upgraded to 6.5.8.1. This also excludes the S-series appliances or Gen 2 virtual appliances (SG-VA).  As part of the signature verification, the boot loader validates that the certificate used to sign boot images has not expired. The certificate used to sign all ProxySG system images will expire on December 6th 2018.

Customers who are running the ProxySG SGOS 6.5.8.1 will potentially encounter a situation where they will not be able to boot their ProxySG system after December 6th 2018.

If you are running version 5.8 of the boot loader on December 6th you will no longer be able to boot your ProxySG. Earlier or later versions of the boot loader are not affected.

Resolution

Action Required

Affected customers need to upgrade to SGOS 6.5.8.2 or later before December 6th, 2018. Upgrading to SGOS 6.5.8.2 or later will update the boot loader to version 5.10 or later.

Q: How do I identify my boot loader version? 

A:Before December 6th, 2018, login to your ProxySG and in enable mode type the following command:

show installed-systems verbose

At the bottom of the output the Boot chain version will be displayed

Default system to run on next hardware restart: 1

System to replace next: 3

Current running system: 1

Enforce signed: Enabled

Boot_chain Version: v5.8

Alternatively, you can attach to your ProxySG Appliances serial console and reboot the appliance. As part of the appliance reboot the boot loader will print out its version. Here is the output of an affected system. 


----------------------------------------------------
Blue Coat Boot v5.8.164198                                   
                                                                                
This machine has the following SGOS systems:

 1: Version: SGOS 6.5.8.1, Release id: 164435
    Created:    Tuesday February 28 2017 04:47:38 UTC
    Last-boot:  Tuesday November 20 15 2018 18:50:44 UTC, SUCCESS
    Disk layout:Compatible
    Attributes: Locked, FIPS capable

The default boot system is:
  1: Version: SGOS 6.5.8.1, Release id: 164435 64-bit, optimized

Press the space key to select an alternate system to boot.

Seconds remaining until the default system is booted: 5
System number (d for diagnostic menu): 
----------------------------------------------------

Customers need to upgrade their boot loader version to 5.10 or later. 


Q: How do I upgrade my boot loader version?

A: Boot loader upgrades are contained within ProxySG System images, installing and booting a new version of a ProxySG system image which contains a new boot loader will automatically upload the boot loader.


Q: What Version of ProxySG system image do I need to install?

A: The following major versions contain a newer boot loader and will contain a boot loader upgrade. The below table shows which minimum version you can use to trigger the boot loader upgrade.

SGOS Major version

Version to upgrade to

6.5

6.5.8.2 or greater

6.6

6.6.3.2 or greater

6.7

Any 6.7 version

 

Q: How do I know the boot loader has been updated?

A: After installing a new ProxySG system image you need to make sure that system image gets booted the act of booting it will trigger a boot loader upgrade, below is some example output.


----------------------------------------------------
Blue Coat Boot v5.8.164198

This machine has the following SGOS system:

>1: Version: SGOS 6.7.4.1, Release id: 226712
    Created:    Thursday October 25 2018 21:45:11 UTC
    Last-boot:  
    Disk layout:Compatible
    Attributes: Signed, FIPS capable

   2:  Version: SGOS 6.5.8.1, Release id: 164435
         Created:    Tuesday February 28 2017 04:47:38 UTC
         Last-boot:  Tuesday November 20 15 2018 18:50:44 UTC, SUCCESS
         Disk layout:Compatible
         Attributes: Locked, FIPS capable

The default boot system is:
 1: Version: SGOS 6.7.4.1, Release id: 226712

Press the space key to select an alternate system to boot.

Seconds remaining until the default system is booted: 543210

Booting Version: SGOS 6.7.4.1, Release id: 226712
Updating boot chain...has succeeded
Rebooting...
----------------------------------------------------

Blue Coat Boot v5.16.192560

This machine has the following SGOS system:

>1: Version: SGOS 6.7.4.1, Release id: 226712
    Created:    Thursday October 25 2018 21:45:11 UTC
    Last-boot:  
    Disk layout:Compatible
    Attributes: Signed, FIPS capable

   2:  Version: SGOS 6.5.8.1, Release id: 164435
         Created:    Tuesday February 28 2017 04:47:38 UTC
         Last-boot:  Tuesday November 20 15 2018 18:50:44 UTC, SUCCESS
         Disk layout:Compatible
         Attributes: Locked, FIPS capable

The default boot system is:
 1: Version: SGOS 6.7.4.1, Release id: 226712

Press the space key to select an alternate system to boot.

Seconds remaining until the default system is booted: 543210

Booting Version: SGOS 6.7.4.1, Release id: 226712
----------------------------------------------------

Q: What system image versions had the affected boot loader?

A: Only ProxySG 6.5.8.1 contains version 5.8 of the boot loader, if you are running this build you may be affected. However if your appliance was downgraded from a newer ProxySG version that contained a newer boot loader, it may have already been upgraded to a fixed version. You can verify which boot loader you are using by using the “show installed-systems verbose” command from the command line