Hi Checkmates community,
My name is Gregory. My group and I are responsible for different tools for machine provisioning and monitoring, like CPUSE, CDT, Zero Touch, Blink, CPView and more…
In this post I would like to talk to you about a “new-ish” capability that we introduced in a recent version that allows you to keep your Gaia Security Gateways up to date from the comfort of your SmartConsole.
Starting with R81, we have added the option to install Hotfixes and Major versions on multiple gateways and clusters (while performing all needed operations to ensure zero downtime).
You can check a short video that describes this capability
I’m reaching out in order for me and my group to get feedback about this capability –
Thanks,
Gregory
Yes, with R80.40 only Jumbo fixes are the option. Unfortunately, the error message already got washed away. Well, if I encounter another error with the next Jumbo fix, I will post the update.
In my view automation is about tools like Ansible, not clicking buttons in SmartConsole. So how can we do real automation here? For example, Ansible playbooks to manage this all.
I respectfully disagree, automation is not only about Ansible. 🙂
In this specific case, please let us know which APIs and automation-related features you miss. And I hear what you said already, you do want this to be present in Ansible.
I can kind of see the distinction. This feels like mechanization: a machine doing an exact series of steps under human direction. A human must still initiate the process via SmartConsole, right?
In the future, it would be nice if we could build a longer workflow, especially with integration with other tools. New GA jumbo release? A tool opens a series of tickets in my ticket tracking system. When the tickets are approved through my change control process, another tool schedules the upgrades to be executed in waves (this group of firewalls first, then the next group a week later, then another group a week after that, and so on) via CDT in appropriate windows for each firewall.
It would be nice to have API calls to:
@Gregory_Azratz this is for you 🙂
Hi @Bob_Zimmerman,
Thanks for the feedback.
It would be great if we could have a short session so we can fully understand how you currently install/upgrade your CP systems, and what the perfect solution would be for you.
Regarding the API calls -
I've mostly been targeting APIv1.3, and it turns out I completely missed the Software Package section in the APIv1.7 documentation. Neat!
For the "Get a list of packages available on the User Center" part, it doesn't have to be an API call against the management server. It could be against some well-defined public endpoint. I just want some way to get the authoritative list of "Here's all the official packages" to programmatically discover that I'm missing an update without a human having to read an SK article. I then want to use this knowledge to file a bunch of tickets via my ticket tracking system's API. Ideally, the first awareness a human should have of this is "Hey, we have a firewall update scheduled. Does that date conflict with anything else?"
I guess I can get the major and minor version from the objects in the management. The human-defined property shouldn't ever be incorrect, or policy push wouldn't work properly. All I'm really missing now is the ability to identify that there's a newer version out and get the name of the newer package to feed to the rest of the calls.
Hi @Hugo_vd_Kooij,
Regarding automation - we always try to work with an API-first approach.
So for each option that you see in SmartConsole there is an API command that can do the same and much more.
On top of that API you can use any tool that fits your needs - Ansible, Terraform, etc.
You can check the following API documentation
I finally have most of my managements (we've acquired several companies, and haven't had time to merge the managements) upgraded to R81.10, and I've been using this feature. Just upgraded a firewall from R80.30 to R81.10 in ten minutes. It's great.
I did hit one weird glitch. My management server and the firewall I was about to upgrade both had CPUSE 2205. I told the management to start the upgrade on the firewall, and it complained that I had to update CPUSE first. Turns out the firewall had somehow found out about CPUSE 2208, but the management server didn't know about it yet. The firewall can't connect out to the Internet (so I'm really not sure how it found out about 2208), and running 'installer agent update' on the management told me there was no update. Eventually, I downloaded 2208 from the Support Center, uploaded it to the management, copied it to the firewall via cprid_util putfile, installed it on both, then the upgrade worked.
This definitely wasn't a big problem, but it was surprising given how little manual intervention the tool takes otherwise. It would be nice if the firewall's knowledge of a newer version didn't prevent the management from working on it.
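As an added illustration (not part of any post above, and not Check Point code): a sketch of the planning step from the workflow discussed in this thread, with upgrade waves a week apart and a pre-flight check for the CPUSE version mismatch reported in the last post. Gateway names, take numbers, dates and the inventory and catalogue structures are constructed; in practice they would come from the management API and an authoritative package list.

```python
from datetime import date, timedelta

# Constructed sample data: names, jumbo takes and wave assignments are illustrative.
CATALOGUE = {"R81.10": 95, "R81": 82}   # newest GA jumbo take per version (hypothetical)
MGMT_CPUSE_BUILD = 2205                 # newest CPUSE build the management knows about
INVENTORY = [
    {"name": "fw-lab-1",    "version": "R81.10", "take": 95, "cpuse_known": 2205, "wave": 0},
    {"name": "fw-branch-1", "version": "R81.10", "take": 87, "cpuse_known": 2205, "wave": 1},
    {"name": "fw-dc-1",     "version": "R81.10", "take": 87, "cpuse_known": 2208, "wave": 2},
    {"name": "fw-dc-2",     "version": "R81",    "take": 82, "cpuse_known": 2205, "wave": 2},
]


def plan_upgrades(inventory, catalogue, mgmt_cpuse, first_window, wave_gap_days=7):
    """Return one planned change per gateway that is behind the newest take.

    Each entry carries the maintenance window for its wave and a list of
    blockers a human must clear before the change can run unattended.
    """
    plan = []
    for gw in sorted(inventory, key=lambda g: (g["wave"], g["name"])):
        newest = catalogue.get(gw["version"])
        if newest is None or gw["take"] >= newest:
            continue  # unknown version or already current: nothing to schedule
        blockers = []
        # Pre-flight for the glitch described in the thread: the gateway knows
        # of a newer CPUSE build than the management does, so the upgrade is
        # refused until both sides run the same agent.
        if gw["cpuse_known"] > mgmt_cpuse:
            blockers.append(
                f"update CPUSE to {gw['cpuse_known']} on management and gateway first"
            )
        plan.append({
            "gateway": gw["name"],
            "from_take": gw["take"],
            "to_take": newest,
            "window": first_window + timedelta(days=wave_gap_days * gw["wave"]),
            "blockers": blockers,
        })
    return plan


if __name__ == "__main__":
    for change in plan_upgrades(INVENTORY, CATALOGUE, MGMT_CPUSE_BUILD, date(2025, 1, 6)):
        state = "BLOCKED: " + "; ".join(change["blockers"]) if change["blockers"] else "ready"
        print(change["window"], change["gateway"],
              f"take {change['from_take']} -> {change['to_take']}", state)
```

Each returned entry maps to one change ticket; entries with blockers should be held out of the automated wave until the blocker is cleared.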