This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
saitoh
Collaborator
‎2024-09-30 01:50 AM

Your personal experience on CDT

Hi all,

 

I am scrutinising how Central Deployment Tool works, and especially how stable it works.

If it does enough, I will consider introducing this utility into our deployment service so that each upgrade project would require less labour.

 

 

Here I am inquisitive as to your personal experience; have you ever seen CDT not working as expected?

Also, I heard CDT does take RMA backup and restore.

It would be lovely if someone shares your story where you use CDT for RMA procedure.

Any comments are highly appreciated!

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
6 Replies
the_rock
Legend
Legend
‎2024-09-30 04:16 AM

Here is my personal experience. I tried it few times, it never worked right with major upgrades in the lab. However, as far as jumbo hotfixes, no issues. I will say though, last time I tried R81.10 to R81.20 and worked fine, so my impression is that it has gotten better with later codes.

Best,

Andy

Amir_Senn
Employee
Employee
‎2024-09-30 08:24 AM

Always worked well for me. Best tool to upgrade multiple GW solutions.

Kind regards, Amir Senn
Bob_Zimmerman
Authority
Authority
‎2024-09-30 10:51 AM

I'm firewall team lead for a pretty big company. Five years ago, almost all of our firewalls were running code at least 18 months old. Today, 55% of my environment is on R81.20 jumbo 76 (recommended 2024-07-31) or 84 (recommended 2024-09-18). CDT isn't the only factor in this change, but it's a big one.

Upgrades with cross-version sync (previously called a "full connectivity upgrade", then "connectivity upgrade", now "multi-version cluster upgrade") have several opportunities to cause an outage by forgetting a step. CDT mechanizes the process so there's no chance to forget these steps.

We've had some problems upgrading VSX clusters, but the last several have been successful. Normal clusters upgrades took us a few tries to get down, but they've been perfect since about halfway through taking our environment from R80.40 to R81.10. Now we're mostly on R81.20 and the upgrades have been smooth. I just upgraded three clusters in a single action in August.

We use CDT for jumbos everywhere. Together with a lot of focus on eliminating differences between cluster members, it has been a while since anybody has noticed a problem when we install a jumbo. Two weeks ago, I installed R81.20 jumbo 84 across six clusters at the same time in one CDT action.

Better reliability leads to being able to do more clusters in one window, which leads to vastly less paperwork and fewer meetings required to stay up to date.

CaseyB
Advisor
‎2024-09-30 02:00 PM

I've used it exclusively for applying JHF only within the R81.10 train to our deployment of firewalls, it works well. I like the process and would recommend it.

saitoh
Collaborator
‎2024-09-30 10:00 PM

Dear 4 of masters; @the_rock , @Amir_Senn , @Bob_Zimmerman , and @CaseyB ,

 

Thank you very much for providing your personal comments/experience, which is really insightful.

It is intriguing that two of you pointed out when conducting major upgrade plan, it would have not gone right.

Also, I am happy to hear no one here have experienced any error in implementation of JHF with CDT.

 

In particular, @Bob_Zimmerman 's comment about eliminating diffs between cluster members let me understand how to make full use of CDT.

I almost forgot that you can have it run the script you create...

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
the_rock
Legend
Legend
‎2024-10-01 03:19 AM
In response to saitoh

I hear from people that works well in R81.20, even for major upgrades. So say your mgmt server is R81.20 and one of your gw's is R80.40, supposedly it goes well using CDT to bump it to R81.10 or R81.20. I never tested that in the lab, butmay try it.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top