View Full Version : HFA_40 and EDGE boxes



cosmo.xeon
2009-03-19, 21:11
Hi guys,

I had this lock out problem with the edge boxes deployed on various sites across the state after I pushed out the policy from the newly HFA_40 patched management box.

1) After the policy push, the smartview tracker didn't show any logs for those edge boxes.

2) I was not able to ping or ssh to the box despite the rules allowing me to do so.

3) When physically connecting the laptop to the LAN interface of the box, I was unable to https to it.

4) I had to hard reset the box to factory defaults to go on any further.

It ended up in rolling back the HFA_40 patch from the management box.

The firmware version for all the edge boxes is 5.0.82x for consistency in the enterprise.

Any help in this will be highly appreciated as I was unable to check the logs as the box was completely numb.

Regards.

danjun
2009-03-23, 08:05
NGX (R65) HFA_40 adds support for the major firmware version 8.x
NGX (R65) HFA_40 brings in all the functions that come with NGX (R70).
Both NGX (R65) HFA_40 and NGX (R70) come with libsw version 8.0.36x as default firmware version.
NGX (R70) release notes clearly state "R70 Security Management can manage UTM-1 Edge devices with firmware 7.5 and up. Earlier firmware is not supported."

--

The error you encountered is that you used a long unsupported firmware released in the summer of 2005 and compiled a security policy with NGX (R65) HFA_40 and libsw (SofaWare libraries on your SmartCenter Server) version 8.0.36x for them. This doesn't work, is unsupported and not recommended at all.

Just update all your Edges and the libsw files to 8.0.37x, install the security policy for your Edges and you'll be happy again.

msjouw
2009-03-23, 08:18
V 5.0 is really old, your best bet is to move to 7.5 or even 8.0 if you can get that past your company's policy.
Even if you have the older devices that compare to the IP40 and IP45 they have older firmware in them that is no longer supported with the 8.x libsw. You can copy the 7.5.55 Libsw to them and push the policy that will support the older firmwares.
To disconnect the Edge from the Smartcenter and unload the policy that locks you out go to the Edge object in SmartDashboard and in the Advanced tab you will see the Script field, this will allow you to send a command to the Edge, try this command: set smp connect disable (older boxes require set service-center connect disable)
This will allow you back in and then you could do an upgrade of the firmware and reconnect to the Smartcenter when you have made the appropriate changes.

cosmo.xeon
2009-04-01, 00:48
Thanks Guys, I tried the firmware upgrade on a test box and pushed a number of policies, all working good.

Thanks ....