Host key validation is a feature of the SSH protocol. It is designed to prevent devices from impersonating legitimate servers in an attempt to steal credentials and data (a man-in-the-middle attack). To prevent such attacks, each device has a unique host key that can be used to establish the identity of the host. If a device supports it, Symantec recommends that you enable host key validation because it can warn you of a man-in-the-middle attack. In that case, Management Center notes that host verification failed and prompts you to verify the SSH host fingerprint.
If you receive the "Host Verification Failed" error when adding an ASG/ProxySG to MC, see the steps below.
You can verify the host fingerprint using one of the following methods:
# ssh-keygen -l -E sha256 -f /tmp/hostkey
The system displays the host key.
In Management Center, select the "System-defined: default" SSL Context Override option to resolve the "Host Key Validation" error. See the snippet below for the expected settings.
Ensure the device name is unique (not the same name used when the same appliance was previously added). Do not forget to click the "Save" button.
The device has now been successfully added to the MC, using the public key. See the snippet below.
Note that if port 8082 is used to manage devices, it does not have the same access level as port 22 (because of the enable password in the CLI). As a result, certain operations, such as executing scripts from Management Center on either Content Analysis System or ProxySG, may fail with an "Invalid Credentials" error. This is especially common if an older release of Content Analysis System was upgraded to a newer release, because on older releases of CAS an enable password was not mandatory.