This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Garrett_DirSec
Advisor
‎2020-06-11 11:11 AM
Jump to solution

Cluster-specific workflow for R80.40 remote hotfix/JHA installation

Hello -

What's New in R80.40 HERE includes central hotfix/JHA deployment.    This is great news and very attractive new feature for customers with sizable numbers of gateways.    Nice this includes central JFA install on R80.30, R80.20 gateways as well.

The workflow section of admin guide glosses over the specific procedure used when upgrading a cluster.

Can we assume the remote cluster JHA install would happen based on best practice procedures as documented in release notes (ie. zero downtime -- install on gatewayA, failover, and then install on gatewayB)?

Please update the workflow diagram in admin guide for cluster upgrade.

Side topic:   will be be able to TEST/DEMO this on DEMOPOINT?

reference:

R80.40 admin guide reference for central hotfix install HERE (with requirements).  

Thanks in adv. -GA

1 Solution

Accepted Solutions
Boaz_Orshav
Employee
Employee
‎2020-06-11 11:21 AM
Jump to solution

Hi

  Yes, your assumption regarding cluster installation is correct.

  We will add it to documentation.

  Thanks for the tip and will be glad if you have more after using it.....

Boaz

View solution in original post

0 Kudos
11 Replies
Boaz_Orshav
Employee
Employee
‎2020-06-11 11:21 AM
Jump to solution

Hi

  Yes, your assumption regarding cluster installation is correct.

  We will add it to documentation.

  Thanks for the tip and will be glad if you have more after using it.....

Boaz

0 Kudos
Garrett_DirSec
Advisor
‎2020-06-11 11:31 AM
In response to Boaz_Orshav
Jump to solution

Hello @Boaz_Orshav  -- thanks for quick reply. 

I'm curious on topics of (a) error handling, and (b) pre-verification?

Will there be able to easily "check" group of target gateways if a JHA "should" install without issues (example:  identify an installed hotfix that may block install of JHA)?

How will failures be handled?   Will logs be collected for central view -- will central status provide more information than "failed"?

thanks -GA 

0 Kudos
Boaz_Orshav
Employee
Employee
‎2020-06-13 10:04 PM
In response to Garrett_DirSec
Jump to solution

Hi

  Regarding verification - the action "Verify" actually runs the Deployment Agent verify option on the gateway so every pre-verification that is done by CPUSE (like conflict with current HF, disk space etc.) will be identified and reported as is (the central deployment will show the message the CPUSE on the gateway is issuing).

  Logs - we are aware of the need to centrally collect logs in error cases. The Central Deployment GUI has lot's of required functionality and in order not to wait for all to be ready we deliver it in phases.

  R81 shall include much more than R80.40 and so on.

  The logs collection is on the short list for the next version (after 81)

Maarten_Sjouw
Champion
Champion
‎2020-06-13 11:50 PM
In response to Boaz_Orshav
Jump to solution

In a MUliti Domain environment with losts of domains with just 1 GW or 1 cluster, will the packages be loaded once on the global level and then redistributable per domain?
Regards, Maarten
0 Kudos
Boaz_Orshav
Employee
Employee
‎2020-06-13 11:58 PM
In response to Maarten_Sjouw
Jump to solution

On 80.40 the packages are downloaded to the GW from the Check Point Download Center.
On 81 the management can manage a repository and in this version the repository shall be one per MDS (from global context) and installation shall be per domain (package will be taken from the global repository and transferred to the GW)
Garrett_DirSec
Advisor
‎2020-06-15 06:23 AM
In response to Boaz_Orshav
Jump to solution

hello @Boaz_Orshav --  thanks for additional details.

Is this new mechanism leveraging BLINK subsystem?   Or did you have to code from scratch? 

thanks -GA

0 Kudos
Boaz_Orshav
Employee
Employee
‎2020-06-17 09:46 PM
In response to Garrett_DirSec
Jump to solution

The remote (central) installation is orchestrating the Deployment Agent (CPUSE) on the Gateways side, hence supports also Blink packages deployment.
Notice this ability shall be released as part of 81.00
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-06-23 02:38 AM
In response to Boaz_Orshav
Jump to solution

Dashboard tells me that TX appliances are unsupported - this is not mentioned in current documentation...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dale_Lobb
Advisor
‎2020-06-16 11:35 AM
Jump to solution

What about taking a backup/snapshot before the installation?  Is or can that be part of the automatic deployment?

0 Kudos
Boaz_Orshav
Employee
Employee
‎2020-06-17 09:48 PM
In response to Dale_Lobb
Jump to solution

Taking automatic snapshot is already part of version upgrade flow.
Do you mean you would like to have it also for Jumbo/HF installation?
0 Kudos
Garrett_DirSec
Advisor
‎2020-06-18 08:00 AM
In response to Boaz_Orshav
Jump to solution

hello @Boaz_Orshav -- this would be nice option.  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events