Deployment Plan

In the CDT Advanced Mode (see Advanced Mode), you can define a sequence of actions for remote Security Gateways.

Structure of the XML file for a Deployment Plan:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
  <name value="YOUR NAME" />
  <description value="YOUR DESCRIPTION" />
  <update_cpuse value="true" />
  <connectivityupgrade value="true" />
  </plan_settings>

  <!-- YOUR COMMENT FOR THIS ACTION -->
  <ACTION ATTRIBUTE="VALUE" />

  <!-- YOUR COMMENT FOR THIS ACTION -->
  <ACTION ATTRIBUTE="VALUE" />

  ....

 </CDT_Deployment_Plan>

Plan Settings

The <plan_settings> section in a Deployment Plan file contains:

Attribute

Default value

Description

name

None

Holds the name of the Deployment Plan.

description

None

Holds the description of the Deployment Plan.

update_cpuse

true

Defines whether to update the CPUSE Agent on a remote Security Gateway before CDT does other actions.

connectivityupgrade

true

Defines whether to run a Connectivity Upgrade when you upgrade a cluster.

Supported Actions

You can define actions in a Deployment Plan file.

Table: Supported actions

Supported Action

Description and Attributes

create_snapshot

Creates a Gaia snapshot.

Attributes:

  • name - The name of the snapshot to create.

  • description - The description of the snapshot.

download_from_cloud

Downloads a package from the Check Point Cloud with CPUSE.

Attributes:

  • path - Path to the package file on the Management Server (you must provide the package on the Management Server, even if the Security Gateways download it directly from the Check Point Cloud).

execute_command

Runs a command on the Security Gateway in Bash shell (Expert mode).

Note - Do not use special characters in your command (">", "|", "*", or other Bash-specific characters).

Attributes:

  • command - The command you run.

execute_script

Runs a user shell script on the Security Gateway.

Notes:

  • All user scripts defined for the CDT to run, must contain full paths for each instance of a file.

  • Reboot is not allowed in the user script. The script must exit with a return code. To reboot the Security Gateway, use exit code 222.

Attributes:

  • path - The full local path on the remote Security Gateway to the user script file you run.

  • execute_always - Optional. If the value is set to "true", always runs the specified script. The default value is "false".

    Example:

    <execute_script path="/home/admin/GetInformation.sh" iscritical="false" execute_always="true"/>

import_package

Sends a package to the remote Security Gateway (to the /var/log/upload/ directory) and imports it with CPUSE. If the package was already sent with the send_package, this only imports it on the remote Security Gateway.

Required before you install the package.

Attributes:

  • path - The full path on the Management Server to the package file you send.

install_package

Installs a package with CPUSE and validates that security policy is installed.

When you upgrade one Security Gateway, runs the Prepare New Policy stage before the package installation to make sure there is an updated policy for the Security Gateway to fetch.

When you install a Hotfix in a cluster, runs the Cluster Validation stage after policy validation.

Attributes:

  • path - The full path on the Management Server to the package file you install.

log

Generates a log message.

Attributes:

  • level - The logging level of this message (DEBUG, NORMAL, ERROR, ALWAYS).

  • value - The message text.

pull_file

Downloads a file from the remote Security Gateway to the Management Server.

The file is saved with a prefix of the Security Gateway's object name (for example, cluster01a_myfile.txt).

Attributes:

  • remote_path - The full remote path and filename you download on the remote Security Gateway. Use a full path with a file name, not only a directory.

  • local_dir - The full path on the Management Server to the directory, where you save the downloaded file.

Limitations:

  • The size of the file must be less than 1 GB.

push_file

Uploads a file from the Management Server to the remote Security Gateway.

Attributes:

  • local_path - The full local path and filename on the Management Server to the file you upload.

  • remote_path - The full remote path and filename on the remote Security Gateway, where you upload the file.

reboot

Reboots the remote Security Gateway.

Attributes:

  • None.

send_email

Sends an email message.

Attributes:

  • to - The email recipient.

  • subject - The email subject.

  • body - The email body.

send_package

Sends a package to the remote Security Gateway (to the /var/log/upload/ directory) and does not import it with CPUSE.

Required before you install the package.

Attributes:

  • path - The full path on the Management Server to the package file you send.

uninstall_cpuse_package

Uninstalls a package with CPUSE.

Attributes:

  • filename - The file name (not the full path) of the package file you uninstall.

uninstall_legacy_package

Uninstalls a legacy package (a package that was installed with the Legacy Installation method in Expert mode CLI).

Attributes:

  • filename - The Hotfix name you uninstall.

verify_package

Examines an imported package with CPUSE if it is possible to install it on the remote Security Gateway.

You must import the package on the remote Security Gateway.

Attributes:

  • path - The full path on the Management Server to the package file you examine.

Example Deployment Plan Files

This section provides example Deployment Plan files.

This example Deployment Plan does these actions on all applicable Security Gateways:

  1. Backs up the file /opt/productname/conf.txt on the remote Security Gateway to the /opt/CPcdt/ConfigurationBackupFiles/ directory on the Management Server.

  2. Sends a file /opt/CPcdt/conf.txt from the Management Server to the remote Security Gateway as the /opt/productname/conf.txt file.

Example XML file for this Deployment Plan:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
  <name value="Change configuration file" >
  <description value="Example Deployment Plan - replace a file" />
  <update_cpuse value="true" />
  </plan_settings>

  <!-- Backup the configuration file -->
  <pull_file remote_path="/opt/productname/conf.txt" local_dir="/opt/CPcdt/ConfigurationBackupFiles/" />

  <!-- Push the new configuration file -->
  <push_file local_path="/opt/CPcdt/conf.txt" remote_path="/opt/productname/conf.txt" />
 <CDT_Deployment_Plan>

This example Deployment Plan does these actions on all applicable Security Gateways:

  1. Runs the script getInformation.sh, found on the Management Server in the /home/admin/ directory.

    This script:

    1. Collects the desired information on the remote Security Gateway (such as the installed policy, the installed license, and so on)

    2. Saves its log to the /home/admin/log.txt file on the remote Security Gateway

    Example script:

    #!/bin/bash
LOG_FILE="/home/admin/log.txt"
cpstat -f policy >> $LOG_FILE
cplic print -x >> $LOG_FILE
exit 0

  2. Pulls the file /home/admin/log.txt from the remote Security Gateway and saves it in the /opt/CPcdt/information/ directory on the Management Server.

Example XML file for this Deployment Plan:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
  <name value="Get information from the " />
  <description value="Example Deployment Plan - run a script to get information" />
  <update_cpuse value="true" />
  </plan_settings>
  
  <!-- The script 'getInformation.sh' redirects its output to the '/home/admin/log.txt' -->
  <execute_script path="/home/admin/getInformation.sh" />
  <pull_file remote_path="/home/admin/log.txt" local_dir="/opt/CPcdt/information/" />
 </CDT_Deployment_Plan>

This example Deployment Plan does these actions on all applicable Security Gateways:

  1. Takes the Gaia snapshot on the remote Security Gateway.

  2. Downloads the CPUSE package of the R80.10 Jumbo Hotfix Accumulator from the Check Point Cloud on the remote Security Gateway.

    The package download action on the remote Security Gateway is not marked as critical.

  3. If the package download on the remote Security Gateway fails, the CDT sends the package from the Management Server to the remote Security Gateway and imports it with CPUSE.

    If the package download on the remote Security Gateway succeeds, the CDT does not send the package from the Management Server to the remote Security Gateway.

  4. Installs the package on the remote Security Gateway.

Example XML file for this Deployment Plan:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
  <name value="Example Deployment Plan - take snapshot and install a package" />
  <description value="Create snapshot and then install HF on the remote machines" />
  <update_cpuse value="true" />
  </plan_settings>

  <!-- Create a snapshot on remote machine -->
  <create_snapshot name="backup" description=" backup snapshot before Jumbo installation" />

  <!-- Install Jumbo for - XXX
  If the download from the CP Cloud fails, use the CDT import and install actions -->

  <!-- (1) Download this package (not critical) -->
  <download_from_cloud path="/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T97_FULL.tgz" iscritical="false" />

  <!-- (2) If download from CP Cloud failed, use the CDT import and install actions -->
  <import_package path="/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T97_FULL.tgz" />
  <install_package path="/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T97_FULL.tgz" />
 </CDT_Deployment_Plan>

This example Deployment Plan does these actions on all applicable Security Gateways:

  1. Sends the package from the Management Server (from /home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T97_FULL.tgz) to the remote Security Gateway and imports it with CPUSE.
  2. Verifies the package with CPUSE on the remote Security Gateway to make sure it can be installed.

Example XML file for this Deployment Plan:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
  <name value="Example Deployment Plan - update, send, import, and verify the package" />
  <description value="Update , import and verify the package on the remote machines" />
  <update_cpuse value="true" />
  </plan_settings>
  
  <!-- Use the CDT import and verify actions -->
  <import_package path="/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T97_FULL.tgz" />
  <verify_package path="/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T97_FULL.tgz" />
 </CDT_Deployment_Plan>

This example Deployment Plan does these actions on all applicable Security Gateways:

  1. Runs the script preScript.sh, found on the Security Management Server or Multi-Domain Security Management Server in the /home/admin/cdt/ directory. This script is not marked as critical.

  2. Uninstalls the CPUSE package of the R75.46 Jumbo Hotfix Accumulator.

  3. Imports and installs the CPUSE package for the R77.30 Major Upgrade (from /home/admin/R77.30_Install_and_Upgrade.tgz).

    On clusters, the Connectivity Upgrade is deactivated, because the value of the attribute "ConnectivityUpgrade" is "false".

  4. Adds a log entry and sends an email message noting that the installation completed.

  5. Imports and installs the package for the R77.30 Hotfix2 (from /home/admin/R77.30_HF2.tgz).

  6. Pulls the file /home/admin/file_to_pull.txt from the Security Gateways and saves it in the /home/admin/ directory on the Security Management Server or Multi-Domain Security Management Server.

Example XML file for this Deployment Plan:

<?xml version="1.0" encoding="UTF-8"?>
 <CDT_Deployment_Plan>
  <plan_settings>
  <name value="Example Deployment Plan" />
  <description value="Example Deployment Plan - Run a script, uninstall a hotfix, upgrade, install a hotfix, log and send email, pull a file" />
  <update_cpuse value="true" />
  <connectivityupgrade value="false" />
  </plan_settings>

  <!-- Path to the script -->
  <execute_script path="/home/admin/cdt/preScript.sh" iscritical="false" />

  <!-- Use the CDT uninstall actions -->
  <uninstall_cpuse_package filename="R75.46_JUMBO_HF.tgz" />

  <!-- Use the CDT import and install actions to upgrade -->
  <import_package path="/home/admin/R77.30_Install_and_Upgrade.tgz" />
  <install_package path="/home/admin/R77.30_Install_and_Upgrade.tgz" />

  <!-- Create a log -->
  <log level="NORMAL" value="Completed the installation of major upgrade." />

  <!-- Send an email -->
  <send_email to="cdt.admin@checkpoint.com" subject="Major upgrade completed" body="Completed the installation of  major upgrade, preparing to install R77.30 HF2." />

  <!-- Use the CDT import and install actions -->
  <import_package path="/home/admin/R77.30_HF2.tgz" />
  <install_package path="/home/admin/R77.30_HF2.tgz" />

  <!-- Path to file that needs to be pulled -->
  <pull_file remote_path="/home/admin/file_to_pull.txt" local_dir="/home/admin/" />
 </CDT_Deployment_Plan>