mk1
Contributor

CDT can't download packages from the cloud

Hello all,

I use the following CDT config for advanced mode:


# DepPlan.xml
<?xml version="1.0" encoding="UTF-8"?>

<CDT_Deployment_Plan>

<plan_settings>
<name value="Example deployment plan - install a Blink package" />
<description value="Install Blink image on the remote machines" />
<update_cpuse value="true" />
<connectivityupgrade value="true" />
</plan_settings>

<download_from_cloud path="/var/log/upload/blink_image_1.1_Check_Point_R80.40_T294_JHF_T91_SecurityGateway.tgz" iscritical="false" />
<import_package path="/var/log/upload/blink_image_1.1_Check_Point_R80.40_T294_JHF_T91_SecurityGateway.tgz" />

<!--
<install_package path="/var/log/upload/blink_image_1.1_Check_Point_R80.40_T294_JHF_T91_SecurityGateway.tgz" />
-->

</CDT_Deployment_Plan>


Initially I run:

./CentralDeploymentTool -generate -candidates=gateways.csv -deploymentplan=DepPlan.xml -server=1.2.3.4
./CentralDeploymentTool -execute -candidates=gateways.csv -deploymentplan=DepPlan.xml -server=1.2.3.4

If everything is fine I remove the comment from the line below:
<install_package path="/var/log/upload/blink_image_1.1_Check_Point_R80.40_T294_JHF_T91_SecurityGateway.tgz" />

and then proceed with the actual upgrade. The problem is that packages can't be downloaded from the CP cloud, and you can imagine that with many gateways the line will be heavily utilized when a 3.6G Blink image starts uploading to all of them.

Here's the message I receive on every gateway part of the gateways.csv file:

Tue Feb 9 05:18:18 2021 *E* [fw]:
************************************************
An error has occurred in stage Download From Cloud of machine fw:

Error code 25 - Failed to execute download from the cloud command on a remote machine.

Details:
--------
Failed to add the private package.

Additional Information:
-----------------------

************************************************
Timeout while waiting add private package will finish. Make sure the package file name is correct.
Error code 41 - Error executing a CPUSE operation on a remote machine.
************************************************

************************************************

Tue Feb 9 05:18:18 2021 *E* [fw]: Executing action #1 Download Package From the Cloud on fw failed. However, this action is not critical, skipping...


Do you have any idea why the packages can't be downloaded from the cloud? Am I doing something wrong? I use the latest 1.9 version of CDT. At the same time there isn't any kind of issue if I try to download the same package from the Web GUI of the firewalls.

Thank you!

0 Kudos
8 Replies
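As an added example (not code from the thread or from Check Point's CDT), the following Python script does two things a practitioner would want before and after running a plan like the one above: it pre-flight checks a deployment plan for the mistakes that produce exactly the symptom shown in the thread (a non-critical download that fails and is silently skipped, mismatched or missing package paths, actions out of order), and it parses the CDT error blocks into structured events so that the "not critical, skipping" cases are not lost in the log. Element and attribute names (CDT_Deployment_Plan, download_from_cloud, import_package, install_package, path, iscritical) are taken from the DepPlan.xml in the post; the log layout is taken from the error output quoted there; the rest (function names, the assumption that the three actions must name the same file and run in download/import/install order) is this example's own assumption, not documented CDT behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Action order assumed by this checker (an assumption, not a CDT rule).
ACTIONS = ("download_from_cloud", "import_package", "install_package")


def validate_plan(xml_text: str) -> list:
    """Return human-readable findings for a CDT deployment plan (empty list = no findings)."""
    findings = []
    # Encode to bytes so an XML declaration with encoding="UTF-8" is accepted.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "CDT_Deployment_Plan":
        return [f"unexpected root element <{root.tag}>"]

    steps = [e for e in root if e.tag in ACTIONS]
    # Every action must carry a path attribute.
    for e in steps:
        if not e.get("path"):
            findings.append(f"<{e.tag}> has no path attribute")
    # All actions should refer to the same package file; a typo in one of them
    # surfaces as "Make sure the package file name is correct" on the gateway.
    paths = sorted({e.get("path") for e in steps if e.get("path")})
    if len(paths) > 1:
        findings.append("actions refer to different package paths: " + ", ".join(paths))
    # Keep download -> import -> install order for whichever actions are present.
    order = [e.tag for e in steps]
    if order != [a for a in ACTIONS if a in order]:
        findings.append(f"actions out of order: {order}")
    # iscritical="false" makes CDT skip a failed download and carry on with the
    # import, which then depends on the file already being on the machine.
    dl = root.find("download_from_cloud")
    if dl is not None and dl.get("iscritical", "").lower() == "false" \
            and root.find("import_package") is not None:
        findings.append('download_from_cloud has iscritical="false": a failed '
                        'download is skipped and import_package runs anyway')
    return findings


# Patterns for the error block layout shown in the thread.
STAGE_RE = re.compile(r"An error has occurred in stage (?P<stage>.+?) of machine (?P<host>\S+):")
CODE_RE = re.compile(r"Error code (?P<code>\d+) - ")
SKIP_RE = re.compile(r"this action is not critical, skipping")


def parse_cdt_errors(log_text: str) -> list:
    """Collect one event per error block: host, stage, error codes, and whether CDT skipped it."""
    events, current = [], None
    for line in log_text.splitlines():
        m = STAGE_RE.search(line)
        if m:
            current = {"host": m["host"], "stage": m["stage"], "codes": [], "skipped": False}
            events.append(current)
            continue
        if current is None:
            continue
        m = CODE_RE.search(line)
        if m:
            current["codes"].append(int(m["code"]))
        if SKIP_RE.search(line):
            current["skipped"] = True
    return events


# Sample plan: the DepPlan.xml from the post, with its install step still commented out.
SAMPLE_PLAN = """<?xml version="1.0" encoding="UTF-8"?>
<CDT_Deployment_Plan>
<plan_settings>
<name value="Example deployment plan - install a Blink package" />
<update_cpuse value="true" />
<connectivityupgrade value="true" />
</plan_settings>
<download_from_cloud path="/var/log/upload/blink_image.tgz" iscritical="false" />
<import_package path="/var/log/upload/blink_image.tgz" />
<!-- <install_package path="/var/log/upload/blink_image.tgz" /> -->
</CDT_Deployment_Plan>
"""

# Sample log: the error output quoted in the post (file name shortened).
SAMPLE_LOG = """Tue Feb 9 05:18:18 2021 *E* [fw]:
************************************************
An error has occurred in stage Download From Cloud of machine fw:

Error code 25 - Failed to execute download from the cloud command on a remote machine.

Details:
--------
Failed to add the private package.
************************************************
Timeout while waiting add private package will finish. Make sure the package file name is correct.
Error code 41 - Error executing a CPUSE operation on a remote machine.
************************************************
Tue Feb 9 05:18:18 2021 *E* [fw]: Executing action #1 Download Package From the Cloud on fw failed. However, this action is not critical, skipping...
"""

if __name__ == "__main__":
    for f in validate_plan(SAMPLE_PLAN):
        print("PLAN:", f)
    for ev in parse_cdt_errors(SAMPLE_LOG):
        print("LOG:", ev)
```

Run against the plan from the post, the checker reports only the iscritical="false" finding, and the log parser yields a single event for host fw in stage "Download From Cloud" with error codes 25 and 41 marked as skipped, which is the case a report over all gateways in gateways.csv should surface rather than bury.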
Boaz_Orshav
Employee

Hi

Can you please check if it works from the GW itself?

On the "Status and actions" page press on "Add Hotfix from cloud" and enter the blink file name you are using in the Deployment Plan.

If it doesn't work - run "da_cli collect_logs" and send me the resulting tgz (probably a connectivity issue).

If it works from the GW side - I would appreciate it if you send me the CDT logs.

boazo@checkpont.com

0 Kudos
mk1
Contributor

Thank you for your reply Boaz! I sent you the logs.

One more question - after in 80.40 Connectivity Upgrade was replaced with MVC (Multi-Version Cluster Upgrade), is the

<connectivityupgrade value="true" />

option still relevant? Is CDT going to push policies on both cluster members with newer and older versions as it's described in the documentation?

Thank you!

0 Kudos
Boaz_Orshav
Employee

1. connectivity upgrade is still recommended since in case it's 80.40 and up, the same flag will verify MVC is turned on or activate it if it isn't. We just didn't want to create a different flag for 80.40 and up.

2. CDT does not push the policies. It prepares the policy for the new version on the management meaning that an upgraded GW will fetch it while a GW that was not upgraded will not fetch it (fetching the policy is part of the upgrade procedure on the GW side)

funkylicious
Advisor

hi,

as far as I recall, download from cloud is for downloading the respective package on the SMS/MDS server; then you would need to import it from the management to the gateways with the import and install actions.

Can you see from the management that the package is available for download? Or maybe the server doesn't have internet access to check?

0 Kudos
mk1
Contributor

Hello funkylicious,

According to the CDT admin guide, we have the following statement:

download_from_cloud - Downloads a package from the Check Point Cloud with CPUSE.

Attributes:
* path - Path to the package file on the Management Server (you must provide the package on the Management Server, even if the Security Gateways download it directly from the Check Point Cloud).


I can always download it once and upload it to the Management server, so I think the purpose of that feature is to download it from the cloud on every gateway separately, instead of copying it from the Management server. All the gateways have Internet access, and when I check via the Web GUI they can find the Blink image I'm trying to download via CDT.

0 Kudos
Boaz_Orshav
Employee

I didn't get the logs and now I see that I had one "i" missing in the email address.

Sorry about that.

boazo@checkpoint.com


0 Kudos
mk1
Contributor

That explains why you didn't receive my mails. I didn't notice either that there's a missing "i". I don't know why, but I'm not allowed to reply to your previous message, so I will try to reply here.

1. Understood.
2. My question was more whether CDT prepares the management station to install the policy twice - on the upgraded member, and on the other one which is not upgraded yet.
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Installation_and_Upgrade_Gui...
According to the link above:
While the cluster contains Cluster Members that run different software versions (Multi-Version Cluster), you must install the policy two times.
So I believe all the needed steps (please find attached screenshot) are covered by CDT? One more thing - last time when I made an upgrade the Threat Prevention policy wasn't installed. Is that a normal behaviour?


Thank you!

0 Kudos
Boaz_Orshav
Employee

Regarding the Threat Prevention policy - indeed, the admin guide mentions only that the CDT prepares the access policy, and the known limitations in SK111158 state:

"When the CDT deploys a package to a Security Gateway, it installs only the Access Control policy. If the Security Gateway also has a Threat Prevention policy, you must install it from the SmartConsole."

Regarding the MVC - the CDT prepares the policy to the new version so that the upgraded member can fetch it. The non-upgraded member does not need to fetch the policy again.

From now on - if you need to install the policy (assuming you changed it) you will need to do it twice (once for each version).

So the answer is - yes, CDT does it for you when you install one member, and yes, you will need to install the policy twice as long as you have MVC.