This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gregory_Azratz
Employee
Employee
‎2021-08-23 03:41 AM

A simple way to keep your Security Gateway up-to-date – we want to hear what you think!

Hi Checkmates community,

My name is Gregory, my group and I are responsible for different tools for machine provisioning and monitoring like – CPUSE, CDT, Zero Touch, Blink, CPveiew and more…

In this post I would like to talk to you about a “new-ish” capability that we introduced in recent version that allows you to keep you Gaia Security Gateways up to date from the comfort of your smart console.

Starting R81, we have added the option to install Hotfixes and Major version to a multiple gateways and clusters (while performing all needed operation to ensure zero down time)

You can check a short video that describes this capability

[video]

I’m reaching out in order for me and my group to get feedback about this capability –

  1. Used it and loved it, Awesome :), tell us what you liked about it?
  2. Used it but stopped, Bummer :(, tell us why?
  3. Want to use it for your next upgrade but have some question, we are here for you.

Bottom line – your feedback will be a major factor in deciding the roadmap for this capability and future enhancements so leave a comment with your inputs.

Thanks,
Gregory

Labels
38 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-08-23 08:14 AM

Nice to get a central repository into Dashboard ! Install Hotfix and Update make this a good solution.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JozkoMrkvicka
Authority
Authority
‎2021-08-23 12:50 PM

1. Install the latest cpinfo utility

2. Install the latest CPUSE agent

3. Install the latest LOM firmware

All of them online (from Check Point Cloud), or offline (uploding files to management).

All of above mentioned options available within SmartConsole. Possibility to have separate package repository (hotfix, major upgrade, cpinfo, LOM, ...) and history which exact package was installed at which gateway and when.

Kind regards,
Jozko Mrkvicka
Gregory_Azratz
Employee
Employee
‎2021-08-30 02:35 AM
In response to JozkoMrkvicka

thanks for the feedback, we will look into your suggestion

Albin
Contributor
Contributor
‎2021-08-23 11:10 PM

We want to use it but there are two reasons we havn't.

We still need to modify Remote access files (Disable automatic mep & some other custom modifications) and it would be nice if there was some kind of scheduling feature, so that we could prepare all upgrades in advance and only verification would be required. We usually upgrade several clusters at the same time, so concurrent upgrades does sound great.

Due to the issues I just mentioned we have not tried it too much, so I don't know if there's a Upgrade + Hotfix queue which you can do, but that's something that would be good as you usually install a Jumbo hotfix directly after the upgrade. While not as common nowadays for us, it should allow to queue private fixes as well.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-08-24 01:08 AM
In response to Albin

Can you explain how needed edits in trac_client_1.ttm are an issue with this new capability ? Anyway you perform the upgrade, manual editing trac_client_1.ttm is always part of the procedure...

Did you see the video ? It shows Upgrade and HF install !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Albin
Contributor
Contributor
‎2021-08-24 01:33 AM
In response to G_W_Albrecht

Well, personally I don't think it help me too much if it is not to help me do upgrades without logging into to the box and do procedures anyways, so I have not seen too much of a need for this procedure. 

I did see the video. It did not show what I asked for, queueing for Upgrade and then hotfix install automatically. The video showed hotfix install on other GW's at the same time that another cluster was being upgraded. To be clear what I would like to do is to hit upgrade to R81 and then install Jumbo hotfix X, without having to wait for the upgrade to complete in order to queue it. That might exist, but it is not what was shown.

If there is a repo for the software and a feature to push it out, it would be nice if it could be used to also automate the upgrades more, which is what I tried to feedback on.

Gregory_Azratz
Employee
Employee
‎2021-08-30 02:39 AM
In response to Albin

Hi,

first of all thanks for the feedback.

regarding the file modification - currently we don't have the option to add a script/command for pre/post upgrade action, but we do going to be looking into it.

regarding the need to install a major version reboot and install an HF - we already have a solution for that, instead of using the regular "standard" package you can use a new type of package that is called blink - its already integrated into CPUSE - its basically a hybrid package that consist of base version and HF (for example R81 + jumbo take 18)
You can install this new type of package via this option as well thus saving you the need for 2 installation and multiple reboots

 

Albin
Contributor
Contributor
‎2021-08-30 03:40 AM
In response to Gregory_Azratz

Hi Gregory,

Thanks for your response.

I am aware of blink images, I tested it but there are some limitation that it seems you can't uninstall Jumbo hotfix if you install with blink, meaning you can't downgrade Jumbos if you run into issues. Hence, we do prefer normal installation as it gives flexibility if you run into issues such as a bug. Maybe it is possible, but I did not find any way or documentation that stated otherwise. So I would still love to see the queueing mechanism. But I understand if blink is the new go-to that you won't do it...

My colleague mentioned issues with restoring backups with Blink images (From device without blink), however that can probably be fixed  by using force flag. 

0 Kudos
Gregory_Azratz
Employee
Employee
‎2021-08-31 12:24 AM
In response to Albin

Hi Albin,

The HF inside a blink image is a standard CPUSE installation, and can be removed or to allow you to install a newer version of the jumbo, so uninstalling the HF should be possible unless its a mandatory HF that is part of the GA

adding @Dov_Fraivert, so we can get more information on both problems and see if we can provide some solutions

0 Kudos
nasa
Participant
‎2022-02-02 01:21 AM
In response to Gregory_Azratz

uninstall HF inside blink ? Is this a new feature in R81 ?
With R80 I found no way to uninstall JHF from these blink images. So no way to use blink for us.

0 Kudos
Gregory_Azratz
Employee
Employee
‎2022-02-03 03:48 AM
In response to nasa

Hi @nasa 

from our POV - the blink image is a bundle which contains both the major version and possible Jumbo.
so you cannot uninstall the jumbo that comes pre-installed in the blink image.
however future jumbos that will be installed on top of that via CPUSE can be uninstalled if needed.

can you describe the use case where you want to use blink and uninstall the Jumbo, you can use blink image containing only the major version



0 Kudos
S_E_
Advisor
‎2021-08-24 04:01 AM

Jm2c

  • Used it and loved it, Awesome
    • Still running R80.40 but tested install HF to cluster gateways. Very Good.
    • No automatic, vendor forced update mechanism. Very Good
    • Zero downtime is a must.
  • Used it but stopped, Bummer
    • On R80.40, no repository feature. 
    • No extended logging
  • Want to use it for your next upgrade but have some question, we are here for you:
    • AFAIK there is no downgrade feature / uninstall HF (in SmartConsole)
    • No Snapshot menu in SmartConsole
    • View extended log via SmartConsole
    • LOM updates...
    • DA updates

I believe it is definitively the right direction. Great.

Regards

0 Kudos
Gregory_Azratz
Employee
Employee
‎2021-09-11 11:43 PM
In response to S_E_

Hi,

Thanks for the feedback.

regarding the uninstall/downgrade we will look into integrating this into our roadmap.

regarding snapshots - in case you are performing major upgrade, CPUSE will create a snapshot which will allow you to revert in case you have issues with the new version.

regarding the extended logs - can you provide some more details about this request

0 Kudos
S_E_
Advisor
‎2021-09-14 01:40 AM
In response to Gregory_Azratz

@Gregory_Azratz wrote:

Hi,

regarding snapshots - in case you are performing major upgrade, CPUSE will create a snapshot which will allow you to revert in case you have issues with the new version.

regarding the extended logs - can you provide some more details about this request

Revert snapshot via SmartConsole does work?

If I have to ssh/serial console to the gateway for a revert snapshot, then I could also you the classical CPUSE.

I was under impression that the whole upgrade/downgrade/hotfix will be possible via SmartConsole.

 

With extendend log, I meant something like meaningful logs (start update node1, reboot, failover,healthcheck ok,...)

 

Regards

 

 

 

0 Kudos
ScottR
Employee
Employee
‎2021-08-30 11:03 AM

All-in-all, I like the direction and simplicity of being able to upgrade via SmartConsole.  Is that a Role-Based function in the GUI?  Also, I have a customer that is required to have the ability to rollback/uninstall to a previous version/hotfix.  Will that be a menu item available through the SmartConsole as well as through the appliance's WebUI?

0 Kudos
Gregory_Azratz
Employee
Employee
‎2021-09-23 04:38 AM
In response to ScottR

Hi 

yes, the user must have Manage Licenses and Packages permissions.

regarding the rollback/uninstall its on our roadmap, but for now this option is available from the Gaia webUI / via CDT

0 Kudos
FXB
Contributor
‎2021-08-31 02:06 AM

The feature is looking great, for sure one of the better reason to upgrade to R81.

I am not sure if it is just not shown in the video but is there a way to schedule the upgrades? We got gateways in many different timezones and want to upgrade/reboot them at the specific local time so a schedule feature (which calculates the local times at best) would be good to have.

0 Kudos
Gregory_Azratz
Employee
Employee
‎2021-09-11 11:55 PM
In response to FXB

thanks for the suggestion, we will defiantly add this scenario into our future releases roadmap

0 Kudos
Daniel_
Advisor
‎2021-09-01 12:07 AM

Looks good.

Can you add an option that we have to click "Okay" for the failover? Sometimes we have to contact some customer first and do the failover during a call so everybody can view there services on time....

Gregory_Azratz
Employee
Employee
‎2021-09-05 03:23 AM
In response to Daniel_

this capability will be added in R81.20 , you will be able to install only the first member + failover (optional) and once you are OK with the result you will be able to start another job which will complete the 2nd member installation 

Perry_McGrew
Collaborator
‎2021-09-13 08:21 AM
In response to Gregory_Azratz

Having a Central Depository for JHF in SmartConsole was nice.  I tried it out applying JHF 9 to my standalone R80.10 GWs.    I have a pair of 5800's running in HA ClusterXL.  I did NOT use this it as I was not sure the order the JHF would be applied.  I always apply to Passive member first and once its back up and re-joined the HA cluster, I manually fail over the current Active member to the now updated Passive member.  Once I see traffic, I apply the JHF to the  now Passive member.   Is this the feature you speak will be in R81.20?   Also it appears I could not use this feature to apply JHF to my Mgt or standalone SmartEvent servers.   Will they be included in R81.20? 

0 Kudos
AntiSpoofing
Explorer
Explorer
‎2021-09-08 10:51 AM

Gregory,

Although it looks really nice, I have a method that is much slower and less prone to fail; but it works for me.  For a given cluster I run 4 individual ssh sessions and I verify that the connections table are within 10%. (Active/READY) Does the sync feature mean there are no dropped connections? (fw tab -t connections -s)

Again - seems like SmartUpdate v.2

0 Kudos
Gregory_Azratz
Employee
Employee
‎2021-09-23 03:46 AM
In response to AntiSpoofing

Hi @AntiSpoofing,

Thanks for sharing feedback and internal flow that you use.
When we upgrade a cluster - we use the best practices in order to achieve zero downtime for supported connections type.

regarding Smart Update - yes you are correct regarding the similarity,
but our goal is to create a single place for all the options instead of using different applications, in addition for supporting different machines type and complex flows.

0 Kudos
Martin_Valenta
Advisor
‎2021-09-14 12:04 AM

  1. CDT - great improvement for management
  2. Used to use CDT for patching/upgrades, but after adding install hotfix option via SmartConsole > install hotfix action.
  3. Gaia Embedded images - how to upgrade them quickly via management via official tool without LSM and SmartProvision? Gaia embedded still doesn't support One time Scripts and neither cannot install image as with Gaia OS. why there is still limiation?
    We do currently use below method from MDS to push image to SMB gateway and initiate upgrade:
    $CPDIR/bin/cprid_util -server xxxx -verbose rexec -rcmd bash -c 'mkdir /storage/firmware/;cd /storage/firmware/;curl_cli -k  -O   https://awesome.server/cpstuff/R80_20.img;/pfrm2.0/bin/cloud_upgrade.sh'
0 Kudos
Gregory_Azratz
Employee
Employee
‎2021-09-23 03:42 AM
In response to Martin_Valenta

Hi @Martin_Valenta,

thanks for the feedback

We are working on supporting SMB devices via SMC, in a similar flow like we did with Gaia machines - 
We are targeting this capability to one of the upcoming check point releases

0 Kudos
Christian_Koehl
Collaborator
Collaborator
‎2022-01-19 02:03 AM

Hi,


is a VSX Cluster update supported via Smart Console?

I have running a MDM with 81.10 and a VSX cluster with R80.40 and like to update the cluster also to R81.10

 

Best regards,

Christian

Gregory_Azratz
Employee
Employee
‎2022-01-25 11:40 PM
In response to Christian_Koehl

Hi @Christian_Koehl,

yes you will have the option to upgrade the VSX cluster.

we do have limitation for VSLS cluster - one by one is currently not supported, only as a single action

Boris_Karnaukh
Participant
‎2022-02-07 09:27 PM

i am still on R80.40 SmartCenter. 

I did a small test run on single gateway. jumbo hot fix got installed properly, but I have got in the end message stating that upgrade failed.

I suspect it happened because I am using MDPS (Management and Data plane separation) with this firewall. I read it as a post-upgrade check failure.

In any case I will be planning a cluster upgrade soon. Looks like I will give it a try once more.

0 Kudos
Boaz_Orshav
Employee
Employee
‎2022-02-08 03:49 AM
In response to Boris_Karnaukh

Hi Boris

  Just to clarify - when you say "upgrade" you mean upgrading the Jumbo take, correct?

  Will appreciate if you send me the error you got (boazo@checkpoint.com)

Thanks

Boaz

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top