Advanced Mode
CDT Advanced Mode completes a Deployment Plan on each remote Security Gateway.
The Deployment Plan can run a number of actions one after the other. For the full list of actions, see Deployment Plan.
Workflow
| Step | Description |
|---|---|
| 1 | Connect to the command line on the Management Server that you use for package distribution. |
| 2 | Log in to the Expert mode. |
| 3 | Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole. |
| 4 | Install the CDT RPM package (if it is not already installed on your system) from sk111158. |
| 5 | Edit the Configure the <CPUSE> element to specify the absolute path to the CPUSE RPM package. Important - Make sure the elements |
| 6 | Edit the Deployment Plan XML file with the actions sequence as described in the Deployment Plan section. To save deployment time, you can create a Deployment Plan without installation actions, and run it in advance. |
| 7 | Generate the Installation Candidates List (see below) to get a full list of the Security Gateways and Cluster Members connected to your Management Server. You can edit the Candidates List file, or create a filter file to make sure the specified Security Gateways are not included. |
| 8 | Run the Deployment Plan. |
Generating an Installation Candidates List
To generate an Installation Candidates List (see The Candidates List), run:
| Management Server | Instructions |
|---|---|
| Security Management Server | |
| Multi-Domain Server | |
Note - The CDT generates a Candidates List filtered only according to the first package mentioned in the Deployment Plan.
Execution of a Deployment Plan
- To run a Deployment Plan on Security Gateways in the Candidates List file (see The Candidates List), run:

  | Management Server | Instructions |
  |---|---|
  | Security Management Server | # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml |
  | Multi-Domain Server | # mdsenv <IP Address or Name of Domain Management Server> |
  | | # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -server=<IP Address or Name of Domain Management Server> |
- Installation starts.

  The CDT shows the installation progress on the screen.

  The CDT writes the progress details at 5-second intervals to these files in the $CDTDIR directory:

  - On a Security Management Server:

    | File | Description |
    |---|---|
    | CDT_status.txt | Full description of the last completed stage and the current stage of all Security Gateways and Cluster Members. |
    | CDT_status_brief.txt | Brief description (current stage only) of all Security Gateways and Cluster Members currently in execution. Useful if your screen area is small. |

  - On a Multi-Domain Server:

    | File | Description |
    |---|---|
    | CDT_status_<Name of Domain Management Server>.txt | Full description of the last completed stage and the current stage of all Security Gateways and Cluster Members. |
    | CDT_status_brief_<Name of Domain Management Server>.txt | Brief description (current stage only) of all Security Gateways and Cluster Members currently in execution. Useful if your screen area is small. |

  We recommend that you run the watch command to read the file continuously. Example:

  # watch -d cat CDT_status.txt
- All failures in the installation cause an error.

  - If this error is not blocking, the installation continues, and the CDT logs and status file show a successful installation.

    Note - The error is not blocking if you defined the action in the Deployment Plan with the parameter "iscritical=false".

  - If this error is blocking, the Security Gateway upgrade does not continue. The CDT sends an error report to the configured email address.

    Note - The error is blocking if you defined the action in the Deployment Plan with the parameter "iscritical=true".
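Because a failure in an action defined with "iscritical=false" still ends with the CDT logs and status file showing a successful installation, it is worth listing those actions before you run the plan. The script below is an added example, not part of the CDT or of the original documentation; only the iscritical parameter comes from the text above, and the element names and paths in the sample plan are hypothetical.

```shell
# Added example, not Check Point code. Only the iscritical parameter comes from
# the text above; the element names in the sample plan are hypothetical.

# Print "VALUE<TAB>TAG" for each element with an explicit iscritical parameter.
# XML comments are skipped and a tag may span several lines.
plan_iscritical_report() {
    awk '
    { buf = buf $0 " " }
    END {
        while ((s = index(buf, "<!--")) > 0) {          # drop <!-- ... -->
            rest = substr(buf, s + 4)
            e = index(rest, "-->")
            buf = substr(buf, 1, s - 1) (e ? substr(rest, e + 3) : "")
        }
        while (match(buf, /<[^<>]+>/)) {                # walk tag by tag
            tag = substr(buf, RSTART, RLENGTH)
            buf = substr(buf, RSTART + RLENGTH)
            low = tolower(tag)
            if (match(low, /[ \t]iscritical[ \t]*=[ \t]*["\047][^"\047]*["\047]/)) {
                val = substr(low, RSTART, RLENGTH)
                sub(/^[^"\047]*["\047]/, "", val)       # strip up to opening quote
                sub(/["\047]$/, "", val)                # strip closing quote
                printf "%s\t%s\n", val, tag
            }
        }
    }' "$1"
}

# Return 0 only if every explicit value is "true"; otherwise list the rest.
plan_all_critical() {
    flagged=$(plan_iscritical_report "$1" | awk -F '\t' '$1 != "true"')
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample plan (hypothetical element names and paths).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?xml version="1.0"?>
<plan>
  <step_a path="/var/tmp/example_pkg.tgz" iscritical="true"/>
  <step_b path="/var/tmp/post_check.sh"
          iscritical="false"/>
  <!-- <step_c iscritical="false"/> -->
  <step_d iscritical='False' />
</plan>
EOF
plan_all_critical "$sample" || echo "Review these actions before -execute."
```

For every action the script lists, check its result yourself after the run, since the CDT status will not show the failure.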
Limiting the Execution of a Deployment Plan
You can use one of these ways to limit the execution of a Deployment Plan to specified Security Gateways:
- Preferred - Use a filter file. You can specify a list of Security Gateways and clusters (not Cluster Members), for which to generate the Candidates List file (see The Candidates List):

  Procedure:

  - Prepare a plain-text filter file with the object names of the Security Gateway and Cluster objects. The object names in the file must be as they are defined in SmartDashboard or SmartConsole. Each object name in the file must be on a separate line.

  - When you generate the Candidates List, specify the filter file:

    | Management Server | Instructions |
    |---|---|
    | Security Management Server | # ./CentralDeploymentTool -generate -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File> |
    | Multi-Domain Server | # mdsenv <IP Address or Name of Domain Management Server> |
    | | # ./CentralDeploymentTool -generate -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File> -server=<IP Address or Name of Domain Management Server> |

  - When you run the Deployment Plan, specify the filter file:

    | Management Server | Instructions |
    |---|---|
    | Security Management Server | # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File> |
    | Multi-Domain Server | # mdsenv <IP Address or Name of Domain Management Server> |
    | | # ./CentralDeploymentTool -execute -candidates=<Name of Candidates List file>.csv -deploymentplan=<Name of Deployment Plan file>.xml -filter=<Name of Filter File> -server=<IP Address or Name of Domain Management Server> |

- Use the Candidates List (see The Candidates List).
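The filter file decides which Security Gateways a run is limited to, so it helps to check it against the format rules in the procedure above (plain text, one object name per line) before you pass it to -generate or -execute. The script below is an added example, not part of the CDT; the object names in the sample are hypothetical, and treating embedded whitespace, commas or semicolons as a sign of several names on one line is an assumption.

```shell
# Added example, not part of the CDT. It checks a filter file against the
# format rules in the procedure above: plain text, one object name per line.
# Treating embedded whitespace, "," or ";" as several names is an assumption.

# Print "LINE: problem" for each finding; exit status 1 if any were found.
filter_lint() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg; bad = 1 }
    {
        line = $0
        if (sub(/\r$/, "", line)) report("CRLF line ending")
        if (line ~ /^[ \t]*$/) { report("blank line"); next }
        if (line ~ /^[ \t]|[ \t]$/) report("leading or trailing whitespace")
        name = line
        gsub(/^[ \t]+|[ \t]+$/, "", name)       # compare names without padding
        if (name ~ /[ \t,;]/) report("more than one name on the line?")
        if (name in seen) report("duplicate of line " seen[name])
        else seen[name] = NR
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample filter file; the object names are hypothetical.
sample_filter=$(mktemp)
printf 'GW-Branch-01\nCluster-DC\n\nGW-Branch-02 \nGW-A, GW-B\nCluster-DC\r\n' \
    > "$sample_filter"
filter_lint "$sample_filter" || echo "Fix the filter file before -generate."
```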
Retry Operation
If the installation failed on some of the Security Gateways, but continues on the remaining Security Gateways:
- Manually resolve the issue on the failed Security Gateways.

- Run a different instance of the CDT in Retry Mode for the failed Security Gateways.

  The CDT tries to continue execution on failed Security Gateways and Cluster Members, starting from the last failed stage. Retry is possible only while the CDT is running.

  - Open a new SSH connection to the Management Server.

  - Run:

    | Management Server | Instructions |
    |---|---|
    | Security Management Server | # ./CentralDeploymentTool -retry |
    | Multi-Domain Server | # mdsenv <IP Address or Name of Domain Management Server> |
    | | # ./CentralDeploymentTool -retry -server=<IP Address or Name of Domain Management Server> |

- The CDT detects that another CDT instance is running and notifies that instance to retry the same operation on all the failed Security Gateways.
Resume Operation
If the installation failed on some of the Security Gateways, and later it is necessary to continue from the action that failed:
- Manually resolve the issue on the failed Security Gateways.

- Run the CDT in Resume Mode for the failed Security Gateways.

  The CDT detects on which Security Gateways the deployment failed and resumes the execution from the last failed action.

  - Open a new SSH connection to the Management Server.

  - Run:

    | Management Server | Instructions |
    |---|---|
    | Security Management Server | # ./CentralDeploymentTool -resume -deploymentplan=<Name of Deployment Plan file>.xml |
    | Multi-Domain Server | # mdsenv <IP Address or Name of Domain Management Server> |
    | | # ./CentralDeploymentTool -resume -deploymentplan=<Name of Deployment Plan file>.xml -server=<IP Address or Name of Domain Management Server> |