topic Re: Blink, anyone ? in Firewall and Security Management

Blink, anyone ?

G_W_Albrecht — Thu, 08 Feb 2018 14:15:52 GMT

The sk120193 Blink - Gaia Fast Deployment gives details and tools for easy deployment of cleanly installed Check Point R77.30 or R80.10 Security Gateways. Has anyone used this method already and what were the experiences with it, also compared to deployment with isomorpic ?

Re: Blink, anyone ?

Anat_Eytan-Davi — Thu, 08 Feb 2018 14:55:57 GMT

With Blink you can deploy your gateway (including Jumbo HF) in ~5 minutes.

Images are available in the SK with or without the Jumbo HF.

Blinks also provides you the option to download the latest updates for Anti-Bot, Application control, URL Filtering and CPUSE Deployment Agent.

Re: Blink, anyone ?

G_W_Albrecht — Thu, 08 Feb 2018 15:19:45 GMT

Thank you for the comment - but i would be very interested in feeedback from people who have used this new method in deployment already.

Re: Blink, anyone ?

AlekseiShelepov — Thu, 08 Feb 2018 17:52:15 GMT

I'm waiting for someone to blink...

Actually, I would like to try it out soon during a replacement of gateways. Sound pretty good and easy. I just would like to read some more technical details about this whole process. Of course, the best way is just to try it myself, but I don't have spare appliances for now.

I wonder what happens with the installation files that I copy to the gateway during and after installation if I use --reimage --delete-old-partition keys. I thinking about the following scenario we received a new appliance with some image, maybe it was already initialized, I want to fully reinstall the image to R77.30+Take_292. So, I put all required files into /var/log/blink directory and start it with --reimage --delete-old-partition keys. As I understand it should fully reinstall the image, as if I started new installation from USB. It should delete old partitions and not leave any snapshot. So are the blink files transferred somewhere or just nothing happens to the whole /var/log directory? What happens to the initial and extracted files (/var/log/blink/launcher/files) after installation? There is information about new blink partitions (Remove blink new partition: lv_remove vg_splat lv_fcd_new), then what should happen with them after normal installation?

Re: Blink, anyone ?

DeletedUser — Fri, 09 Feb 2018 00:55:41 GMT

yeah, I'm not going to look at that youtube video, I would 😉

Assuming you create a new directory /var/log/MyDir, copy the files and run blink from there with the parameters --reimage --delete-old-partition, then it would extract the blink_image_<version>.tgz and blink_updates_<version>.tgz files to the /var/log/blink/launcher/files/ directory. When the BlinkInstaller engine runs it merges /var/log so you'll still have /var/log/MyDir and /var/log/blink/launcher/files at the end of the run.

When blink is run without any flags, the default is to NOT create a snapshot. The --keep-old-partition flag overrides the default behavior. When blink is run with only the --reimage flag, then it defaults to creates a snapshot which is shown as a partition (see highlight below). These are the snapshots after 3 blink runs.The final one with the the --reimage --delete-old-partition flag set didn't create a new snapshot and doesn't touch the previous snapshots.

# lvs
LV                  VG       Attr   LSize Origin Snap% Move Log Copy%
hwdiag              vg_splat -wi-a- 1.00G
lv_Blink_R80.10_198 vg_splat -wi-a- 32.00G [from ./blink --keep-old-partition]
lv_Blink_R80.10_373 vg_splat -wi-a- 32.00G [from ./blink --reimage]
lv_current          vg_splat -wi-ao 32.00G
lv_fcd_GAIA         vg_splat -wi-a- 6.00G
lv_log              vg_splat -wi-ao 60.00G

hth,

bob

Re: Blink, anyone ?

G_W_Albrecht — Fri, 09 Feb 2018 10:17:50 GMT

These details are very interesting - but i was interested more in user experience with blink and how it shines compared with isomorphic USB deployment .

Re: Blink, anyone ?

Noel_Taylor — Sat, 10 Feb 2018 13:28:17 GMT

I plan to Try it in the lab tomorrow with same questions you have

Will let you know

Re: Blink, anyone ?

Tsahi_Etziony — Sun, 11 Feb 2018 17:19:16 GMT

Until you have some feedback from other users, I can tell you that I have used both Blink and ISOMorphic many times, but I am biased since they are developed in my group 😉

I can shed some light about the differences between both:

ISOMorphic will format your HD and reinstall the ISO just like a new appliance. ISOMorphic works on all machine roles since it uses the same ISO for all installations.

Blink on the other hand creates a new partition with the new image already installed and customized as a GW. You cannot use Blink for any machine role other that a GW (for now), and the HD is not reformatted. Blink is much faster - it will take you ~5 minutes plus the reboot time, while ISOMorphic can take more than 30 minutes.

Hope this helps, and I am looking forward to hear some more feedback on this thread.

Tsahi

Re: Blink, anyone ?

Vincent_Bacher — Sun, 11 Feb 2018 17:29:34 GMT

I always read about 5 minutes for installation.

And how long takes the preparation?

Re: Blink, anyone ?

Tsahi_Etziony — Sun, 11 Feb 2018 17:37:37 GMT

It depends on how you plan to use the image. If you want to use a USB flash drive, the preparation will be just the time it takes to copy the image to the drive. If you want to copy the image to the machine, then the preparation will be the time it takes you to do that.

In ISOMorphic you need to use the ISOMorphic tool to format the flash drive, but with Blink you don't need to do that. The flash drive option is just for storage of the image file.

Re: Blink, anyone ?

G_W_Albrecht — Mon, 12 Feb 2018 09:19:45 GMT

Thank you, Tsahi - these are very interesting details indeed!

Re: Blink, anyone ?

G_W_Albrecht — Wed, 30 May 2018 09:45:40 GMT

Still no one is discussing his practical experience here - what a pity...

Re: Blink, anyone ?

Vincent_Bacher — Wed, 30 May 2018 09:59:48 GMT

Don't have practical experience yet

Re: Blink, anyone ?

Bryce_Myers — Thu, 07 Jun 2018 15:35:54 GMT

Quick comment about practical experience --

I have used this tool on 10+ gateways in my environment and I found it super helpful. This tool is a great way to image a box - especially if you don't have physical access to the gateway, and shipping/creating a usb stick at the site is a problem.

We have used this to "upgrade" R75.46 boxes as well as "upgrade" R77.20 boxes that had hotfixes that we couldn't remove cleanly.

I think once this tool becomes more integrated with the rest of the management suite - CDT & Zero-touch - Gaia deployments and hardware replacements won't really require much attention.

Re: Blink, anyone ?

Ivan_Moore — Thu, 07 Jun 2018 16:02:10 GMT

I have been playing around with Blink over the past few weeks getting ready to roll out our R77.30 -> R80.10 upgrade. We have custom scripts and configurations that I want to preserve and also automate as much as possible so that it's a one-click type of deployment. So, in my lab I extracted the the 80.10 image and dropped in the update file into the appropriate directory (per the SK). Then I started building out the user_updates directory. I dropped a .tgz file containing our custom scripts and created a pre script that would go gather various configuration bits including a clish save configuration.

I use the --reimage flag then and install_content.sh will import that config back in when done. I did a demo to one of our managers yesterday. 2.5 mins + 2 reboots + SIC + policy install and we have a gateway go from 77.30 to 80.10.

The bits I"m working on next are more complicated upgrades where the gateway has non-standard CoreXL settings for example. Also need to validate any other differences between 77 and 80 such as the cluster ID mechanism which changed again.

However, blink in and of itself is pretty awesome so far.

Re: Blink, anyone ?

Albert_Wilkes — Thu, 07 Jun 2018 17:09:44 GMT

Sorry Guenther, hope I am not hijacking this as I haven't used Blink yet but Tsahi referenced this thread for any opinion about blink.

I would have liked to have a mechanism to quickly fire up lab firewalls which we'd run on open servers in virtualized environments. Alas, OpenServers are not supported by blink yet.

The Blink configuration mechanism seems to be a discontinuation of the previously used config_system syntax and the fact they're using different syntax is creating the need for us "users" to read into and decide to use one or the other and thus increases adoption efforts.

In my dreams, I would have liked one unified configuration syntax that is compatible with clish, config_system and Blink and I can't see why this shouldn't have been possible. Now we've got three syntactic representations of first-time and ongoing configuration instructions that couldn't be more different even though they have got a huge overlap in terms of what they do.

PS: For anyone who like me wasn't quite clear about the different use cases/scenarios for both methods see these videos:

Overview of ISOmorphic and Blink and

Check Point Deployment Tools; DIY Check Point security appliance images using ISOmorphic - YouTube

Re: Blink, anyone ?

Jose_Rivera — Thu, 07 Jun 2018 18:57:31 GMT

We successfully started using Blink!

We did build some wrappers around it but with these wrappers, it has worked extremely well. The only issue, if you can even call it an issue, revolves around the original "factory image" remaining. Though we don't really see a need to "factory reset" a gateway any longer, since it can re-Blink'd at any time.

The wrappers we built:

1) Fresh re-image with R77.30 w/ basic pre-built clish commands (ie, password, snmp, ntp, etc..)

2) Fresh re-image with R80.10 w/ basic pre-built clish commands

3) Upgrade/re-image from R77.30 to R80.10 while re-applying clish statements dynamically.

We did need to build "two" sets of wrappers for each, as we needed to handle clusters vs single GW installs.

Our internal process already requires new or firewall replacements be built with option 1 or 2.

For Option 3, we successfully proved this with a few remote site upgrades and plan to perform all upgrades using this method with Cavaets.

If you ever tried to fresh re-image a 2200 (via usbboot), run first-time wizard, then Jumbo HotFix, you will be happy to hear we have averaged Blink completing all these steps within 8 mins on this model.

Cavaet: Our company best practice is to avoid any customization's of files in expert mode. Making it much easier for us to deploy or re-deploy firewalls using only the saved CLISH configurations. While we are using this method for upgrading from R77.30 to R80.10, keep in mind those expert mode customization's are not retained.

Re: Blink, anyone ?

G_W_Albrecht — Fri, 08 Jun 2018 06:34:03 GMT

If you like to quickly fire up lab firewalls which will run on open servers in virtualized environments, you better use VM templates 😉 Either build them yourself or get it e.g. here: R80.10 vSEC Virtual Edition (VE) Gateway in Network Mode - VMWare OVF template

Re: Blink, anyone ?

G_W_Albrecht — Fri, 08 Jun 2018 06:35:35 GMT

Thank you for sharing your experience !

Re: Blink, anyone ?

Juan_Carlos — Fri, 08 Jun 2018 08:48:17 GMT

Hello,

I have tested Blink in lab environment.

- it's working well and it's very fast (probably depending on hardware capabilities since Blink extracts into a new LV)

- I managed to upgrade a cluster in R80.10 from R77.30 in less than 15 minutes, including reboots (using Blink in addition to CDT). This way to proceed is not supported but shows that something is possible . I'm looking forward the day when our admins will be able to announce our customers a 30mins maintenance window to upgrade a cluster!

As a MSSP we are always looking for better ways to industrialize and shorten our operations. Beeing able to apply customized configurations (scripts, specific parameters, ...) at any step of our installation/upgrade/recovery processes is very important for us.

We have hundreds of gateways : less manual operations, the better. Blink may be a very good tool for such purposes in the future.

There are some limitations especially management servers deployments that are not supported yet but I heard that R&D is working on a Blink image for management servers.

In my opinion Blink, CDT and CPUSE can't be separated and I don't see any reason for Blink, CDT and CPUSE not to be merged in the future and I have not doubt that R&D is working on it!