This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2021-05-16 09:04 PM

Automated software package installation

Hi Checkmates,

We are aiming to automate gateway upgrades using the following modules that are part of the Checkpoint Ansible collection for Management.

  • cp_mgmt_show_software_package_details
  • cp_mgmt_verify_software_package
  • cp_mgmt_install_software_package

I have a few questions specifically concerning the cluster_installation_settings parameter and sub-parameters of the  cp_mgmt_install_software_package module.

Parameter  
cluster_installation_settings installation settings for cluster.
 cluster_delay (integer)the delay between end of installation on one cluster members and start of installation on the next cluster member.
 cluster_strategy (string)the cluster installation strategy.


Questions

1. Are the cluster_strategy parameter values are based on sk107042?
2. Can you please outline the suggested values for both cluster_delay and cluster_strategy parameters when upgrading a Cluster XL HA cluster.
3. Is this effectively an automatic zero-touch upgrade procedure? i.e. do the cluster_installation_settings parameter values perform all steps performed during a manual, interactive upgrade

Regards,

Simon

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2021-05-17 08:23 AM

Yes, though it’s not exactly clear what cluster_strategy should contain. @Or_Soffer
The value of cluster strategy would depend what you’re upgrading from/to.
You can, for instance, use MVC on upgrading R77.30 and above to R80.40 and above.

Pretty sure the underlying API requires R81+ management, also.

0 Kudos
Simon_Macpherso
Advisor
‎2021-05-17 06:20 PM
In response to PhoneBoy

Initially we plan to perform major version upgrades from R80.30 (differing JHF versions) gateways to R80.40 and above, and JHF upgrades on the same gateways. 

I notice on the module doco page, parameters only supported from R81 are denoted as such. Thus assuming other parameters are supported in previous versions i.e. R80.40.

I've also opened a TAC case for this. 

0 Kudos
Boaz_Orshav
Employee
Employee
‎2021-05-18 12:01 AM
In response to Simon_Macpherso

Hi

  I assume your management is 81.00 (since in 80.40 the install package shall be applicable for HF/Jumbo only and not for version upgrade)

  Hope this answers all three questions you asked - if not, please let me know

  Also will appreciate feedback on the experience you had using these APIs (boazo@checkpoint.com)

Thanks

Boaz

  The best practice is simply not to use these parameters as the default values are the best - install the first member, perform connection sync or activate the MVC (depends on the target version - we know which methodology to use) and then failover and second member installation.

  

0 Kudos
Simon_Macpherso
Advisor
‎2021-05-18 04:22 PM
In response to Boaz_Orshav

Hi,

Our management is R80.40 take 94. 

Are you saying with R80.40 it is only possible to use the install package module to install JHF/HF only? 

What are the default values for these parameters?

Regards,

Simon

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-18 05:40 PM
In response to Simon_Macpherso

You are correct, the APIs to actually do an upgrade are only in R81, not R80.40.
You can only install JHFs with the APIs in R80.40. 

0 Kudos
Boaz_Orshav
Employee
Employee
‎2021-05-18 09:58 PM
In response to Simon_Macpherso

The default values are 0 for the delay and  preserve-connectivity-when-possible for the cluster strategy.

Notice also that in 80.40 you should have management and GWs connected to internet since the installation also triggers download of the package.

In 81.00 there is also an option to use local package repository on the management machine

Simon_Macpherso
Advisor
‎2021-06-07 09:56 PM
In response to Boaz_Orshav

When running the cp_mgmt_show_software_package_details module the task is failing. 

Example playbook

---
- hosts: all
connection: httpapi
tasks:
- name: show available HFs
check_point.mgmt.cp_mgmt_show_software_package_details:
name: Check_Point_R80_30_JUMBO_HF_Bundle_T228_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz

0 Kudos
Boaz_Orshav
Employee
Employee
‎2021-06-07 11:34 PM
In response to Simon_Macpherso

Hi

Will appreciate if you can open service request so we can get logs and provide analysis.

Thanks

0 Kudos
Simon_Macpherso
Advisor
‎2021-06-08 05:15 PM
In response to Boaz_Orshav

Hi Boaz,

I've opened TAC 6-0002736618

Regards,

Simon

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top