AntiSpoofing
Explorer

R80.20 CDT Versus SmartUpdate (FIGHT!)

Hello all,

First post so please take it easy on me...

Why can't we upgrade managed firewalls (Service Packs and various updates) through a SmartUpdate-like utility?  Forgive me if this has been asked before.

24 Replies
PhoneBoy
Admin
For the last several years, we've distributed patches via CPUSE.
SmartUpdate was never updated to leverage this mechanism.
CDT can distribute CPUSE packages (among other things) to multiple gateways, but doesn't have a SmartUpdate GUI.
I suspect, though don't know the exact timelines, that we will integrate this function into SmartConsole in a later release.
Dorit_Dor
Employee

We took a different route this time. We focused on robust core upgrades (with CPUSE and automation with CDT), all with APIs first and later UI.

We understand that a UI component is needed and phase 1 is coming in R80.40 (why phase 1? because it will not cover all the richness of CDT - it will enable a simple update scenario). The UI will be based on UI extension and therefore part of Smart Console and not a separate application.

In general the richness of CDT comes with strong automation (which wasn't part of SmartUpdate and is less UI relevant), but for CPUSE surely a UI is expected.

Dorit 

BTW you are welcome to join the early availability in a month or two
Tomer_Noy
Employee (Accepted Solution)

Yup, just a few clicks to install the latest Jumbo HF (without even having to search for it). Will automatically install cluster members one-by-one and take care of an orderly fail over.

Join our R80.40 EA!

We do have even more cool stuff coming 🙂

And here is a teaser:

[Image: R80.40 HF Installation.png]

AntiSpoofing
Explorer
Thank you, yes, that was what I expected. I just thought that the CPUSE approach was a tad laborious, since you are downloading the same package multiple times, whereas distributing and scheduling from Management was a much-to-be-desired function.

Thanks!
VincentBacher
Participant

This new feature is for hotfixes. Upgrading using SmartConsole would be the next step. We are waiting..... 😎

AntiSpoofing
Explorer
Thanks Dorit!

BTW - Former Employee (Roger, Diamond TAC, Team 1)
Lewis_Ryan
Explorer

Hi,

I thought CDT in GUI form was going to be part of R80.30; is this now not the case? We are not yet on this release but were planning to be, due to CDT availability in the console.

I have just checked on the SmartConsole for R80.30 on Demopoint but couldn't find CDT in the console, unless I am missing it or does it require an extension of some sort?

PhoneBoy
Admin
Hadn't heard this MIGHT be in R80.30.
In any case, it's planned for R80.40 and you are encouraged to join the EA.
Lewis_Ryan
Explorer
That's what I was told at the Demo at CPX Vienna. Will consider EA
AntiSpoofing
Explorer
Thank you, sir!
I got word that it's coming.

It was just that it seemed like a step back from where "we" were...
M_Ruszkowski
Collaborator

Right now...I am on the CDT side.   So please don't take my CDT away!!!!

The CDT has worked very well for us. We have upgraded more than 135 firewalls in three months. Keep in mind, we can only do these upgrades on weekends. It used to take us more than a year to upgrade everything. The upgrades have been from R77.20 and R77.30 to R80.20 with Jumbo Take. And we are using CDT to roll out HFA's as well. We have already started patching with Take 118, which was recently released. This has dramatically sped up our upgrades and patching cycles. This will be the first time in over 10 years that all of our firewalls will be on the same version and HFA!

If you have not tried CDT, I would recommend just skipping the basic method and going right to the advanced method and defining a deployment plan. It is not very hard to do, and you are going to end up doing it this way anyway. So don't bother with the basic method.

Luis_Miguel_Mig
Advisor

I have watched this video about CDT in SmartConsole in R81. Beautiful. Really nice.
I was wondering what the plans are. Will SmartConsole get more and more features of the CDT CLI version?
And just something simple: in the GUI version both gateways in the cluster get upgraded one after the other. I was thinking that it would be nice to give the administrator the option to wait and run post-checks before the upgrade of the second gateway.

PhoneBoy
Admin

CDT may have a few more options overall, but the plan is to bring in more functionality into SmartConsole.
Like the suggestion for post-upgrade checks before upgrading other cluster members.
@Tsahi_Etziony 

Tsahi_Etziony
Employee

The SmartConsole capabilities are separated from CDT and it is not a GUI for CDT. It is developed by the same team to make sure we learn from the CDT development, but it has much higher focus on usability, and hopefully it can be used without any learning effort. 

As @PhoneBoy wrote, we will continue to bring new capabilities to SmartConsole, but I expect CDT to stay with us for a very long time because frankly, it is much more powerful. We will definitely continue to develop and support both options.

The cluster suggestion is a high priority for us, but unfortunately it will probably only be available towards the end of 2021. The reason: we want to make the UX perfect, and it requires some more research and usability trials. If you are interested in contributing to this effort, sharing your thoughts and even trying out early developments, we would love to contact you for an open discussion.

Luis_Miguel_Mig
Advisor

Yeah absolutely, thanks. I am definitely interested in the usability focus of the GUI/SmartConsole version.
I guess that you may already be working on these few things I am suggesting, but anyway at the moment I miss:

- more visibility of what is going on during the upgrade, being aware of the different phases, perhaps showing the CPUSE messages...

- including snapshots in the process

- including breakpoints and post-checks, so the admin can pause for a while (after one member of the cluster has been upgraded) and then decide whether to resume or roll back

Tsahi_Etziony
Employee
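The pause-and-post-check gate suggested above (upgrade one cluster member, verify, then decide whether to continue to the second member or roll back) is easy to prototype outside the GUI. The following is an added example, not code from this thread or from Check Point's CDT or SmartConsole; the `cphaprob state` tables it parses are constructed samples in the general shape Gaia prints, and the `upgrade`/`rollback`/`read_state` callbacks are placeholders for whatever you use to drive CPUSE and read cluster state (SSH, the Gaia API, a CDT script step).

```python
"""Cluster-aware rollout gate: upgrade one member, run post-checks, then decide.

Added example, not code from the thread or from Check Point. The `cphaprob state`
tables below are constructed samples in the general shape Gaia prints; verify the
column layout on your own version before relying on the regex.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample: member fw1 upgraded, rebooted and back to ACTIVE, fw2 STANDBY.
SAMPLE_STATE_OK = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         fw1
2          192.168.1.2     0%              STANDBY        fw2

Active PNOTEs: None
"""

# Constructed sample: fw1 did not come back cleanly, fw2 is carrying the traffic.
SAMPLE_STATE_BAD = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     0%              DOWN           fw1
2          192.168.1.2     100%            ACTIVE         fw2

Active PNOTEs: Problem Notification
"""

# One member row: id, optional "(local)", address, load, state, name.
_ROW = re.compile(
    r"^\s*(?P<id>\d+)(?:\s+\(local\))?\s+(?P<addr>\S+)\s+(?P<load>\d+%)\s+"
    r"(?P<state>\S+)\s+(?P<name>\S+)\s*$"
)
HEALTHY = {"ACTIVE", "STANDBY"}


def parse_cphaprob_state(text: str) -> Dict[str, str]:
    """Map member name -> state from a cphaprob state table."""
    members: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            members[m.group("name")] = m.group("state")
    return members


def post_check(state_output: str, upgraded: str) -> List[str]:
    """Return the problems found; an empty list means it is safe to go on."""
    members = parse_cphaprob_state(state_output)
    problems: List[str] = []
    if upgraded not in members:
        problems.append(f"{upgraded} missing from cluster state")
    elif members[upgraded] not in HEALTHY:
        problems.append(f"{upgraded} is {members[upgraded]}")
    for name, state in members.items():
        if name != upgraded and state not in HEALTHY:
            problems.append(f"peer {name} is {state}")
    if "ACTIVE" not in members.values():
        problems.append("no ACTIVE member")
    if "Active PNOTEs: None" not in state_output:
        problems.append("active PNOTEs reported")
    return problems


@dataclass
class Rollout:
    """Upgrade members one at a time; stop and roll back on the first failed check."""
    upgrade: Callable[[str], None]     # placeholder: e.g. install the package via CPUSE
    rollback: Callable[[str], None]    # placeholder: e.g. revert to the CPUSE snapshot
    read_state: Callable[[], str]      # placeholder: e.g. `cphaprob state` on the member
    log: List[str] = field(default_factory=list)

    def run(self, members: List[str]) -> bool:
        for member in members:
            self.upgrade(member)
            self.log.append(f"upgraded {member}")
            problems = post_check(self.read_state(), member)
            if problems:
                self.log.append(f"post-check failed on {member}: {'; '.join(problems)}")
                self.rollback(member)
                self.log.append(f"rolled back {member}")
                return False
            self.log.append(f"post-check passed on {member}")
        return True


def simulate(states_after_each_upgrade: List[str]) -> Tuple[bool, List[str]]:
    """Drive a rollout against canned state output; no gateway is touched."""
    states = iter(states_after_each_upgrade)
    r = Rollout(upgrade=lambda m: None, rollback=lambda m: None,
                read_state=lambda: next(states))
    ok = r.run(["fw1", "fw2"])
    return ok, r.log


if __name__ == "__main__":
    for ok, log in (simulate([SAMPLE_STATE_OK, SAMPLE_STATE_OK]),
                    simulate([SAMPLE_STATE_BAD])):
        print("OK" if ok else "ABORTED", *log, sep="\n  ")
```

The point of the structure is that the second member is never touched unless the first one is back in a healthy state and the cluster still has an ACTIVE member; a failed check triggers a rollback of only the member just upgraded, which is the behaviour the breakpoint request above asks the GUI for. Swap `HEALTHY` and the PNOTE test for whatever your post-checks really are (routing, VPN tunnels, policy fetch) rather than trusting cluster state alone.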

Sure. I'll have my guys contact you for future usability sessions and feedback. 

Your suggestions are indeed known to us. I only have one comment on the snapshot: when you perform a major upgrade, either from SmartConsole, using CDT or directly using the GW's CPUSE interface, CPUSE keeps an automatic snapshot on the GW as part of the process.

Luis_Miguel_Mig
Advisor

It is great that CPUSE already does it. So perhaps a bit of visibility on what is going on behind the scenes would be enough.
And would CPUSE allow you to use it for a rollback? And would CPUSE also be able to take the snapshot and store it remotely?

Tsahi_Etziony
Employee

Visibility - for sure!

Currently exporting a snapshot or reverting to a saved snapshot is only available from the machine itself. 

M_Ruszkowski
Collaborator

I have been using CDT for about three years now. I originally posted on this thread above back in 2019. We recently upgraded our MDS servers to R80.40 last March and shortly after that I started upgrading all the GW's from R80.20 to R80.40. I had to wait on some custom HFA's that R&D...so I would have started sooner.

Since this May I have upgraded 140 firewalls / 70 clusters using CDT - I am almost done!

Our "CDT deployment scripts" do more than just the upgrade and pushing HFA's. We are pushing down different "fwkern.conf" files depending on the cluster in our env., pushing custom scripts, un-tarring them, and running them.

I just recently used CDT to push out the new v1.6 GAIA API to the GW's.    I have also used CDT to rotate passwords on all the GW's.  

So what I am trying to say is that I am using CDT for other things than just doing an upgrade or installing an HFA. I am not sure how this is going to be done when you add CDT to the GUI. I am just worried that turning CDT into a GUI may impact other features or how I am using it. Our MDS env has 70+ domains; I have all my files structured on the MDS and rsync'ed between the MDS servers. For GW upgrades I have multiple sessions opened and just do a "mdsenv" and run the deployment plans.

As for the other items that we use CDT for (not upgrades), I have bash scripts that loop through the domains, dynamically do the "-generate" for the csv file and then the "execute", and once that completes loop to the next domain.

I am sure in the future, some of this can be moved over to Ansible...but that is another story because I am having issues with v1.5 of the API and I am using CDT to push out v1.6.

I am not sure how all of this will work in the GUI. I really do not want to be opening a SmartConsole to each domain and making sure the upgrades are configured the same, or maintaining configuration in all the domains. If we only had a handful of them, maybe...but we have over 70 domains. Is this going to be in the Global view of the MDS?

Please don't break CDT.

Boaz_Orshav
Employee

Thanks very much for the detailed feedback!

To sum it up - we are not planning to break CDT !

The Central Deployment using Smart Console is a simple and intuitive way to deploy packages on one or many gateways and clusters.

It should be enough for most cases when you need to install HF, Jumbo or upgrade to a new version.

For more complex scenarios where you would like to integrate a sequence of operations including pushing files, running scripts, installation and maybe more logic - CDT is the answer and will continue to be the answer at least for the near future.

M_Ruszkowski
Collaborator

That is good to hear.   

I just used CDT to deploy v1.6 of the REST API to my gateways. Works great. Technically I could use Ansible for this, but since CDT is there and we use it for upgrades, it is a simple bash script that loops through the domains, auto does the generate and execute, deploys the API and moves on.

Thanks for keeping it.

M_Ruszkowski
Collaborator

Now that we went to R81.10 on 5 MDS servers and 2 MLM's, I had a chance to use the new GUI version. It doesn't work on multiple MDS servers and multiple domains. We reassigned globals and the packages do not show up on the domains.

Gregory_Azratz
Employee

Hi @M_Ruszkowski ,
We are aware of the gap in the UX regarding the MDS packages being in the global domain and not on the CMA level.
These gaps are on our roadmap.

Regarding the issue with not seeing the packages: please run the following command on your MDS machine to collect the Central Deployment from Smart Console logs, and send us the result:

collect_logs.bash

Send the collected logs to mahmods@checkpoint.com

Thanks,
Gregory
M_Ruszkowski
Collaborator

I just want to say a big thank you to the CDT team.

We just used CDT and upgraded over 100 firewalls from R80.40 to R81.10 and HFA, in 90 days with no downtime. Technically it could be done sooner...but we are still dealing with change windows and freezes.

Thank you.