Re: Automated software package installation

Simon_Macpherso · ‎2021-05-16

Hi Checkmates,

We are aiming to automate gateway upgrades using the following modules that are part of the Checkpoint Ansible collection for Management.

cp_mgmt_show_software_package_details
cp_mgmt_verify_software_package
cp_mgmt_install_software_package

I have a few questions specifically concerning the cluster_installation_settings parameter and sub-parameters of the cp_mgmt_install_software_package module.

Parameter
cluster_installation_settings		installation settings for cluster.
	cluster_delay (integer)	the delay between end of installation on one cluster members and start of installation on the next cluster member.
	cluster_strategy (string)	the cluster installation strategy.

Questions

1. Are the cluster_strategy parameter values are based on sk107042?
2. Can you please outline the suggested values for both cluster_delay and cluster_strategy parameters when upgrading a Cluster XL HA cluster.
3. Is this effectively an automatic zero-touch upgrade procedure? i.e. do the cluster_installation_settings parameter values perform all steps performed during a manual, interactive upgrade

Regards,

Simon

PhoneBoy · ‎2021-05-17

Yes, though it’s not exactly clear what cluster_strategy should contain. @Or_Soffer
The value of cluster strategy would depend what you’re upgrading from/to.
You can, for instance, use MVC on upgrading R77.30 and above to R80.40 and above.

Pretty sure the underlying API requires R81+ management, also.

Simon_Macpherso · ‎2021-05-17

Initially we plan to perform major version upgrades from R80.30 (differing JHF versions) gateways to R80.40 and above, and JHF upgrades on the same gateways.

I notice on the module doco page, parameters only supported from R81 are denoted as such. Thus assuming other parameters are supported in previous versions i.e. R80.40.

I've also opened a TAC case for this.

Boaz_Orshav · ‎2021-05-18

Hi

I assume your management is 81.00 (since in 80.40 the install package shall be applicable for HF/Jumbo only and not for version upgrade)

Hope this answers all three questions you asked - if not, please let me know

Also will appreciate feedback on the experience you had using these APIs (boazo@checkpoint.com)

Thanks

Boaz

The best practice is simply not to use these parameters as the default values are the best - install the first member, perform connection sync or activate the MVC (depends on the target version - we know which methodology to use) and then failover and second member installation.

Simon_Macpherso · ‎2021-05-18

Hi,

Our management is R80.40 take 94.

Are you saying with R80.40 it is only possible to use the install package module to install JHF/HF only?

What are the default values for these parameters?

Regards,

Simon

PhoneBoy · ‎2021-05-18

You are correct, the APIs to actually do an upgrade are only in R81, not R80.40.
You can only install JHFs with the APIs in R80.40.

Boaz_Orshav · ‎2021-05-18

The default values are 0 for the delay and preserve-connectivity-when-possible for the cluster strategy.

Notice also that in 80.40 you should have management and GWs connected to internet since the installation also triggers download of the package.

In 81.00 there is also an option to use local package repository on the management machine

Simon_Macpherso · ‎2021-05-23

Thanks @Boaz_Orshav

Simon_Macpherso · ‎2021-06-07

When running the cp_mgmt_show_software_package_details module the task is failing.

Example playbook

---
- hosts: all
connection: httpapi
tasks:
- name: show available HFs
check_point.mgmt.cp_mgmt_show_software_package_details:
name: Check_Point_R80_30_JUMBO_HF_Bundle_T228_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz

Boaz_Orshav · ‎2021-06-07

Hi

Will appreciate if you can open service request so we can get logs and provide analysis.

Thanks

Simon_Macpherso · ‎2021-06-08

Hi Boaz,

I've opened TAC 6-0002736618

Regards,

Simon

Are you a member of CheckMates?

Automated software package installation