CDT in Gaia Clish

Background

Starting from version 1.9.0, you can run the CDT commands from Gaia Clish with the help of the Gaia Dynamic CLI (see sk144112).

Dynamic CLI enhances Gaia Clish with commands from the Expert mode.

Each CLI command is granted with the full set of Role Based Access capabilities, from read-write granularity to a varied number of roles and permission levels (depending on your needs).

The Dynamic CLI commands have the same syntax, concept, and documentation as the Gaia Clish commands.

Dynamic CLI was created for these purposes:

  • To secure access to the "Expert" capabilities without compromising the "Expert" passwords or sharing all the "Expert" capabilities.

  • To separate between monitor roles or read-only users and administrators.

    For example, users with monitor roles can see Security Gateway logs without an access to the "Expert" space.

Installation Instructions

Management Server Version Installation Instructions

R81.10 and higher

The minimum required CDT version is integrated.

R81

Install the CDT package v1.9.0 or higher from sk111158.

R80.40

Follow these steps:

  1. Install the R80.40 Jumbo Hotfix Accumulator Take 77 or higher.

  2. Install the CDT package v1.9.0 or higher from sk111158.

  3. Run this script in the Expert mode:

    /opt/CPcdt/Clish_Cdt_Installer.py

(End of Life since Sep 2022)

R80.30

Follow these steps:

  1. Install the R80.30 Jumbo Hotfix Accumulator Take 215 or higher.

  2. Install the latest Gaia Dynamic CLI from sk144112.

  3. Install the CDT package v1.9.0 or higher from sk111158.

  4. Run this script in the Expert mode:

    /opt/CPcdt/Clish_Cdt_Installer.py

(End of Life since Sep 2022)

R80.20.M2

R80.20

R80.20.M1

R80.10

Follow these steps:

  1. Install the latest Gaia Dynamic CLI from sk144112.

  2. Install the CDT package v1.9.0 or higher from sk111158.

  3. Run this script in the Expert mode:

    /opt/CPcdt/Clish_Cdt_Installer.py

Description of Directories

During the installation, the CDT creates these directories:

Directory Description

/opt/CPcdt/CandidateListsRepository/

Repository to keep the Installation Candidates List Files that Gaia Clish users create.

Gaia Clish users have a "read" and "write" access to this directory.

For security reasons, all Installation Candidates List Files are located in this directory.

/opt/CPcdt/DeploymentPlanRepository/

Repository to keep the Deployment Plan Files that Gaia Clish users configure.

Gaia Clish users have a "read" and "write" access to this directory.

For security reasons, all Deployment Plan Files are located in this directory.

Important Note for Multi-Domain Security Management Server:

A SuperUser must manually create the Deployment Plan Files directory for each applicable Domain Management Server.

The required permissions for this directory are "read" (r), "write" (w), and "execute" (x).

Run this command in the Expert mode on the Multi-Domain Security Management Server:

mkdir –m777 /opt/CPcdt/DeploymentPlanRepository/<Name of Domain Management Server as configured in SmartConsole>

CDT Syntax in Gaia Clish

Syntax for all commands:

show cdt[ESC][ESC]

set cdt[ESC][ESC]

start cdt[ESC][ESC]

Syntax for the 'show' commands:

show cdt
      candidates
            candidates-list "<Path to Installation Candidates List File>.csv"
                  server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
                  [session <Name of Management Session without Spaces>]
      execute-output
            server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
            [session <Name of Management Session without Spaces>]
      generate-output
            server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
            [session <Name of Management Session without Spaces>]
      status
            server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
            [session <Name of Management Session without Spaces>]

Note:

The parameter "session <Name of Management Session without Spaces>" is optional (available from CDT v1.9.8).

Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Parameter Description

show cdt candidates

Shows all Installation Candidates List Files.

show cdt candidates candidates-list "<Path to Installation Candidates List File>.csv" [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Shows the specified Installation Candidates List File on the Security Management Server (in the specified Management Session).

show cdt candidates candidates-list "<Path to Installation Candidates List File>.csv" server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Shows the specified Installation Candidates List File for the specified Domain Management Server (in the specified Management Session).

show cdt execute-output

Shows the output of the last 'start cdt execute' command.

show cdt execute-output [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Shows the output of the last 'start cdt execute' (in the specified Management Session).

show cdt execute-output server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Shows the output of the last 'start cdt execute' command on the specified Domain Management Server (in the specified Management Session).

show cdt generate-output

Shows the output of the last 'start cdt generate-candidates' command.

show cdt generate-output [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Shows the output of the last 'start cdt generate-candidates' command (in the specified Management Session).

show cdt generate-output server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Shows the output of the last 'start cdt generate-candidates' command on the specified Domain Management Server (in the specified Management Session).

show cdt status

Shows the installation progress.

CDT updates this information in the background in the applicable file each 5 seconds.

show cdt status [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Shows the installation progress (in the specified Management Session).

CDT updates this information in the background in the applicable file each 5 seconds.

show cdt status server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Shows the installation progress on the specified Domain Management Server (in the specified Management Session).

CDT updates this information in the background in the applicable file each 5 seconds.

Syntax for the 'set' commands:

set cdt candidates
      candidates-list "<Path to Installation Candidates List File>.csv"
            disable-candidate <Name of Security Gateway or Cluster Member Object>
                  server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
                  [session <Name of Management Session without Spaces>]
            enable-candidate <Name of Security Gateway or Cluster Member Object>
                  server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
                  [session <Name of Management Session without Spaces>]

Note:

The parameter "session <Name of Management Session without Spaces>" is optional (available from CDT v1.9.8).

Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Parameter Description

set cdt candidates candidates-list "<Path to Installation Candidates List File>.csv"

Edits the specified Installation Candidates List File.

set cdt candidates candidates-list "<Path to Installation Candidates List File>.csv" disable-candidate <Name of Security Gateway or Cluster Member Object> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Disables the specified Security Gateway or Cluster Member object in the Installation Candidates List File (in the specified Management Session).

You must enter the name of the Security Gateway or Cluster Member object must be as configured in SmartConsole.

set cdt candidates candidates-list "<Path to Installation Candidates List File>.csv" disable-candidate <Name of Security Gateway or Cluster Member Object> server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Disables the specified Security Gateway or Cluster Member object in the Installation Candidates List File on the specified Domain Management Server (in the specified Management Session).

You must enter the name of the Security Gateway or Cluster Member object must be as configured in SmartConsole.

set cdt candidates candidates-list "<Path to Installation Candidates List File>.csv" enable-candidate <Name of Security Gateway or Cluster Member Object> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Enables the specified Security Gateway or Cluster Member object in the Installation Candidates List File (in the specified Management Session).

You must enter the name of the Security Gateway or Cluster Member object must be as configured in SmartConsole.

set cdt candidates candidates-list "<Path to Installation Candidates List File>.csv" enable-candidate <Name of Security Gateway or Cluster Member Object> server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Enables the specified Security Gateway or Cluster Member object in the Installation Candidates List File on the specified Domain Management Server (in the specified Management Session).

You must enter the name of the Security Gateway or Cluster Member object must be as configured in SmartConsole.

Syntax for the 'start' commands:

start cdt
      execute
            deployment-plan "<Path to Deployment Plan File>"
                  candidates-list "<Path to Installation Candidates List File>.csv"
                        server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
                        [session <Name of Management Session without Spaces>]
                  filter <Path to Filter File>
                        server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
                        [session <Name of Management Session without Spaces>]
      generate-candidates
            deployment-plan "<Path to Deployment Plan File>"
                  candidates-list "<Path to Installation Candidates List File>.csv"
                        server <IP Address or Name of Domain Management Server>
                  filter <Path to Filter File>
                        candidates-list "<Path to Installation Candidates List File>.csv"
                              server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]
                              [session <Name of Management Session without Spaces>]

Notes:

  • The CDT automatically looks for the specified Installation Candidates List File in the /opt/CPcdt/CandidateListsRepository/ directory.

    Example file name: "Candidates.csv"

  • The CDT automatically looks for the specified Deployment Plan File in the /opt/CPcdt/DeploymentPlanRepository/ directory.

    Example file name: "DeploymentPlan.xml"

  • SNIPPET: This explanation is for Gaia ClishThe parameter "session <Name of Management Session without Spaces>" is optional (available from CDT v1.9.8).Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Parameter Description

start cdt execute

Runs a Deployment Plan File on Security Gateways and Cluster Members.

You must specify the Installation Candidates List File.

start cdt execute deployment-plan "<Path to Deployment Plan File, including File Extension>" candidates-list "<Path to Installation Candidates List File>.csv" [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Runs the specified Deployment Plan File on Security Gateways and Cluster Members listed in the specified Installation Candidates List File (in the specified Management Session).

start cdt execute deployment-plan "<Path to Deployment Plan File, including File Extension>" candidates-list "<Path to Installation Candidates List File>.csv" server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Runs the specified Deployment Plan File on Security Gateways and Cluster Members listed in the specified Installation Candidates List File on the specified Domain Management Server (in the specified Management Session).

start cdt execute deployment-plan "<Path to Deployment Plan File, including File Extension>" filter <Path to Filter File, including File Extension> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Runs the specified Deployment Plan File on Security Gateways and Cluster Members listed in the specified Filter File (in the specified Management Session).

Description of a Filter File:

  • A plain-text file with a list of the object names of applicable Security Gateways and Clusters (not Cluster Members).

  • The object names in the file must be as they are configured in SmartConsole or SmartDashboard.

  • You must write each object name on a separate line in this file.

  • You can save this file anywhere on the hard disk.

    The CDT only reads this file (and does not modify it).

start cdt execute deployment-plan "<Path to Deployment Plan File, including File Extension>" filter <Path to Filter File, including File Extension> server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Runs the specified Deployment Plan File on Security Gateways and Cluster Members listed in the specified Installation Candidates List File on the specified Domain Management Server (in the specified Management Session).

The command runs the specified Deployment Plan File for specific Security Gateways and Cluster Members listed in the Filter File.

Description of a Filter File:

  • A plain-text file with a list of the object names of applicable Security Gateways and Clusters (not Cluster Members).

  • The object names in the file must be as they are configured in SmartConsole or SmartDashboard.

  • You must write each object name on a separate line in this file.

  • You can save this file anywhere on the hard disk.

    The CDT only reads this file (and does not modify it).

start cdt generate-candidates deployment-plan "<Path to Deployment Plan File, including File Extension>"

Creates the Installation Candidates List File.

The command runs the specified Deployment Plan File.

start cdt generate-candidates deployment-plan "<Path to Deployment Plan File, including File Extension>" candidates-list "<Path to Installation Candidates List File>.csv" [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Creates the Installation Candidates List File and saves the output to the specified file.

The command runs the specified Deployment Plan File (in the specified Management Session).

start cdt generate-candidates deployment-plan "<Path to Deployment Plan File, including File Extension>" candidates-list "<Path to Installation Candidates List File>.csv" server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Creates the Installation Candidates List File and saves the output to the specified file.

The command runs the specified Deployment Plan File on the specified Domain Management Server (in the specified Management Session).

start cdt generate-candidates deployment-plan "<Path to Deployment Plan File, including File Extension>" filter <Path to Filter File, including File Extension>

Creates the Installation Candidates List File for objects of specific Security Gateways and Clusters listed in the specified Filter File.

The command runs the specified Deployment Plan File.

Description of a Filter File:

  • A plain-text file with a list of the object names of applicable Security Gateways and Clusters (not Cluster Members).

  • The object names in the file must be as they are configured in SmartConsole or SmartDashboard.

  • You must write each object name on a separate line in this file.

  • You can save this file anywhere on the hard disk.

    The CDT only reads this file (and does not modify it).

start cdt generate-candidates deployment-plan "<Path to Deployment Plan File, including File Extension>" filter <Path to Filter File, including File Extension> candidates-list "<Path to Installation Candidates List File>.csv" [session <Name of Management Session without Spaces>]

Note - This command applies only to the Security Management Server.

Creates the Installation Candidates List File for objects of specific Security Gateways and Clusters listed in the specified Filter File.

The command runs the specified Deployment Plan File for specific Security Gateways and Cluster Members listed in the Filter File (in the specified Management Session).

The command saves the output to the specified file.

Description of a Filter File:

  • A plain-text file with a list of the object names of applicable Security Gateways and Clusters (not Cluster Members).

  • The object names in the file must be as they are configured in SmartConsole or SmartDashboard.

  • You must write each object name on a separate line in this file.

  • You can save this file anywhere on the hard disk.

    The CDT only reads this file (and does not modify it).

start cdt generate-candidates deployment-plan "<Path to Deployment Plan File, including File Extension>" filter <Path to Filter File, including File Extension> candidates-list "<Path to Installation Candidates List File>.csv" server <IP Address or Name of Domain Management Server> [session <Name of Management Session without Spaces>]

Note - This command applies only to the Multi-Domain Security Management Server.

Creates the Installation Candidates List File for objects of specific Security Gateways and Clusters listed in the specified Filter File.

The command runs the specified Deployment Plan File on the specified Domain Management Server (in the specified Management Session).

The command saves the output to the specified file.

Description of a Filter File:

  • A plain-text file with a list of the object names of applicable Security Gateways and Clusters (not Cluster Members).

  • The object names in the file must be as they are configured in SmartConsole or SmartDashboard.

  • You must write each object name on a separate line in this file.

  • You can save this file anywhere on the hard disk.

    The CDT only reads this file (and does not modify it).

Gaia Clish Permissions for CDT Commands

To run specific CDT commands in Gaia Clish, a Gaia administrator must configure the feature cdt in the applicable user role.

CDT Commands in Gaia Clish Gaia Clish Requirement

show cdt

There are no requirements.

set cdt

To run these commands, a Gaia administrator must configure the feature cdt (Central Deployment Tool) with the Read / Write permission in the applicable user role.

start cdt

To run these commands, a Gaia administrator must configure the feature cdt (Central Deployment Tool) with the Read / Write permission in the applicable user role.

For more information about Gaia roles, see the Gaia Administration Guide for your version of the Management Server (Chapter "User Management").

Examples

MgmtServer> show cdt candidates candidates-list test.csv
Central Deployment Tool Candidates List:
=========================================

****************************
Generation time: 23-09-2020 15:48:21
This installation candidates list was generated for use with the following deployment plan (Name, MD5 sum):
/var/log/CPcdt/logs_2020-09-23-15-47-43/DepPlan.xml, 67f3b9a71a5c3b8d51c51c9c1d63f3bb
****************************

         Object Name ,         Cluster Name ,      IP Address ,  Version/JHF Take ,                State , Upgrade Order
========================================================================================================================


                 gw1 ,             cluster1 ,     172.29.0.80 ,        R80.20/205 ,               active ,             1
                 gw2 ,             cluster1 ,     172.29.0.79 ,        R80.20/205 ,              standby ,             1

MgmtServer> show cdt status
==================================================== Current execution status ====================================================

Deployment plan file: /var/log/CPcdt/logs_2020-09-23-15-53-43/DepPlan.xml

Initialize all candidates for execute

Last updated at: 15:54:19

MgmtServer> show cdt generate-output
Wed Sep 23 15:47:43 2020 *E* [Main]: The SendTo setting in the CentralDeploymentTool.xml file is not empty, but an email server is not configured in Gaia. Notification email will not be sent.
Wed Sep 23 15:47:45 2020 *A* [Main]: Central Deployment Tool (version 1.9.0 build #990180576)
Wed Sep 23 15:47:45 2020 *A* [Main]: ========================================================

Wed Sep 23 15:47:45 2020 *A* [Main]: Current execution logs are in: /var/log/CPcdt/logs_2020-09-23-15-47-43/
Wed Sep 23 15:47:45 2020 *N* [Main]: Please wait while generating the installation candidates list...
Wed Sep 23 15:47:45 2020 *N* [Main]: This process may take a few minutes.
Wed Sep 23 15:48:21 2020 *N* [Main]: The generated candidates list is: /opt/CPcdt/CandidateListsRepository/test.csv

Wed Sep 23 15:48:21 2020 *N* [Main]:
Central Deployment Tool Candidates List:
=========================================

****************************
Generation time: 23-09-2020 15:48:21
This installation candidates list was generated for use with the following deployment plan (Name, MD5 sum):
/var/log/CPcdt/logs_2020-09-23-15-47-43/DepPlan.xml, 67f3b9a71a5c3b8d51c51c9c1d63f3bb
****************************

         Object Name ,         Cluster Name ,      IP Address ,  Version/JHF Take ,                State , Upgrade Order
========================================================================================================================


                 gw1 ,             cluster1 ,     172.29.0.80 ,        R80.20/205 ,               active ,             1
                 gw2 ,             cluster1 ,     172.29.0.79 ,        R80.20/205 ,              standby ,             1

Wed Sep 23 15:48:21 2020 *N* [Main]: Total execution time: 0 hours 0 minutes 37 seconds

MgmtServer> set cdt candidates candidates-list test.csv disable-candidate gw1
Candidate file was changed successfully.

MgmtServer> start cdt generate-candidates deployment-plan DepPlan.xml candidates-list test.csv
Operation started. To see the command result view the output.(ID: 1)

MgmtServer> start cdt execute deployment-plan DepPlan.xml candidates-list test.csv
Operation started. To see the command result run: show cdt status...(ID: 2)