Deployment Plan File

In the CDT Advanced Mode (see Advanced Mode), you can configure a sequence of actions for remote Security Gateways and Cluster Members in a user-defined XML file called the "Deployment Plan File". You create this XML file in a desired location with a desired name.

The XML structure of a Deployment Plan File:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
    <name value="YOUR NAME" />
    <description value="YOUR DESCRIPTION" />
    <update_cpuse value="true" />
    <connectivityupgrade value="true" />
  </plan_settings>

  <!-- YOUR COMMENT FOR THIS ACTION -->
  <ACTION ATTRIBUTE="VALUE" />

  <!-- YOUR COMMENT FOR THIS ACTION -->
  <ACTION ATTRIBUTE="VALUE" />

  ....

 </CDT_Deployment_Plan>

Plan Settings

The "<plan_settings>" section in a Deployment Plan File contains:

| Attribute | Default value | Description |
|---|---|---|
| name | None | Holds the name of the Deployment Plan File. |
| description | None | Holds the description of the Deployment Plan File. |
| update_cpuse | true | Specifies whether to update the CPUSE Agent on a remote Security Gateway before CDT does other actions. |
| connectivityupgrade | true | Specifies whether to keep the current connections when you upgrade a cluster. |

If the value of the "connectivityupgrade" attribute is "true", CDT uses the:

  • Multi-Version Cluster (MVC) Upgrade when you upgrade to R80.40 or higher.

  • Full Connectivity Upgrade (FCU) when you upgrade to R80.30 or lower.

Supported Actions

You can configure actions in a Deployment Plan File.

Important - By default, each action has a blocking behavior (has the implied attribute iscritical="true").

If an action fails, then the CDT stops the entire deployment.

You can configure the applicable actions as non-blocking.

If you do so and the action fails, the CDT continues to the next specified action.

To configure an action as non-blocking, at the end of the action syntax add this attribute: iscritical="false"

Example:

<execute_script path="/home/admin/cdt/preScript.sh" iscritical="false" />

Table: Supported actions

Supported Action

Description and Attributes

create_snapshot

Creates a Gaia snapshot.

Attributes:

  • name - The name of the snapshot to create.

  • description - The description of the snapshot.

Example:

<create_snapshot name="Backup_JHA" description="Backup snapshot before Jumbo Hotfix Accumulator installation" />

download_from_cloud

Downloads a package from the Check Point Cloud with CPUSE.

Attributes:

  • path - Path to the package file on the Management Server (you must provide the package on the Management Server, even if the Security Gateways download it directly from the Check Point Cloud).

Example:

<download_from_cloud path="/var/log/Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL.tar" />

execute_command

Runs a command on the Security Gateway in Bash shell (Expert mode).

Note - Do not use special characters in your command (">", "|", "*", or other Bash-specific characters).

Attributes:

  • command - The command you run.

Example:

<execute_command command="cphaconf mvc on" />

execute_script

Runs a user shell script on the Security Gateway.

Notes:

  • All user scripts configured for the CDT to run must contain full paths for each instance of a file.

  • Reboot is not allowed in the user script. The script must exit with a return code. To reboot the Security Gateway, use exit code 222.

Attributes:

  • path - The full local path to the user script file on the Management Server.

  • execute_always - Optional. If the value is set to "true", always runs the specified script. The default value is "false".

Example:

<execute_script path="/home/admin/GetInformation.sh" execute_always="true" iscritical="false" />

import_package

Sends a package to the remote Security Gateway (to the /var/log/upload/ directory) and imports it with CPUSE.

If you already sent the package with the "send_package" action, this action only imports the package on the remote Security Gateway.

Required before you install the package.

Attributes:

  • path - The full path on the Management Server to the package file you send.

Example:

<import_package path="/var/log/Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL.tar" />

install_package

Installs a package with CPUSE and validates that security policy is installed.

When you upgrade one Security Gateway, runs the Prepare New Policy test before the package installation to make sure there is an updated policy for the Security Gateway to fetch.

When you install a Hotfix on a cluster, runs the Cluster Validation test after policy validation.

Attributes:

  • path - The full path on the Management Server to the package file you install.

Example:

<install_package path="/var/log/Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL.tar" />

log

Generates a log message.

Attributes:

  • level - The logging level of this message (DEBUG, NORMAL, ERROR, ALWAYS).

  • value - The message text.

Example:

<log level="NORMAL" value="Finished installing a major upgrade." />

pull_file

Downloads a file from the remote Security Gateway to the Management Server.

The file is saved with a prefix of the Security Gateway's object name (for example, cluster01a_myfile.txt).

Attributes:

  • remote_path - The full remote path and filename you download on the remote Security Gateway. Use a full path with a file name, not only a directory.

  • local_dir - The full path on the Management Server to the directory, where you save the downloaded file.

Limitations:

  • The size of the file must be less than 1 GB.

Example:

<pull_file remote_path="/var/log/MyFile.txt" local_dir="/var/log/" />

push_file

Uploads a file from the Management Server to the remote Security Gateway.

Attributes:

  • local_path - The full local path and filename on the Management Server to the file you upload.

  • remote_path - The full remote path and filename on the remote Security Gateway, where you upload the file.

Example:

<push_file local_path="/var/log/MyFile_for_GW1.txt" remote_path="/var/log/MyFile.txt" />

reboot

Reboots the remote Security Gateway.

Attributes:

  • None.

Example:

<reboot/>

send_email

Sends an email message.

Attributes:

  • to - The email recipient.

  • subject - The email subject.

  • body - The email body.

Example:

<send_email to="admin@example.com" subject="Major upgrade was completed" body="Finished the installation of R81 major upgrade, preparing to install the R81 JHA" />

send_package

Sends a package to the remote Security Gateway (to the /var/log/upload/ directory) and does not import it with CPUSE.

Required before you install the package.

Attributes:

  • path - The full path on the Management Server to the package file you send.

Example:

<send_package path="/var/log/Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL.tar" />

uninstall_cpuse_package

Uninstalls a package with CPUSE.

Attributes:

  • filename - The file name (not the full path) of the package file you uninstall.

Example:

<uninstall_cpuse_package filename="Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL.tar" />

uninstall_legacy_package

Important - This action is deprecated in CDT v1.9.4 and higher.

Uninstalls a legacy package (a package that was installed with the Legacy Installation procedure in Expert mode CLI).

Attributes:

  • filename - The Hotfix name you uninstall.

Example:

<uninstall_legacy_package filename="R77_30_JHF_HF1.tgz" />

verify_package

Examines an imported package with CPUSE to determine whether it is possible to install it on the remote Security Gateway.

You must import the package on the remote Security Gateway.

Attributes:

  • path - The full path on the Management Server to the package file you examine.

Example:

<verify_package path="/var/log/Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL.tar" />
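
The rules in the table above can be checked before CDT runs a plan. The Python code below is an added example, not Check Point code: lint_plan and SAMPLE are hypothetical names, and it assumes that every attribute not marked "Optional" is mandatory, that the Bash special characters extend beyond the three the page names, and that download_from_cloud counts as an import.

```python
import re
import xml.etree.ElementTree as ET

# Attributes the page lists per action, minus the one it marks "Optional".
REQUIRED = {
    "create_snapshot": {"name", "description"}, "download_from_cloud": {"path"},
    "execute_command": {"command"}, "execute_script": {"path"},
    "import_package": {"path"}, "install_package": {"path"}, "reboot": set(),
    "log": {"level", "value"}, "pull_file": {"remote_path", "local_dir"},
    "push_file": {"local_path", "remote_path"}, "send_package": {"path"},
    "send_email": {"to", "subject", "body"}, "verify_package": {"path"},
    "uninstall_cpuse_package": {"filename"}, "uninstall_legacy_package": {"filename"},
}
PATH_ATTRS = ("path", "local_path", "remote_path", "local_dir")
# The page names ">", "|" and "*"; the remaining characters are an assumption.
SHELL_META = re.compile(r"[>|*<&;$`(){}\[\]?~!\\]")

def lint_plan(xml_text):
    """Lint a Deployment Plan File; hypothetical helper, not part of CDT."""
    root = ET.fromstring(xml_text)
    findings, imported = [], set()
    for n, act in enumerate((e for e in root if e.tag != "plan_settings"), 1):
        tag, a, where = act.tag, act.attrib, f"action {n} <{act.tag}>"
        if tag not in REQUIRED:
            findings.append(f"{where}: not a supported action")
            continue
        for missing in sorted(REQUIRED[tag] - set(a)):
            findings.append(f"{where}: missing attribute {missing}")
        if a.get("iscritical", "true") not in ("true", "false"):
            findings.append(f"{where}: iscritical must be true or false")
        findings += [f"{where}: {k} is not a full path"
                     for k in PATH_ATTRS if k in a and not a[k].startswith("/")]
        if tag == "execute_command" and SHELL_META.search(a.get("command", "")):
            findings.append(f"{where}: command contains Bash special characters")
        if tag in ("import_package", "download_from_cloud"):
            imported.add(a.get("path"))  # download_from_cloud counted by assumption
        if tag in ("install_package", "verify_package") and a.get("path") not in imported:
            findings.append(f"{where}: package is not imported by an earlier action")
    return findings

# Constructed sample plan with four deliberate mistakes.
SAMPLE = """<CDT_Deployment_Plan>
  <plan_settings><name value="lint demo" /></plan_settings>
  <execute_command command="ls /var/log > /tmp/listing.txt" />
  <push_file local_path="MyFile.txt" remote_path="/var/log/MyFile.txt" />
  <install_package path="/var/log/constructed_package.tar" />
  <import_package path="/var/log/constructed_package.tar" />
  <reboot iscritical="no" />
</CDT_Deployment_Plan>"""
```

Calling lint_plan(SAMPLE) returns one finding for each of actions 1, 2, 3 and 5; a plan that follows the table returns an empty list.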

Example Deployment Plan Files

This section provides example Deployment Plan Files.