Certificate Store is missing

Tags: certificate, ssl inspection, certificate store

9 replies to this topic

#1 bpoindexter

bpoindexter
  • Members
  • 9 posts

Posted 15 November 2019 - 03:55 PM

We have 6 firewalls managed by a Control Center.  The following document lists multiple locations that a Certificate Store should be listed: https://campus.barra...tificate-store/

 

The Certificate Store option appears in none of the documented locations, nor does it appear anywhere else I can find.  What do I need to do to fix this?



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 15 November 2019 - 04:06 PM

Are you definitely running the correct firmware version (7.2.x or higher) on your CC and your firewalls, and have migrated the appropriate cluster(s) to the 7.2 release?



#3 bpoindexter

bpoindexter
  • Members
  • 9 posts

Posted 15 November 2019 - 04:21 PM

Most of our firewalls are on 7.1.  I can upgrade the firmware easily enough.  We only have one cluster, how do I go about migrating it?



#4 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 16 November 2019 - 04:05 AM

The Certificate Store is a 7.2 feature, and the link you provided was to the 7.2 documentation, so that's your issue.

 

If I remember correctly then the correct procedure for upgrading managed firewalls is:

 

* Upgrade your Control Center to the latest 7.2 release

* Use the Firmware Update feature to upgrade all of your managed firewalls to the same 7.2 release

* Use the Firmware Update feature to install any applicable hotfixes 

* Using the Control Center Configuration Tree, right click your cluster and do "Migrate", choosing 7.2 when it asks you for a target release

* Your current 7.1 configuration will be upgraded to 7.2 - note that this may change some default settings, so before activating the change you should quickly review the settings to make sure nothing major has changed that could cause you problems

* Once you're happy that the configuration is sensible, activate the changes and the new 7.2 configuration should be pushed out to your 7.2 boxes, including any new changes you want to make to the new Certificate Store configuration 



#5 bpoindexter

bpoindexter
  • Members
  • 9 posts

Posted 26 November 2019 - 04:59 PM

The Certificate Store is a 7.2 feature, and the link you provided was to the 7.2 documentation, so that's your issue.

 

If I remember correctly then the correct procedure for upgrading managed firewalls is:

 

* Upgrade your Control Center to the latest 7.2 release

* Use the Firmware Update feature to upgrade all of your managed firewalls to the same 7.2 release

* Use the Firmware Update feature to install any applicable hotfixes 

* Using the Control Center Configuration Tree, right click your cluster and do "Migrate", choosing 7.2 when it asks you for a target release

* Your current 7.1 configuration will be upgraded to 7.2 - note that this may change some default settings, so before activating the change you should quickly review the settings to make sure nothing major has changed that could cause you problems

* Once you're happy that the configuration is sensible, activate the changes and the new 7.2 configuration should be pushed out to your 7.2 boxes, including any new changes you want to make to the new Certificate Store configuration 

 

When I right click the cluster and select Migrate Cluster, I get an error message that says "Nothing to migrate".



#6 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 27 November 2019 - 06:21 AM

That sounds like your Control Center is still running 7.1, and the "nothing to migrate" is showing because the Control Center doesn't know about any newer firmware releases. Did you definitely upgrade that?



#7 bpoindexter

bpoindexter
  • Members
  • 9 posts

Posted 27 November 2019 - 09:28 AM

That sounds like your Control Center is still running 7.1, and the "nothing to migrate" is showing because the Control Center doesn't know about any newer firmware releases. Did you definitely upgrade that?

 

I made some progress on this, though it has created new issues.

 

Just to paint the picture fully, where I started was with upgrading firmware on my CC and all my firewalls to newest version: 8.0.1-0383.  This was coming from firewalls mostly on 7.1 with one of them on 7.2, and with CC on 7.0.  I am 100% sure this is done on my firewalls.  I *think* it's done on my CC, I know that if I log in to CC firewall it states 8.0.1-0383 as its firmware version.  Our CC is deployed as a Hyper-V VM, in case that matters.

 

My initial issue with having 'nothing to migrate' did appear to be CC related.  After I upgraded its firmware, I was given the option to migrate my cluster from 7.0 to 7.1, which I did.  After that was successfully done, I was given the option to migrate the cluster from 7.1 to 7.2, which again I did.  At this point you'd assume I'd have the option to go to 8.0 on the cluster, but I do not.

 

I also have a new problem.  When editing firewall rules in CC for one of my managed firewalls, I get a notice stating: Ruleset has feature level 7.2.  Firmware version is 7.0.2-094.  Some features of this ruleset may be disabled.

 

That seems to be a patently incorrect statement.  Firmware version 100% is 8.0.1-0383 at this point, verified multiple times.  If I go under Settings -> Setup in firewall rules, it does indicate feature level is at 7.2, so that much seems right.

 

The only thing I can figure is that I've somehow upgraded the CC to 8.0.1 but it's still treating the firewalls as if they're on a version 7 release.  I can't find any setting for anything like that.



#8 bpoindexter

bpoindexter
  • Members
  • 9 posts

Posted 27 November 2019 - 09:34 AM   Best Answer

I made some progress on this, though it has created new issues.

 

Just to paint the picture fully, where I started was with upgrading firmware on my CC and all my firewalls to newest version: 8.0.1-0383.  This was coming from firewalls mostly on 7.1 with one of them on 7.2, and with CC on 7.0.  I am 100% sure this is done on my firewalls.  I *think* it's done on my CC, I know that if I log in to CC firewall it states 8.0.1-0383 as its firmware version.  Our CC is deployed as a Hyper-V VM, in case that matters.

 

My initial issue with having 'nothing to migrate' did appear to be CC related.  After I upgraded its firmware, I was given the option to migrate my cluster from 7.0 to 7.1, which I did.  After that was successfully done, I was given the option to migrate the cluster from 7.1 to 7.2, which again I did.  At this point you'd assume I'd have the option to go to 8.0 on the cluster, but I do not.

 

I also have a new problem.  When editing firewall rules in CC for one of my managed firewalls, I get a notice stating: Ruleset has feature level 7.2.  Firmware version is 7.0.2-094.  Some features of this ruleset may be disabled.

 

That seems to be a patently incorrect statement.  Firmware version 100% is 8.0.1-0383 at this point, verified multiple times.  If I go under Settings -> Setup in firewall rules, it does indicate feature level is at 7.2, so that much seems right.

 

The only thing I can figure is that I've somehow upgraded the CC to 8.0.1 but it's still treating the firewalls as if they're on a version 7 release.  I can't find any setting for anything like that.

 

Need to update this.  I ran Firewall Admin on a different workstation and stopped getting the ruleset error...that seems to be a computer-specific problem and not an issue in the CC or the firewalls at this point.  Firewall Admin on the other workstation also gives me the option to bump my cluster to 8.0 if I choose to, so there's definitely an issue with that particular workstation.  I don't care enough about that issue to really pursue it further.

 

On a positive note, I do have the certificate store and SSL inspection options, which is what I started this process for in the first place.  I have not decided if I'm going to go ahead and bump my cluster to 8.0 yet or not, but the goal of getting access to SSL inspection and certificate store has been achieved, so I consider this issue solved and closed.



#9 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 27 November 2019 - 09:36 AM

At this point I would suggest opening a support case - upgrading the CC to 8.0.1 should enable the migration of a cluster to the 8.0 feature level.

 

It also seems like you do have at least one firewall running 7.0 which is going to cause issues with the 7.2 Firewall ruleset.

 

As a general rule, the cluster version CAN be lower than the firewall version (for example you can reliably manage Firewalls running 7.2 from a 7.0 cluster, although some 7.2 settings may be stuck on their defaults because they didn't exist in 7.0 and therefore cannot be changed), however the firewall version can NOT be lower than the cluster version (so you can't reliably manage 7.0 firewalls with a 7.2 cluster because the CC may push settings that the firewall does not know about).
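
The version rule above, together with the upgrade order from post #4, written as a pre-migration check. This is an added example, not part of the thread and not a Barracuda tool; the host names, the inventory and the `7.1.0-001` string used in testing are constructed, the release list covers only the versions named in this thread, and migrating one release at a time is an assumption based on what post #8 reports.

```python
import re

# Feature levels named in this thread, oldest first (assumed list for the example).
RELEASES = ["7.0", "7.1", "7.2", "8.0"]

# Constructed inventory: host names are hypothetical, firmware strings are the
# two quoted in the thread (8.0.1-0383 and the 7.0.2-094 from the ruleset notice).
SAMPLE = {
    "fw-hq-1": "8.0.1-0383", "fw-hq-2": "8.0.1-0383",
    "fw-branch-1": "8.0.1-0383", "fw-branch-2": "8.0.1-0383",
    "fw-branch-3": "7.0.2-094", "fw-dmz-1": "8.0.1-0383",
}

def feature_level(firmware):
    """Map a firmware string such as '8.0.1-0383' to its major.minor release."""
    m = re.match(r"^(\d+)\.(\d+)\.\d+-\d+$", firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    level = f"{m.group(1)}.{m.group(2)}"
    if level not in RELEASES:
        raise ValueError(f"release {level} is not in the known list")
    return level

def rank(level):
    return RELEASES.index(level)

def audit(cc_firmware, cluster_level, firewalls):
    """Return (too_old, max_safe_level, steps).

    too_old        firewalls running firmware below the current cluster level,
                   i.e. boxes the CC may push unknown settings to
    max_safe_level highest cluster level that neither the CC nor any firewall
                   is below
    steps          release-by-release migrations from cluster_level up to
                   max_safe_level (empty means nothing can be migrated yet)
    """
    levels = {name: feature_level(fw) for name, fw in firewalls.items()}
    too_old = sorted(n for n, lvl in levels.items() if rank(lvl) < rank(cluster_level))
    ceiling = min([rank(feature_level(cc_firmware))] + [rank(l) for l in levels.values()])
    steps = RELEASES[rank(cluster_level) + 1 : ceiling + 1]
    return too_old, RELEASES[ceiling], steps

if __name__ == "__main__":
    too_old, safe, steps = audit("8.0.1-0383", "7.2", SAMPLE)
    print("below cluster level:", too_old)
    print("highest safe cluster level:", safe)
    print("migration steps available:", steps or "none")
```

With the constructed inventory, the single 7.0 box is reported as below the 7.2 cluster level and no further migration is offered until it is upgraded.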



#10 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 27 November 2019 - 09:37 AM

Need to update this.  I ran Firewall Admin on a different workstation and stopped getting the ruleset error...that seems to be a computer-specific problem and not an issue in the CC or the firewalls at this point.  Firewall Admin on the other workstation also gives me the option to bump my cluster to 8.0 if I choose to, so there's definitely an issue with that particular workstation.  I don't care enough about that issue to really pursue it further.

 

On a positive note, I do have the certificate store and SSL inspection options, which is what I started this process for in the first place.  I have not decided if I'm going to go ahead and bump my cluster to 8.0 yet or not, but the goal of getting access to SSL inspection and certificate store has been achieved, so I consider this issue solved and closed.

 

Did you also download the 8.0 release of Firewall Admin? I didn't specifically mention it above, but after upgrading the CC to 8.0 it should have popped up a warning and a link to the download the first time you logged in, I believe. It seems like maybe your other workstation has a newer Firewall Admin which knows about the 8.0 firmware release?