Automatic Hotfix Deployment

Automatic Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Deployment for CloudGuard autoscaling solutions automatically deploys a preconfigured CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. Hotfix or Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. (JHF) when an instance scales out.

This feature allows you to do all the necessary configuration on the Management or Multi-Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.. You do not have to access each Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. instance manually.

Prerequisites:

CME is installed on the Management or Multi-Domain Management Server.
Autoprovision is enabled and configured for the autoscaling solution for which Automatic Hotfix Deployment is required.
CDT (Central Deployment Tool), version 1.7 or higher installed on the Security Management or Multi-Domain Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..
CPUSE is updated to the latest version on the Management or Multi-Domain Management Server.
The CPUSE package to be installed on new scaled out instances is available on the Management or Multi-Domain Management Server.

Configuring the Automatic Hotfix Deployment

Step 3 - Enabling and Configuring Automatic Hotfix Deployment

Step

Description

Configure the template.

Connect to the command line on the Security Management Server.

Transfer the downloaded Hotfix or Jumbo Hotfix Accumulator package to a directory in the Security Management Server.

This Hotfix package is configured to be deployed automatically on scaled-out instances.

Launch the CME menu:

cme_menu

Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.
Select Automatic HotfixDeployment.

Enable the Automatic HotfixDeployment feature:

Select Enable and Configure Automatic HotfixDeployment.
Enter the requested parameters (see the parameter table below for details).

Repeat Step 6, as needed, for each template.

Confirm the configuration, and then restart the CME service, run:

CME service has to be restarted to apply configurations. Restart now? 1 - Yes

Note - To restart the service manually, run:

service cme restart

Parameters

Parameter

Description

Possible Values

configuration-template-name

Name of the configuration template with the relevant autoscaling solution.

Note - If CME was not configured as described, then this feature cannot be enabled.

Template number as displayed on-screen

package-path

The package's absolute path to be deployed on the scale-out instances. The package must be located on the Management Server.

"/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T169_FULL.tgz"

is-mandatory

In case of package deployment failure, whether the deployment is a mandatory condition, in order to allow the scale-out instance to continue the setup configuration.

Note - If the package deployment fails and you select "Yes", then the instance tries to deploy the package again. This may cause the other instances to not start the CME.

1 - Yes

2 - No

package-source

Package delivery method to the scale set instance.

Local - The Management Server sends the package to the scaled-out instances.
Cloud - The scale set instance downloads the package from the Check Point Cloud.

Note - A package with the same filename must be available in the Check Point Cloud.

1 - Cloud

2 - Local

Disabling Automatic Hotfix Deployment

You can disable Automatic Hotfix Deployment for scale out instances you plan to connect in the future.

Procedure

Step

Description

Connect to the command line on the Security Management Server.

Launch the CME menu:

cme_menu

Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.
Select Automatic HotfixDeployment.

Select Disable Automatic HotfixDeployment

Select the template on which you want to disable the feature.

Confirm the operation:

CME service has to be restarted to apply configurations. Restart now? 1 - Yes

Note - To restart the service manually, run:

service cme restart

Viewing Configuration Parameters

Procedure

Step

Description

Connect to the command line on the Security Management Server.

Launch the CME menu:

cme_menu

Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.
Select Automatic HotfixDeployment.

Select Display HotfixDeployment status.

Select the template to be used to show the configuration parameters.

Viewing Package Deployment Status

Procedure

Step

Description

Connect to the command line on the Security Management Server.

Launch the CME menu:

cme_menu

Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.
Select Automatic HotfixDeployment.

Select Display Automatic HotfixDeployment Configurations.

Select the template to be used to show the configuration parameters.

Output Parameters

Parameter	Description	Possible Values
`Instance Name`	The name of instance	`Azure-Production--exampleVMSS_11--EXAMPLE-VMSS`
`IP Address`	The IP address of the specific instance	`"192.168.0.4"`
`Status`	The Hotfix package installation status for the specific instance: Installed - The package successfully installed. Not Installed - The package was not installed. Not Applicable - The package is not compatible with the instance. Error - There was an error retrieving the status of the instance.	`Installed` `Not Installed` `Not Applicable` `Error`

Parameter

Description

Possible Values

Instance Name

The name of instance

Azure-Production--exampleVMSS_11--EXAMPLE-VMSS

IP Address

The IP address of the specific instance

"192.168.0.4"

Status

The Hotfix package installation status for the specific instance:

Installed - The package successfully installed.
Not Installed - The package was not installed.
Not Applicable - The package is not compatible with the instance.
Error - There was an error retrieving the status of the instance.

Installed

Not Installed

Not Applicable

Error

Limitations

The package is only installed on new instances.

To install the package on all existing instances, do these steps:
1. Remove instances that do not contain the package.
2. Scale out new instances.
3. Wait for the provisioning to finish.
Supported cloud platforms: Azure, AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., GCP Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more..
Central Deployment Tool:
- Because Automatic Hotfix Deployment relies on CDT, see CDT Limitations in sk111158.
- CDT version 1.9 is not compatible with Auto-HF in CME.
- When another CDT operation is in progress, you cannot use the Display Hotfix deployment status option.
  
  If you do, it shows an error message.
  
  The solution is to wait until the CDT operation is finished, and then try the Display Hotfix deployment status again.
When scaling out several instances, the package is not installed in parallel.
Enabling Automatic Hotfix Deployment significantly increase the time until a scaled-out instance finishes provisioning.

This is due to the time it takes for a Hotfix or Jumbo Hotfix Accumulator to be installed.
Only Hotfixes and Jumbo Hotfixes are supported.

Minor and Major upgrades are not supported.
Automatic HF deployment does not support name-prefix.