Advanced Mode

Introduction:

CDT Advanced Mode completes a Deployment Plan on each remote Security Gateway. The Deployment Plan can run a number of actions one after the other. For the full list of actions, see Deployment Plan.

Workflow:

  1. Connect to the command line on the Management Server you use for package distribution.
  2. Log in to Expert mode.
  3. Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole.
  4. Install the CDT RPM package (if it is not already installed on your system) from sk111158.
  5. Edit the CentralDeploymentTool.xml file to change the settings:
    • Configure the CPUSE element to specify the absolute path to the CPUSE RPM package.
  6. Edit the Deployment Plan XML file with the actions sequence as described in the Deployment Plan section. To save deployment time, you can create a Deployment Plan without installation actions, and run it in advance.
  7. Generate the Installation Candidates List (see below) to get a full list of the Security Gateways and Cluster Members connected to your Management Server. You can edit the Candidates List file, or create a filter file to make sure specified Security Gateways are not included.
  8. Run the Deployment Plan.

To generate an Installation Candidates List:

  • Security Management Server:

    # ./CentralDeploymentTool -generate -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml

  • Multi-Domain Security Management Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -generate -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -server=<IP Address or Name of Domain Management Server>

Note - The CDT generates a Candidates List filtered only according to the first package mentioned in the deployment plan.

There are two ways to limit the execution of a Deployment Plan to specified Security Gateways:

  1. Recommended - Use a filter file. You can specify a list of Security Gateways and clusters (not Cluster Members), for which to generate the Candidates List:
    1. Prepare a plain-text filter file that lists the object names of the Security Gateway and Cluster objects. The object names in the file must match the names defined in SmartDashboard or SmartConsole.
    2. When you generate the Candidates List, specify the filter file:

      • Security Management Server:

        # ./CentralDeploymentTool -generate -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File>

      • Multi-Domain Security Management Server:

        # mdsenv <IP Address or Name of Domain Management Server>
        # ./CentralDeploymentTool -generate -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File> -server=<IP Address or Name of Domain Management Server>

    3. When you run the Deployment Plan, specify the filter file as well:

      • Security Management Server:

        # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File>

      • Multi-Domain Security Management Server:

        # mdsenv <IP Address or Name of Domain Management Server>
        # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File> -server=<IP Address or Name of Domain Management Server>

  2. Use the Candidates List.
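
The filter-file procedure above passes the same filter file to both -generate and -execute. The following shell helpers are an added example, not part of CDT or of the original guide: they record the SHA-256 of the filter file when the -generate command is built and refuse to build the -execute command if the file has changed since then. The function names, the pin-file name, and a filter file with one object name per line are assumptions.

```shell
#!/bin/sh
# Added example: helper functions around the CDT commands shown above.
# Assumptions (not from the guide): function names, the
# "<candidates>.filter.sha256" pin file, and a filter file layout of
# one object name per line.

# Reject a filter file that is missing, empty, or lists a name twice.
cdt_check_filter() {
    [ -s "$1" ] || { echo "filter file missing or empty: $1" >&2; return 1; }
    dups=$(awk 'NF && seen[$0]++' "$1")
    [ -z "$dups" ] || { echo "duplicate object names: $dups" >&2; return 1; }
}

# cdt_build MODE CANDIDATES PLAN FILTER [SERVER]
# Prints the CentralDeploymentTool command line for review; does not run it.
# On a Multi-Domain Security Management Server, pass SERVER and run
# "mdsenv <server>" before running the printed command.
cdt_build() {
    mode=$1; cand=$2; plan=$3; filter=$4; server=${5:-}
    case $mode in
        generate|execute) ;;
        *) echo "mode must be generate or execute" >&2; return 2 ;;
    esac
    cdt_check_filter "$filter" || return 1

    pin="$cand.filter.sha256"
    sum=$(sha256sum < "$filter" | cut -d' ' -f1)
    if [ "$mode" = generate ]; then
        # Record which filter contents produced this Candidates List.
        printf '%s\n' "$sum" > "$pin"
    elif [ ! -f "$pin" ] || [ "$(cat "$pin")" != "$sum" ]; then
        # Scope changed (or was never pinned): regenerate and review first.
        echo "filter file differs from the one used for -generate" >&2
        return 3
    fi

    cmd="./CentralDeploymentTool -$mode -candidates=$cand"
    cmd="$cmd -deploymentplan=$plan -filter=$filter"
    [ -z "$server" ] || cmd="$cmd -server=$server"
    printf '%s\n' "$cmd"
}
```
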

Execution:

  1. To run a Deployment Plan on Security Gateways in the Candidates List, run:

    • Security Management Server:

      # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml

    • Multi-Domain Security Management Server:

      # mdsenv <IP Address or Name of Domain Management Server>
      # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -server=<IP Address or Name of Domain Management Server>

  2. Installation starts.

    The CDT shows the installation progress on the screen.

    CDT writes the progress details at 5-second intervals to these files in the directory of the CentralDeploymentTool binary file:

    • CDT_status.txt - Full description of the last completed stage and current stage of all Security Gateways and Cluster Members.
    • CDT_status_brief.txt - Brief description (current stage only) of all Security Gateways and Cluster Members currently in execution. Useful if your screen area is limited.

    We recommend that you run the watch command to read the file continuously.

    Example:
    # watch -d cat CDT_status.txt

  3. All failures in the installation cause an error.
    • If this error is not blocking, the installation continues, and the CDT logs and status file show a successful installation.

      Note - The error is not blocking if you defined the action in the deployment plan with the parameter "iscritical=false".

    • If this error is blocking, the Security Gateway upgrade does not continue. The CDT sends an error report to the configured email address.

      Note - The error is blocking if you defined the action in the deployment plan with the parameter "iscritical=true".

Retry:

If the installation failed on some of the Security Gateways, but continues on the remaining Security Gateways:

  1. Manually resolve the issue on the failed Security Gateways.
  2. Run a different instance of the CDT in Retry Mode for the failed Security Gateways.

CDT tries to continue execution on failed Security Gateways and Cluster Members, starting from the last failed stage. Retry is possible only while the CDT is running. To perform a retry:

  1. Open a new SSH connection to the Management Server.
  2. Run:

    • Security Management Server:

      # ./CentralDeploymentTool -retry

    • Multi-Domain Security Management Server:

      # mdsenv <IP Address or Name of Domain Management Server>
      # ./CentralDeploymentTool -retry -server=<IP Address or Name of Domain Management Server>

  3. The CDT detects that another CDT instance is running and notifies that instance to retry the same operation on all the failed Security Gateways.