
XG Firewall Home registration assistance... trying to upgrade to newer hardware

SF01V (SFOS 17.0.6 MR-6) << booted and loaded unable to register

Tried newest firmware ISO ...

SW-17.5.12_MR-12-664 downloaded iso but boots with no bootable device on this new hardware.

New Hardware: Intel i7 8550U, 8GB DDR4 RAM, dual Intel NICs, SATA 160GB hard disk... VT-x is set in BIOS
BIOS is American Megatrends

I am trying to upgrade my hardware and continue running XG Firewall Home
that I have running on very old Pentium4 ver: SFVH (SFOS 17.5.11 MR-11.HF051220.1)


I have tried registering the new hardware running SFVH (SFOS 17.5.11 MR-11.HF051220.1)
with a new serial number and it fails:

Failed to connect to the registration service
To register, you require an Internet connection, and must be able to connect to the following address:
https://www.sophos.com/

Registration has failed. Error Code:

Operation failed due to an unknown error. Please contact Support.

This could be a problem with the local connection or between your firewall and the server. Your options are:

Shows connected to the Internet as well...

I had the new FW behind my current one with a rule to not scan: no IPS, no Web Filter, no App controls.

License log


INFO May 13 08:44:31 [0]: --requestType = 1
INFO May 13 08:44:31 [0]: --serial = C01001RTVM*****
INFO May 13 08:44:31 [0]: --deviceid = 3527a95f-13ef-4f39-984f-f6e30eed****
INFO May 13 08:44:31 [0]: --model = SF01V
INFO May 13 08:44:31 [0]: --vendor = SO01
INFO May 13 08:44:31 [0]: --upgradedFrom = 0
INFO May 13 08:44:31 [0]: --fwversion = 17.0.6.181
INFO May 13 08:44:31 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_SO.pem
INFO May 13 08:44:31 [0]: --token = Token-Id:SO-D5C052A8
INFO May 13 08:44:31 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_SO.key
INFO May 13 08:44:31 [0]: URL : eu-prod-utm.soa.sophos.com/.../applianceactivation
INFO May 13 08:44:31 [0]: request : { "serialNumber": "C01001RTVM*****", "deviceId": "3527a95f-13ef-4f39-984f-f6e30eed****", "model": "SF01V", "deviceFirmwareVersion": "17.0.6.181", "vendorCode": "SO01" }
INFO May 13 08:44:43 [0]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR", "message":"IIS error: HTTP 403.0 - Forbidden", "statusCode": 403}
ERROR May 13 08:44:43 [0]: Activation Failed : IIS error: HTTP 403.0 - Forbidden
ERROR May 13 08:44:43 [0]: licensing_do_activation() : parsing failed...



  • Hi  

    As per your issue description, the new hardware SFVH (SFOS 17.5.11 MR-11.HF051220.1) is having an issue where registration fails.

    But the license.log which you have pasted here seems to be from SF01V (SFOS 17.0.6 MR-6).

    INFO May 13 08:44:31 [0]: --upgradedFrom = 0
    INFO May 13 08:44:31 [0]: --fwversion = 17.0.6.181

    Do these logs belong to the old hardware or the new one running (SFOS 17.5.11 MR-11.HF051220.1)?

    If possible, provide direct Internet to the device SFVH (SFOS 17.5.11 MR-11.HF051220.1) rather than keeping it behind another one, check the registration status, and share the logs from this scenario if the issue persists.

  • I did try this direct connected to the cable modem before I got the Serial Number registered under my account last night, see below. I can try again this evening...

    The new hardware only boots from the old firmware, the new firmware says no bootable device... hoping to get this registered on this firmware and upgrade over the web process.



    INFO May 12 22:27:33 [0]: --requestType = 1 
    INFO May 12 22:27:33 [0]: --serial = C01001RTVM*****
    INFO May 12 22:27:33 [0]: --deviceid = 8b8bc4b6-3a25-48a8-8311-39374790****
    INFO May 12 22:27:33 [0]: --model = SF01V
    INFO May 12 22:27:33 [0]: --vendor = SO01
    INFO May 12 22:27:33 [0]: --upgradedFrom = 0
    INFO May 12 22:27:33 [0]: --fwversion = 17.0.6.181
    INFO May 12 22:27:33 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_SO.pem
    INFO May 12 22:27:33 [0]: --token = Token-Id:SO-D5C0****
    INFO May 12 22:27:33 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_SO.key
    INFO May 12 22:27:33 [0]: URL : eu-prod-utm.soa.sophos.com/.../applianceactivation
    INFO May 12 22:27:33 [0]: request : { "serialNumber": "C01001RTVM22331", "deviceId": "8b8bc4b6-3a25-48a8-8311-39374790****", "model": "SF01V", "deviceFirmwareVersion": "17.0.6.181", "vendorCode": "SO01" }
    INFO May 12 22:27:34 [0]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR", "message":"IIS error: HTTP 403.0 - Forbidden", "statusCode": 403}
    ERROR May 12 22:27:34 [0]: Activation Failed : IIS error: HTTP 403.0 - Forbidden
    ERROR May 12 22:27:34 [0]: licensing_do_activation() : parsing failed...
    INFO May 12 22:27:51 [0]: --requestType = 1
    INFO May 12 22:27:51 [0]: --deviceid = b8be52ec-ee00-4509-9eee-558d2c3f****
    INFO May 12 22:27:51 [0]: --model = SF01V
    INFO May 12 22:27:51 [0]: --vendor = SO01
    INFO May 12 22:27:51 [0]: --upgradedFrom = 1
    INFO May 12 22:27:51 [0]: --fwversion = 17.0.6.181
    INFO May 12 22:27:51 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_SO.pem
    INFO May 12 22:27:51 [0]: --token = Token-Id:SO-D5C0****
    INFO May 12 22:27:51 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_SO.key
    INFO May 12 22:27:51 [0]: URL : eu-prod-utm.soa.sophos.com/.../applianceactivation
    INFO May 12 22:27:51 [0]: request : { "deviceId": "b8be52ec-ee00-4509-9eee-558d2c3f****", "model": "SF01V", "deviceFirmwareVersion": "17.0.6.181", "vendorCode": "SO01", "upgradedFrom": "SOPHOS" }
    INFO May 12 22:27:52 [0]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR", "message":"IIS error: HTTP 403.0 - Forbidden", "statusCode": 403}
    ERROR May 12 22:27:52 [0]: Activation Failed : IIS error: HTTP 403.0 - Forbidden
    ERROR May 12 22:27:52 [0]: licensing_do_activation() : parsing failed...

  • Has there been a change on the licensing back end to disable the ability of firmware version 17.0.6.181 to register??

  • Hi,

    please check the time of your XG.

    Ian

  • I was looking over the licensing.log file and also checked the /_conf/certificate/licensing/mfgr_vendor_SO.pem used to encrypt the conversation ( SSL ) for the update/registration and I find the Cert has expired on the 17.0.6 MR-6 version I have booted from ...

    SF01V_SO01_SFOS 17.0.6 MR-6# more /_conf/certificate/licensing/mfgr_vendor_SO.pem
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 6 (0x6)
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos Ltd., OU=NSG, CN=Sophos Firewall Content/Licensing CA/emailAddress=updates@sophos.com
    Validity
    Not Before: Apr 27 05:09:54 2015 GMT
    Not After : Apr 26 05:09:54 2020 GMT     <<<<<<  expired  >>>>>>

    ... Is it possible to update the cert on this build to allow me to properly register my install? If so, please provide the method...

    Thanks
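
An added example (not part of any post in this thread, and not Sophos tooling): a Python check that reads the certificate's validity window from the text dump and compares it with the timestamps of rejected activation attempts in the license log. The log lines carry no year, so `year=2020` is an assumption, as is treating the firewall's clock as UTC; the function names are hypothetical.

```python
import json
import re
from datetime import datetime, timezone
# Sample input: validity lines and log lines copied from the thread (trimmed).
CERT_TEXT = ("Not Before: Apr 27 05:09:54 2015 GMT\n"
             "Not After : Apr 26 05:09:54 2020 GMT\n")
LOG_TEXT = """INFO May 13 08:44:31 [0]: --cert = /_conf/certificate/licensing/mfgr_vendor_SO.pem
INFO May 13 08:44:43 [0]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR", "message":"IIS error: HTTP 403.0 - Forbidden", "statusCode": 403}
ERROR May 13 08:44:43 [0]: Activation Failed : IIS error: HTTP 403.0 - Forbidden
"""
LINE = re.compile(r"^\s*(?:INFO|ERROR) (\w{3}\s+\d+ [\d:]{8}) \[\d+\]: (.*)$")

def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def parse_validity(cert_text):
    """Return (not_before, not_after) from an openssl-style text dump."""
    bounds = []
    for label in ("Not Before", "Not After"):
        m = re.search(rf"{label}\s*:\s*(\w{{3}}\s+\d+ [\d:]{{8}} \d{{4}}) GMT", cert_text)
        if not m:
            raise ValueError(f"{label} not found in certificate dump")
        bounds.append(_utc(m.group(1), "%b %d %H:%M:%S %Y"))
    return tuple(bounds)

def failed_activations(log_text, year):
    """Return (time, cert_path, error_code) for each HTTP 403 activation response."""
    cert_path, failures = None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        if msg.startswith("--cert = "):
            cert_path = msg.split(" = ", 1)[1]  # client cert named for this request
        elif msg.startswith("response : "):
            resp = json.loads(msg.split(" : ", 1)[1])
            if resp.get("statusCode") == 403:
                when = _utc(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # year is assumed
                failures.append((when, cert_path, resp.get("errorCode")))
    return failures

def diagnose(cert_text, log_text, year=2020):
    """Flag each rejected activation whose timestamp is outside the validity window."""
    not_before, not_after = parse_validity(cert_text)
    return [{"time": when, "cert": path, "error": code,
             "cert_state": "expired" if when > not_after
                           else "not yet valid" if when < not_before else "valid",
             "days_past_expiry": (when - not_after).days}
            for when, path, code in failed_activations(log_text, year)]
```

Calling `diagnose(CERT_TEXT, LOG_TEXT)` returns one finding per rejected request, so the same check also covers a wrong system clock (the "not yet valid" case), which is the other cause suggested earlier in the thread.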

     

  • Hi Rick,

    I can't answer you on the renewal but you could try regenerating the certificate on the XG and see what happens.

    Ian

  • How do I regenerate this cert? Need the command(s) syntax to do so...

     

  • Hi Rick,

    You go to Certificates -> Certificate authorities -> SecurityAppliance_SSL_CA -> the cogged wheel will regenerate.

    Ian

  • OK we are getting closer to resolving this however .. I did run the Cert Update thru the cogged wheel ... It is showing updated in the GUI, pic attached... I rebooted the FW .. retried and failed. Is there another procedure to get the cert being used for registration to use the updated cert??

    In the advanced console I checked the logs and cert and the cert being used for the registration did not get the update..

    INFO May 14 06:32:05 [0]: --token = Token-Id:SO-D5C0****
    INFO May 14 06:32:05 [0]: --key = /_conf/certificate/licensing/mfgr_vendor_SO.key
    INFO May 14 06:32:05 [0]: URL : eu-prod-utm.soa.sophos.com/.../applianceactivation
    INFO May 14 06:32:05 [0]: request : { "serialNumber": "C01001MX9QP3GA1", "deviceId": "658f3498-47d7-4f8a-9c40-f7888c4*****", "model": "SF01V", "deviceFirmwareVersion": "17.0.6.181", "vendorCode": "SO01" }
    INFO May 14 06:32:06 [0]: response : {"errorCode":"ITSERVICELAYER_CLIENT_AUTHENTICATION_ERROR", "message":"IIS error: HTTP 403.0 - Forbidden", "statusCode": 403}
    ERROR May 14 06:32:06 [0]: Activation Failed : IIS error: HTTP 403.0 - Forbidden
    ERROR May 14 06:32:06 [0]: licensing_do_activation() : parsing failed...

    ~
    SF01V_SO01_SFOS 17.0.6 MR-6# more /_conf/certificate/licensing/mfgr_vendor_SO.pem
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 6 (0x6)
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos Ltd., OU=NSG, CN=Sophos Firewall Content/Licensing CA/emailAddress=updates@sophos.com
    Validity
    Not Before: Apr 27 05:09:54 2015 GMT
    Not After : Apr 26 05:09:54 2020 GMT
    Subject: C=GB, ST=Oxfordshire, O=Sophos Ltd., OU=NSG, CN=SF_Manufacturer_6/emailAddress=sf_manufacturer_6@sophos.com
    Subject Public Key Info:
    Public Key Algorithm: id-ecPublicKey

  • rfcat_vk said:

    Hi Rick

    Please read through this forum thread it might provide some information.

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/120338/problems-with-appliance-cert-change-to-a-new-one

     

    Ian

    Thanks for the link.. I am trying to get the Appliance Cert updated to use a valid SSL cert for registration... this link alludes to using a custom SSL appliance Cert. 

    I updated the SecurityAppliance_SSL_CA via web GUI however the Cert being used to register wasn't updated during that procedure.

    I also updated the appliance cert...

    I did follow the link SYSTEM -> Administration -> Port Settings for Admin Console .. Certificate drop-down ( Only has ApplianceCertificate ) and chose apply... Going to reboot again to see if that updates the /_conf/certificate/licensing/ folder to reflect the certs for the device... until this is updated I don't believe I can get this box registered... Or am I wrong???