Basic Mode

CDT Basic Mode lets you:

  • Install one Hotfix or upgrade, and run user Pre-Installation scripts and/or user Post-Installation scripts.

  • Run the CDT in the preparations and extended preparations modes.

Workflow

Step

Description

1

Connect to the command line on your Management Server you use for package distribution.

2

Log in to the Expert mode.

3

Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole.

4

Install the CDT RPM package (if it is not already installed on your system) from sk111158.

5

Edit the CentralDeploymentTool.xml file to change the settings (see Elements of the CDT Primary Configuration File):

  • Add the PackageToInstall element: You must specify the absolute path (with the file name) to the CPUSE Offline package you wish to deploy.

    For cluster upgrades, you can add an optional attribute in order to prevent Connectivity Upgrade.

  • Configure the <CPUSE> element to specify the absolute path to the CPUSE RPM package.

  • Optional: Add the PreInstallationScript and PostInstallationScript elements to run the Pre-Installation and Post-Installation user scripts.

6

Generate the Installation Candidates List (see below) to get a full list of the Security Gateways and Cluster Members connected to your Management Server.

Note - You can edit the Candidates List file to make sure the specified Security Gateways are not included (see The Candidates List).

7

Optional: Run preparations or extended preparations before the installation itself, to save deployment time during maintenance windows. The CDT runs all the defined Pre-Installation scripts.

8

Install the selected package and run all Pre-Installation and Post-Installation scripts.

Note: If you use preparations, or extended preparations method, the CDT does not run the Pre-Installation scripts again.

Generating an Installation Candidates List

To generate an Installation Candidates List (see The Candidates List), run:

Management Server

Instructions

Security Management Server

# ./CentralDeploymentTool –generate <Name of Candidates List file>.csv

Multi-Domain Server

# mdsenv <IP Address or Name of Domain Management Server>

# ./CentralDeploymentTool -generate <Name of Candidates List file>.csv <IP Address or Name of Domain Management Server>

Preparations (Pre-Installations)

If you have a tight maintenance window, use the preparations mode to save deployment time and prepare in advance.

In this scenario, the CDT does these actions:

  1. Sends the installation package to the Security Gateways (to the /var/log/upload/ directory).

  2. Sends the CPUSE Agent package to the Security Gateways (to the /var/log/upload/ directory).

  3. Runs the user Pre-Installation scripts.

  4. Does not update the CPUSE Agent package.

  5. Does not start the actual package installation.

To use simple preparations on all marked candidates in the Candidates List file (see The Candidates List), run:

Management Server

Instructions

Security Management Server

# ./CentralDeploymentTool -preparations <Name of Candidates List file>.csv

Multi-Domain Server

# mdsenv <IP Address or Name of Domain Management Server>

# ./CentralDeploymentTool -preparations <Name of Candidates List file>.csv <IP Address or Name of Domain Management Server>

Extended Preparations (Extended Pre-Installations)

You can extend the preparations flow. In this scenario, the CDT does these actions:

  1. Sends the installation package to the Security Gateways (to the /var/log/upload/ directory).

  2. Sends the CPUSE Agent package to the Security Gateways (to the /var/log/upload/ directory).

  3. Runs the user Pre-Installation scripts on the Security Gateways.

  4. Updates the CPUSE Agent on the Security Gateways.

    Note - Update of the CPUSE Agent might cause short connectivity loss in some rare cases.

  5. Imports and verifies the installation package with CPUSE.

  6. Does not start the actual package installation.

To use extended preparations on all marked candidates in the Candidates List file (see The Candidates List), run:

Management Server

Instructions

Security Management Server

# ./CentralDeploymentTool -extended_preparations <Name of Candidates List file>.csv

Multi-Domain Server

# mdsenv <IP Address or Name of Domain Management Server>

# ./CentralDeploymentTool -extended_preparations <Name of Candidates List file>.csv <IP Address or Name of Domain Management Server>

Installation

  1. To start a full installation on all marked candidates in the Candidates List file (see The Candidates List), run:

    Management Server

    Instructions

    Security Management Server

    # ./CentralDeploymentTool -install <Name of Candidates List file>.csv

    Multi-Domain Server

    # mdsenv <IP Address or Name of Domain Management Server>

    # ./CentralDeploymentTool -install <Name of Candidates List file>.csv <IP Address or Name of Domain Management Server>

  2. The installation starts.

    The CDT shows the installation progress on the screen.

    CDT writes the progress details at 5 seconds intervals to these files in the directory of the CentralDeploymentTool binary file:

    File

    Description

    CDT_status.txt

    Full description of the last completed stage and current stage of all Security Gateways and Cluster Members statuses.

    CDT_status_brief.txt

    Brief description (current stage only) of all Security Gateways and Cluster Members statuses currently in execution. Useful if your screen area is limited.

    We recommend to run the watch command to read the file continuously.

    Example:
    # watch -d cat CDT_status.txt

  3. All failures in the installation cause an error.

    • If this error is blocking, the Security Gateway or Cluster upgrade does not continue. The CDT sends an error report to the configured email address.

      Note - The error is blocking, if the package fails to install, or if you defined an installation script as blocking with the parameter "IsBlocking" (see Elements of the CDT Primary Configuration File).

    • If this error is not blocking, the installation continues, and the CDT logs and status file show a successful installation.

Retry Operation

If the installation failed on some of the Security Gateways, but continues on the remaining Security Gateways:

  1. Manually resolve the issue on the failed Security Gateways.

  2. Run one more instance of the CDT in Retry Mode for the failed Security Gateways.

CDT tries to continue execution on failed Security Gateways and Cluster Members, starting from the last failed stage. Retry is only possible when the CDT runs.

  1. Open a new SSH connection to the Management Server.

  2. Log in to the Expert mode.

  3. Run:

    Management Server

    Instructions

    Security Management Server

    # ./CentralDeploymentTool -retry

    Multi-Domain Server

    # mdsenv <IP Address or Name of Domain Management Server>

    # ./CentralDeploymentTool -retry <IP Address or Name of Domain Management Server>

  4. CDT detects that a different instance of the CDT runs and notifies that CDT instance to retry the same operation on all the failed Security Gateways.

 

 
21 November 2019
© 2019 Check Point Software Technologies Ltd.

Central Deployment Tool (CDT) v1.7 Administration Guide