topic Re: Recommended patching process for private cloud images in Cloud Firewall

Recommended patching process for private cloud images

AlJo — Sat, 06 Jan 2024 18:24:51 GMT

Just started working with the KVM images for Check Point R81.20 gateway.

After chasing things down a bit and figuring out that R81.20 completely changed the cloud-init process I have a gateway up and running under KVM.

I used the latest KVM qcow2 image but being a good Check Point admin, I need the image to the latest HFA.

Is there a best practice/process for deploying images at the latest HFA? The base qcow image deploys at about 5 gig, but after running cpuse to install the latest HFA, the image checks in at over 13G of committed disk consumption.

This isn't very cloud friendly and quite cumbersome. Following this model up deploy, then patch, it slows deployments considerably.

Am I missing something? Is there a better way to have a vetted patched version for direct deployment?

Thanks for your input.

Re: Recommended patching process for private cloud images

the_rock — Mon, 08 Jan 2024 03:25:18 GMT

I will ask one of my colleagues that did this, 13 GB does not sound logical to me at all.

Best,

Andy

Re: Recommended patching process for private cloud images

PhoneBoy — Mon, 08 Jan 2024 13:54:34 GMT

As far as I can remember, we will release updated images that include the recommended JHF.
We do not do this for every JHF, of course.

Re: Recommended patching process for private cloud images

AlJo — Mon, 08 Jan 2024 14:38:03 GMT

Why wouldn't this be done for each HFA release? As the steward of the source code, we're reliant on Check Point to provide the latest images unless Check Point provides a tool to custom bake the HFA's into a deployable image. I'm not expecting Check Point to provide images for all patches, but I AM expecting to see images for each "Recommended" HFA.

And, from my lab, here are the **bleep** image sizes, the First being the image directly from Check Point, the second R81.20 Gateway only, not you managed by the multi-domain manager, all I did was update to the latest HFA (Take 41)

-rw-r----- 1 root kvm 4589092864 Jan 4 21:12 CheckPointR81-20-GW.qcow2
-rw-r----- 1 root kvm 15321792512 Jan 8 14:35 ncflabcpfw0002.qcow2

Re: Recommended patching process for private cloud images

PhoneBoy — Mon, 08 Jan 2024 15:44:00 GMT

I know we provide Blink images that include the most recent recommended release: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20_Downloads.htm?tocpath=_____3
We also update the images in the public cloud providers (AWS, etc).
However, I believe we only distribute a qcow for the base version.

Re: Recommended patching process for private cloud images

AlJo — Mon, 08 Jan 2024 18:38:38 GMT

Is the expectation then, that those of us doing Private Cloud infrastructure (VMWare or KVM) would have to figure out our own mechanism for keeping images current?

For private cloud deployments I just can see that as feasible.

As things are now, private cloud using KVM would require a base image deployment followed immediately by an HFA installation taking the time to deliver a new cluster from less than 1 minutes to 10-20 minutes, with the added bagging of the disk bloat from the upgrade process.

Am I missing something or is private cloud automation/deployment that much behind the public cloud provider process?

Re: Recommended patching process for private cloud images

the_rock — Mon, 08 Jan 2024 18:42:57 GMT

Personally, I noticed every image I deployed in the cloud ALWAYS contained whatever recommended jumbo was at the time of the installation...just my own experience.

Best,

Andy

Re: Recommended patching process for private cloud images

AlJo — Mon, 08 Jan 2024 18:49:21 GMT

@the_rock Are you deploying in Public Cloud or Private Cloud? Based on my reading of this thread, the public cloud (AWS, Azure, GCP) get the HFAs rolled in, but not the private cloud (qcow2) images.

Re: Recommended patching process for private cloud images

the_rock — Mon, 08 Jan 2024 18:53:26 GMT

Mostly public, but only once in private and it had updated jumbo (maybe just luck, no clue lol)

Best,

Andy

Re: Recommended patching process for private cloud images

PhoneBoy — Mon, 08 Jan 2024 18:55:32 GMT

I haven't asked, but that appears to be the case at present.
I see two places where you might have an issue with this process:

Time to deploy. This, I believe, could be mitigated by creating your own image (take base image, apply JHF via CPUSE before you run First Time Wizard).
Size of the resulting image. It's a bit bigger because it includes the CPUSE overhead, which wouldn't be there with a fresh install.

Will have to ask around and see if there's a better way to do this.

Re: Recommended patching process for private cloud images

Bob_Zimmerman — Mon, 08 Jan 2024 21:29:47 GMT

If you try to install a jumbo before completing the first-time wizard, CPUSE definitely complains at you. I'm not sure how safe an option that is.

Re: Recommended patching process for private cloud images

the_rock — Tue, 09 Jan 2024 00:03:51 GMT

Totally agree with that.

Re: Recommended patching process for private cloud images

AlJo — Wed, 21 Feb 2024 16:07:36 GMT

Has there been any feedback from the Check Point team on how this might be addressed? I've raised the issue with my account team and they are as perplexed as I regarding not having "current" private cloud images available.

I'd image the images are generated programmatically, just add one more output of KVM to make available via Check Point download site.

Re: Recommended patching process for private cloud images

the_rock — Wed, 21 Feb 2024 16:36:00 GMT

Hope there are some discussions about this at CPX.

Definitely valid point you made @AlJo

Best,

Andy