- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Recommended patching process for private cloud ima...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Recommended patching process for private cloud images
Just started working with the KVM images for Check Point R81.20 gateway.
After chasing things down a bit and figuring out that R81.20 completely changed the cloud-init process I have a gateway up and running under KVM.
I used the latest KVM qcow2 image but being a good Check Point admin, I need the image to the latest HFA.
Is there a best practice/process for deploying images at the latest HFA? The base qcow image deploys at about 5 gig, but after running cpuse to install the latest HFA, the image checks in at over 13G of committed disk consumption.
This isn't very cloud friendly and quite cumbersome. Following this model up deploy, then patch, it slows deployments considerably.
Am I missing something? Is there a better way to have a vetted patched version for direct deployment?
Thanks for your input.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will ask one of my colleagues that did this, 13 GB does not sound logical to me at all.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I can remember, we will release updated images that include the recommended JHF.
We do not do this for every JHF, of course.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why wouldn't this be done for each HFA release? As the steward of the source code, we're reliant on Check Point to provide the latest images unless Check Point provides a tool to custom bake the HFA's into a deployable image. I'm not expecting Check Point to provide images for all patches, but I AM expecting to see images for each "Recommended" HFA.
And, from my lab, here are the **bleep** image sizes, the First being the image directly from Check Point, the second R81.20 Gateway only, not you managed by the multi-domain manager, all I did was update to the latest HFA (Take 41)
-rw-r----- 1 root kvm 4589092864 Jan 4 21:12 CheckPointR81-20-GW.qcow2
-rw-r----- 1 root kvm 15321792512 Jan 8 14:35 ncflabcpfw0002.qcow2
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know we provide Blink images that include the most recent recommended release: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20_Downloads.htm?tocpath=_____3
We also update the images in the public cloud providers (AWS, etc).
However, I believe we only distribute a qcow for the base version.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the expectation then, that those of us doing Private Cloud infrastructure (VMWare or KVM) would have to figure out our own mechanism for keeping images current?
For private cloud deployments I just can see that as feasible.
As things are now, private cloud using KVM would require a base image deployment followed immediately by an HFA installation taking the time to deliver a new cluster from less than 1 minutes to 10-20 minutes, with the added bagging of the disk bloat from the upgrade process.
Am I missing something or is private cloud automation/deployment that much behind the public cloud provider process?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I noticed every image I deployed in the cloud ALWAYS contained whatever recommended jumbo was at the time of the installation...just my own experience.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@the_rock Are you deploying in Public Cloud or Private Cloud? Based on my reading of this thread, the public cloud (AWS, Azure, GCP) get the HFAs rolled in, but not the private cloud (qcow2) images.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mostly public, but only once in private and it had updated jumbo (maybe just luck, no clue lol)
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't asked, but that appears to be the case at present.
I see two places where you might have an issue with this process:
- Time to deploy. This, I believe, could be mitigated by creating your own image (take base image, apply JHF via CPUSE before you run First Time Wizard).
- Size of the resulting image. It's a bit bigger because it includes the CPUSE overhead, which wouldn't be there with a fresh install.
Will have to ask around and see if there's a better way to do this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you try to install a jumbo before completing the first-time wizard, CPUSE definitely complains at you. I'm not sure how safe an option that is.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Totally agree with that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has there been any feedback from the Check Point team on how this might be addressed? I've raised the issue with my account team and they are as perplexed as I regarding not having "current" private cloud images available.
I'd image the images are generated programmatically, just add one more output of KVM to make available via Check Point download site.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content