Blue Coat ProxySG – Issues Upgrading SGOS From 5.5.x.x to 6.2.x.x

Following an upgrade on an SG600-10, from 5.5.3.31 to 6.2.9.1, I encountered the errors below, and was unable to pass traffic through the proxy using the BlueCoat WebFilter categories for “Allow”/“Deny”.

As this specific ProxySG is a non-production device, there are very few users working with it, and the first I noticed of the issue was an email from the ProxySG itself.

From: ProxySG@Company-X.com [mailto: ProxySG@Company-X.com] 
Sent: Thursday, June 14, 2012 1:51 PM
To: Ryan
Subject: ProxySG Appliance Event 500098

2012-06-14 19:51:00-00:00UTC  "Download of Blue Coat database failed"  0 500098:1 Mailed cfs_admin.cpp:676

This led me to jump onto the ProxySG web UI and check the download status of the BCWF database, which revealed some errors.

Download log:
  Blue Coat download at: 2012/06/14 20:20:45 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting differential update
  File has not changed since last download attempt; no download required
  Rebuild of existing database required
  Update cache entries: 113
  Update cache version: 321660419
  Database size:        1084
  Building database
    ERROR: File is not a complete Database: type=2
  Database build failed

Previous download:
  Blue Coat download at: 2012/06/14 20:14:33 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting differential update
  Download size:        1084
  Added 85 entries to update cache
  Update cache entries: 145
  Update cache version: 321660418
  Differential update applied successfully

So from there I went off to check the firewall logs and verified that nothing has changed with them, and that the connections are making it out of the Company-X network towards the BCWF servers.

[Image: Firewall Logs - Proxy To BCWF Servers]

Another step was to attempt a policy push on the ProxySG. The image below is what I saw on VPM when attempting the policy install:

[Image: ProxySG VPM Policy Install Error - WebFilter Categories]

Troubleshooting actions thus far:
1. Rebooted proxy while running on SGOS 6.2.9.1
a. Still receiving ProxySG Appliance Event 500098 emails
b. Still see “database build failed” message for BCWF

2. Reverted back to SGOS 5.5.3.31
a. No longer receive ProxySG Appliance Event 500098 emails
b. Still see “database build failed” message for BCWF

Q – “Is there a way to flush out the BCWF database and re-download as if it were being downloaded for the first time??”
A – “But, of course!!”

RESOLUTION

Purge the BlueCoat WebFilter database

In order to purge and force a full download of the Blue Coat Web Filter (BCWF) content filter database, you will need to have access to the command line interface (CLI), either through the serial port/console, or through an SSH or telnet connection. You will also need to know the ProxySG’s enable password. Please force the full update only as directed by Blue Coat Technical Support. Only perform the update during off hours so as to not affect your users.

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)content-filter
ProxySG#(config content-filter)provider bluecoat disable
  ok
ProxySG#(config content-filter)bluecoat
ProxySG#(config bluecoat)purge
  ok
ProxySG#(config bluecoat)download get-now
This may take a few minutes. Please wait...
loading database.. 
Download log:
  Blue Coat download at: 2012/06/14 20:23:38 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting initial database
  Download size:        10241
  Database size:        10241
  Database date:        Thu, 14 Jun 2012 20:30:16 UTC
  Database expires:    Tue, 19 Jan 2038 03:14:07 UTC
  Database version:    1
  Database format:     1.1
  ok
ProxySG#(config bluecoat)exit
ProxySG#(config content-filter)provider bluecoat enable
loading database...
  ok
ProxySG#(config content-filter)exit
ProxySG#(config)exit
ProxySG#

You can now jump over to your IE browser window and check to see the download status of the BCWF database. At first the log will look small like below, and you may not be able to install policy.

Download log:
  Blue Coat download at: 2012/06/14 20:23:38 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting initial database
  Download size:        10241
  Database size:        10241
  Database date:        Thu, 14 Jun 2012 20:30:16 UTC
  Database expires:     Tue, 19 Jan 2038 03:14:07 UTC
  Database version:     1
  Database format:      1.1

Please wait a bit…… yep, a bit more… yes, just a bit more…… But soon you will see something like this:

Download log:
  Blue Coat download at: 2012/06/14 20:27:28 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting differential update
  Download size:        314885400
  Database size:        314885400
  Database date:        Thu, 14 Jun 2012 18:11:30 UTC
  Database expires:     Tue, 19 Jan 2038 03:14:07 UTC
  Database version:     321660400
  Database format:      1.1

NOTE: The much larger database size number means that it now has the full database from BlueCoat WebFilter.
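
The three log states shown in this post (failed rebuild, small initial database, full database) can be told apart mechanically. The following is an added example, not part of the original post or any Blue Coat tooling; the state labels and the `min_full_size` cut-off are assumptions, and the sample logs are constructed by trimming the ones quoted above.

```python
import re

# Constructed samples, trimmed from the three download-log states quoted in this post.
FAILED = """Download log:
  Requesting differential update
  Rebuild of existing database required
  Database size:        1084
  Building database
    ERROR: File is not a complete Database: type=2
  Database build failed
"""
INITIAL = """Download log:
  Requesting initial database
  Download size:        10241
  Database size:        10241
  Database version:     1
"""
FULL = """Download log:
  Requesting differential update
  Download size:        314885400
  Database size:        314885400
  Database version:     321660400
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")

def parse_log(text):
    """Return (fields, errors) for the current log, ignoring 'Previous download:'."""
    current = re.split(r"^Previous download:", text, flags=re.M)[0]
    fields, errors = {}, []
    for line in current.splitlines():
        if "ERROR:" in line or "failed" in line.lower():
            errors.append(line.strip())
        elif (m := FIELD.match(line)):
            fields[m.group(1).lower()] = m.group(2)
    return fields, errors

def classify(text, min_full_size=100_000_000):
    """min_full_size is an assumed cut-off, in the units the log reports."""
    fields, errors = parse_log(text)
    if errors:
        return "build-failed"
    if "database version" not in fields:
        return "unknown"
    size = int(fields.get("database size", "0"))
    if fields["database version"] == "1" or size < min_full_size:
        return "initial-stub"
    return "full"

if __name__ == "__main__":
    for name, log in (("failed", FAILED), ("initial", INITIAL), ("full", FULL)):
        print(name, "->", classify(log))
```

Only a result of `full` indicates that the category database is in place; the other states match the points in this post where policy install did not work.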

1. Install the ProxySG security policy
2. Test to a URL/site that is allowed by your security policy.
3. Test to a URL/site that is denied by your security policy.

If everything went as planned, you should now be allowed to #2 and denied to #3.

If you have mixed results:
* You may not have waited long enough for the database to download
* You may not have re-enabled the usage of the BCWF database from the CLI
* Any number of other issues, and I would suggest starting at the beginning and retracing your steps, or start over.

If you found accuracy errors in this post, please inform me, so I may edit the post as needed.

Thanks!

[EDIT 7/4/2012] Adding McAfee SmartFilter XL purge procedures:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)content-filter
ProxySG#(config content-filter)provider 3rd-party none
  ok
ProxySG#(config content-filter)smartfilter
ProxySG#(config smartfilter)purge
  ok
ProxySG#(config smartfilter)download full-get-now
This may take a few minutes. Please wait...
loading database..........
Download log:
  SmartFilter download at: 2009/05/29 10:25:01 -0600
  Downloading from: list.smartfilter.com
  Downloading full control file
    Full download complete
  Messages from SmartFilter:
    Warning: The list subscription for this serial number XXXX-XXXX-XXXX-XXXX will expire in less than 60 days.  Please contact customer service to renew your subscription.  Expiration date: 06/29/2009.
  Download size:      283333648
  Database version:   17110
  Database date:      Fri, 29 May 2009 14:27:41 UTC
  Database expires:   Fri, 03 Jul 2009 14:27:41 UTC
  ok
ProxySG#(config smartfilter)exit
ProxySG#(config content-filter)provider 3rd-party smartfilter
loading database..
  ok
ProxySG#(config content-filter)exit
ProxySG#(config)exit
ProxySG#