Simon_Macpherso
Collaborator

Automated software package installation

Hi Checkmates,

We are aiming to automate gateway upgrades using the following modules that are part of the Checkpoint Ansible collection for Management.

  • cp_mgmt_show_software_package_details
  • cp_mgmt_verify_software_package
  • cp_mgmt_install_software_package

I have a few questions specifically concerning the cluster_installation_settings parameter and sub-parameters of the cp_mgmt_install_software_package module.

Parameter

cluster_installation_settings: installation settings for cluster.

  • cluster_delay (integer): the delay between end of installation on one cluster member and start of installation on the next cluster member.
  • cluster_strategy (string): the cluster installation strategy.


Questions

1. Are the cluster_strategy parameter values based on sk107042?
2. Can you please outline the suggested values for both cluster_delay and cluster_strategy parameters when upgrading a Cluster XL HA cluster?
3. Is this effectively an automatic zero-touch upgrade procedure? i.e. do the cluster_installation_settings parameter values perform all steps performed during a manual, interactive upgrade?

Regards,

Simon

0 Kudos
10 Replies
PhoneBoy
Admin

Yes, though it’s not exactly clear what cluster_strategy should contain. @Or_Soffer
The value of cluster strategy would depend on what you’re upgrading from/to.
You can, for instance, use MVC on upgrading R77.30 and above to R80.40 and above.

Pretty sure the underlying API requires R81+ management, also.

0 Kudos
Simon_Macpherso
Collaborator

Initially we plan to perform major version upgrades from R80.30 (differing JHF versions) gateways to R80.40 and above, and JHF upgrades on the same gateways. 

I notice on the module doco page, parameters only supported from R81 are denoted as such. Thus assuming other parameters are supported in previous versions i.e. R80.40.

I've also opened a TAC case for this. 

0 Kudos
Boaz_Orshav
Employee

Hi

  I assume your management is 81.00 (since in 80.40 the install package shall be applicable for HF/Jumbo only and not for version upgrade)

  Hope this answers all three questions you asked - if not, please let me know

  Also will appreciate feedback on the experience you had using these APIs (boazo@checkpoint.com)

Thanks

Boaz

  The best practice is simply not to use these parameters as the default values are the best - install the first member, perform connection sync or activate the MVC (depends on the target version - we know which methodology to use) and then failover and second member installation.

  

0 Kudos
Simon_Macpherso
Collaborator

Hi,

Our management is R80.40 take 94. 

Are you saying with R80.40 it is only possible to use the install package module to install JHF/HF only? 

What are the default values for these parameters?

Regards,

Simon

 

0 Kudos
PhoneBoy
Admin

You are correct, the APIs to actually do an upgrade are only in R81, not R80.40.
You can only install JHFs with the APIs in R80.40. 

0 Kudos
Boaz_Orshav
Employee

The default values are 0 for the delay and preserve-connectivity-when-possible for the cluster strategy.

Notice also that in 80.40 you should have management and GWs connected to the internet since the installation also triggers download of the package.

In 81.00 there is also an option to use a local package repository on the management machine.

Simon_Macpherso
Collaborator

Thanks @Boaz_Orshav 

0 Kudos
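The show, verify and install sequence discussed in this thread, written out as one playbook with the cluster settings set to the default values Boaz_Orshav gives above. This is an added example, not code posted by any participant; the target object names are hypothetical, and it assumes the `targets` parameter of the verify and install modules accepts those names.

```yaml
---
# Added example, not from the thread. The inventory host is the Management Server.
- hosts: all
  connection: httpapi
  vars:
    # Package file name quoted elsewhere in this thread.
    jhf_package: Check_Point_R80_30_JUMBO_HF_Bundle_T228_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz
    # Hypothetical target object names; replace with your own.
    upgrade_targets:
      - gw-cluster-member-1
      - gw-cluster-member-2
  tasks:
    - name: Show details of the JHF package
      check_point.mgmt.cp_mgmt_show_software_package_details:
        name: "{{ jhf_package }}"

    - name: Verify the package against the targets before installing
      check_point.mgmt.cp_mgmt_verify_software_package:
        name: "{{ jhf_package }}"
        targets: "{{ upgrade_targets }}"

    # Ansible does not run this task for a host whose verify task failed.
    - name: Install the package on the targets
      check_point.mgmt.cp_mgmt_install_software_package:
        name: "{{ jhf_package }}"
        targets: "{{ upgrade_targets }}"
        # These equal the defaults stated in the thread, so the whole
        # cluster_installation_settings block can be omitted.
        cluster_installation_settings:
          cluster_delay: 0
          cluster_strategy: preserve-connectivity-when-possible
```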
Simon_Macpherso
Collaborator

When running the cp_mgmt_show_software_package_details module the task is failing. 

Example playbook

---
- hosts: all
  connection: httpapi
  tasks:
    - name: show available HFs
      check_point.mgmt.cp_mgmt_show_software_package_details:
        name: Check_Point_R80_30_JUMBO_HF_Bundle_T228_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz

0 Kudos
Boaz_Orshav
Employee

Hi

Will appreciate if you can open service request so we can get logs and provide analysis.

Thanks

0 Kudos
Simon_Macpherso
Collaborator

Hi Boaz,

I've opened TAC 6-0002736618

Regards,

Simon

0 Kudos