Solutions

How do I create a profile using the Director Management Console (DMC)?

Solutions ID:    KB4322
Version:    11.0
Status:    Published
Published date:    03/11/2011
Updated:    03/28/2012
 

Problem Description

I want to use one SG as the source of all my profiles for my SG appliances. How do I do this?

What is the difference between a Overlay file, a Profile, and a Backup of a SG appliance?

When should I use a unique profile for an SG appliance?

How do I turn one of my SG appliances into the Golden configuration ( a profile) that all my SGs can use?

How do I create an extra ad on file to send to my SG appliances, such as a refreshable? 

What is a refreshable?

How to I create a backup of my SG appliances files?

How do I troubleshoot a profile?

Resolution

NOTE: This article assumes you have registered your ProxySG appliances with the Director.

What is the difference between an overlay, a backup, and a profile?

The main difference between these three features of the Java based, Director Management Console (DMC)  is their intent.   

A profile is a set of configuration commands that is pulled from a optimally configured ProxySG appliance, saved in Director and then applied to on or more target devices. It allows you to replicate the configuration of a ProxySG appliance to one or more ProxySG appliances and is offers one way to standardize on the passwords for all ProxySG appliances throughout your network.

An overlay is a subset of the device configuration and is applied separately or on top of a profile to define additional configuration.It is designed to modify settings defined in a profile or to add device- or group-specific settings that are not included in the profile. When you execute an overlay, the updates or changes are merged into the existing configuration for the device or group of devices.

A back up saves the configuration of the ProxySG appliance and allows you to restore the appliance to a stable configuration, in the event that you face a problem with the managed device. This ProxySG appliance back up , also called a device back up, is stored on Director. By default, Director stores 10 backups for each ProxySG appliance. While a backup has the same contents as a profile, you must create a profile to configure other ProxySG appliances.

Should I use a separate Profile for each model?

There should be no reason to build different profiles for each model type, unless they’re meant to do different things.  However,we suggest you use different profiles in these cases:

  • Different SGOS versions – each version might introduce a new command or change one, and the profile has to have a set of commands supported by the SGOS target version
  • Different functionality at the SG – for instance, there might be different configurations for branch servers vs. core servers or forward proxy vs. reverse proxy deployments.  This can be achieved either through different profiles, one for each configuration needed.
  • The config in a profile could for example reference an interface name which is not available on all platforms/models. However, if your customer is always using IF 0:0 for example, there should be no issue.

To create a profile, follow these steps.

1:  Login to the Director Management Console ( DMC): 

  • After you login, navigate to the configure tab.
  • Ensure you have chosen "profiles" in the drop down list.
  • Right click on the configuration library area, (on the right of your screen) and press new profile.
  • Give this new profile a name of say 'My new profile'
  • Click on the radio button for device, rather than URL.
  • Browse and choose the SG you want to pull a profile/overlay file from.
  • Press ok
  • A new profile will now be added to the DMC configuration library, on the right hand side. 

 2: To send this profile back to this, and other SG appliances, follow these steps.

  1. Click on the configure tab,
  2. Naviagate to the profile you configued above, in step 1.
  3. Right click on it, and choose edit.
  4. Remove the SSH key section that we highlight in KB3204
  5. Between the sections starting with "nline keyring show configuration-passwords-key "end-479427578-inline""     and " end-479427578-inline
  6. TIP: Ensure you select and delete the the above mentioned text as well.   The exact section you should delete is also detailed here- KB3204
  7. Press ok.
  8. Result: you have now edited out the keyring part of the configuration.
  9. Navigate to the device you want to send this profile to.
  10. Right click on the profile again, but this time select "execute". 
  11. If the 'execute option is greyed out you have not properly selected your SG appliance object.
  12. Once you press 'execute' you will be warned of keyring errors.
  13. Execute profile "My new profile" on model "200-C"
  14. You will see the below warnings.
     

Warning: This profile may exclude SSL keyrings and passwords from the source Device.  If such security credentials are required, modify the Director connection settings for the source Device to use SSH-RSA and recreate the Profile.

This will overwrite the existing configuration and reload the SG.
Do you want to proceed?

  • Press ok on the above warmings,  and the profile will be sent to the SG.
  • This will take a few minutes, and  SG will be reboot,
  • Once it completes, you should see this message..

Profile execution complete for device "SG402"

 

To create a backup of a ProxySG appliance, follow these steps.

  • Login to the Director Management Console ( DMC) .
  • Navigate to the Configure tab.
  • Select the device you want to backup.
  • Click on the link that is named "Launch Backup manager''
  • Choose 'create' to create a new backup for this device.

 

To create a overlay file, follow these steps: 

  • After you login, navigate to the configure tab.
  • Ensure you have chosen "overlays" in the drop down list.
  • Right click on the configuration library area, (on the right of your screen) and press new overlay.
  • Give this new overlay  name of say 'My new profile'
  • Click on the radio button for device, rather than URL.
  • Browse and choose the SG you want to pull a profile/overlay file from.
  • Choose the method in which you want to add to this file. 
  • Your options are:
    • using the SG UI.
    • CLI.
    • Content policy and using a  refreshable configurations  such a Proxy SG Pac files and routing
  • TIP:  A refreshable is content that will be refreshed from this source SG, whenever this overlay is sent out to your chosen target  SGs.  You mainting the Golden, or source SG with configuration you consider Golden, and this configuration is updated every time you send this overlay file out.
  • Press ok
  • A new overlay file is  now be added to the DMC configuration library, on the right hand side

Troubleshooting tips.

1: All overlay, profiles, and Backup files are formed in the SGS own Command line syntax, and can be sent to them directly, through a SSH terminal session, using Putty, or something similiar.   For example, in the 'sending a profile section above (section  2) , you can cut and past the contents you extracted in step 6, and send it to the SG directly through a SG Putty session, therebv bypassing the Director appliance. 

2: Here are three examples of very generic overlay files. One creates BCWF fitler configuration and  another creates a FTP ocation for the SG to send an access log two.  Either of these overlay files could be cut and pasted into a putty sesion of any SG, thereby bypassing the Director.  We suggest using this type of troubleshooting methodoly for Director profiles, overlay files, and backups.

EXAMPLES:

1: Bluecoat webfilter example:

content-filter
bluecoat
download username "BCWF-MAR1511"
exit
exit

Steps to create the above BCWF setup overlay file.

  • Choose and Launch the "Device management console"  option.
  • Click on content filtering, and choose "Bluecoat"  and then enter the user name of "BCWF-MAR1511"
  • Then select "save to overlay" 
  • Here, it creates a section named "bluecoat"
  • TIP: No overlay can save passwords.

2: Access logging example:

access-log
enable
exit

access-log
edit log main
client-type ftp
ftp-client primary host "dummy.ftp.com" 21
ftp-client primary path "/"
ftp-client primary username "Goofy"
exit
exit

Steps in creating the above two sections of access log configuration.

  • Choose and Launch the "Device management console"  option.
  • Click on the 'access logging' section.
  • Click on "general' and enable acces logging.
  • Click on logs, and choose upload client.
  • Select the client type as press the 'settings' button.
  • Type in dummy.ftp.com as the FTP host, and Goofy as the username.
  • Select "save to overlay' .
  • Here it creates a two sections in the overall overlay file called "General access logs" and "Access logs.
  •  TIP: No overlay can save passwords.

3:  For information on how to create a SG proxy PAC file, see KB1395 

You can use this article in conjuction with the instructions above to standardize on your pac file settings accross your SG network.

 

Links to other relevant Articles:

For a list of what other CLI commands are sent to the SG while using a Profile, see FAQ1177

For a list of Command Line Interface syntax, see KB4178

For details on how to create a debug dump, an archive, and a overlay file, see KB1441

For details on how to create a overlay file that only contains KEY pair information, without config see KB3204

For details on an a device buffer overlfow error when editing a overlay, see KI380

 


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question