This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
aheilmaier
Participant
‎2024-03-16 03:42 AM

Gateway Upgrade: diff between manger GUI and CentralDeploymentTool

Reading about upgrading a VSX Gateway from R80.20 to R81.10. Manager running R81.10.

Best practice is to use central deployment via manger gui.

(by the way image verification leads to an error without any helpful error message, but I think I will open a support case)

Now I found the CentralDeploymentTool https://support.checkpoint.com/results/sk/sk111158

Is the CentralDeploymentTool used under the hood with the manager gui ?

So do I need to update the CentralDeploymentTool to get the latest, bug fixed release ?

10 Replies
the_rock
Legend
Legend
‎2024-03-16 05:03 AM

You probably should update it, yes. Its sort of like how everyone would keep Gaia web UI DA updated, when you do upgrade through web gui.

Best,

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-16 08:00 AM

I've had trouble upgrading VSX firewalls with CDT. Haven't had the time to figure out what goes wrong, but something does with almost every VSX upgrade I've done. At this point, I just upgrade them with the manual process, and only use CDT on VSX for jumbos.

My team applies jumbos maybe four times as often as upgrades, so it still saves us a lot of time. Plus all the upgrades and jumbos on non-VSX firewalls.

0 Kudos
aheilmaier
Participant
‎2024-03-16 10:41 AM
In response to Bob_Zimmerman

just compared the release notes R81.10 vs. R81.20. (supported upgrade path > upgrade methods)

I wonder, if R81.10 only supports Hotfix update and R81.20 does support all.

This would means I need to check every single word in the release notes. If the GUI shows the functionality it usually provides it.

R81.20R81.10

  • Central Deployment in SmartConsole

  • CPUSE Upgrade

  • CPUSE Clean Install

  • Central Deployment of Hotfixes in SmartConsole

  • CPUSE Upgrade

  • CPUSE Clean Install

0 Kudos
aheilmaier
Participant
‎2024-03-16 11:19 AM
In response to aheilmaier

just found an error, tcp port 18208 (cprid: checkpoint remote install daemon) from mgmt server to gateway is blocked.

will try to get it open, takes a day to get this done.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-17 06:41 AM
In response to aheilmaier

Management versions R81, R81.10, and R81.20 all support using SmartConsole to distribute and install major version upgrades on firewalls. Management R80.40 and earlier only supported distributing and installing jumbos.

Yes, CDT uses CPRID to send files (the upgrade package) to and run commands (like to import the package, run the upgrade, etc.) on the firewalls. You need 18208 for it to work. Once you have CPRID working, you can use it to do some other interesting things. yourself, like my script to find differences between cluster members' configurations.

"Clean install" via CPUSE doesn't switch your filesystem. Only a clean install via ISOmorphic will do that.

0 Kudos
Boaz_Orshav
Employee
Employee
‎2024-03-16 09:57 PM

Hi

  The Central Deployment using Smart Console is a mechanism highly integrated with all management infrastructure, hence it has management API commands, monitoring is by Task Details mechanism and much more.

  This is also the reason why it is version dependent and every version there are new features and enhancements.

  It is not using the CDT which is an executable tool, unversioned and not depending on the specific management version (same CDT can be installed on any supported management)

Bottom line - not need to update the CDT when using the Smart Console Deployment

aheilmaier
Participant
‎2024-03-17 05:31 AM
In response to Boaz_Orshav

thank's for clarifying, there is a small difference in the documentation wording "Central Deployment" (the GUI one) and "Central Deployment Tool" (CLI)

Aditional question: does Central Deployment do a clean install or only upgrade ?

afaik normal upgrade does migrate all the configuration (kernel module configs etc) and clean install does not, but clean install upgrades Kernel Version and Filesystem from ext3 to xfs.

0 Kudos
aheilmaier
Participant
‎2024-03-17 07:47 AM
In response to aheilmaier

just saw from a comment of @PhoneBoy and interpretation of the website with images I can download...

There are 2 installation options:

fresh install with ISO/USB  named "clean install" is the only way to add changes like file system e.g. ext3 to xfs.
But as we make a new system we also have a complete downtime. Its like a complete new install.

upgrade (in-place upgrade) no matter if it is clean install or upgrade, it does not change the file system but kernel should be changed also.
- clean install with CPUSE will not migrate the special configs e.g. kernel.conf
- upgrade with CPUSE will migrate all the configs

 

For Both there is a the Blink Image (Fast deployment) or a "normal" one, the blink has the latest hotfixes, the normal image almost has not hotfixes afaik.

 

Hope this is correct, whoever decided to use the term "clean install" for upgrade and also for real fresh install. Seeing repeating discussions in the community forum.

0 Kudos
the_rock
Legend
Legend
‎2024-03-17 07:52 AM
In response to aheilmaier

That sounds about right. Also, keep in mind that when using blick image, upgrade seems to be faster.

Best,

Andy

0 Kudos
aheilmaier
Participant
‎2024-03-24 07:57 AM
In response to the_rock

do you know about any problems for upgrading vsx with blink ?

Just saw the hint in R81.20 sk https://support.checkpoint.com/results/sk/sk17390

section downloads and install. (not available for R81.10)

Really again a another restriction? Only for R81.20 because not restriction found for R81.10 in a document.

* Gaia Fast Deployment (Blink) does not support the VSX upgrade.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events