Automatic Hotfix Deployment

Automatic Hotfix Deployment for CloudGuard autoscaling solutions automatically deploys a preconfigured CPUSE Hotfix or Jumbo Hotfix Accumulator (JHF) when an instance scales out.

This feature allows you to do all the necessary configuration on the Management or Multi-Domain Management Server. You do not have to access each Security Gateway instance manually.

Prerequisites:

  • CME is installed on the Management or Multi-Domain Management Server.

  • Autoprovision is enabled and configured for the autoscaling solution for which Automatic Hotfix Deployment is required.

  • CDT (Central Deployment Tool), version 1.7 or higher installed on the Security Management or Multi-Domain Security Management Server.

  • CPUSE is updated to the latest version on the Management or Multi-Domain Management Server.

  • The CPUSE package to be installed on new scaled out instances is available on the Management or Multi-Domain Management Server.

Configuring the Automatic Hotfix Deployment

  1. Download CDT v1.7 or higher from sk111158.

  2. Install the Central Deployment Tool.

To update the CPUSE agent, you can either perform a self-update (which is the simplest method), or manually upgrade, see sk92449 - section 3-A "Download the latest build of the CPUSE Agent".

Step

Description

1

Configure the template.

2

Connect to the command line on the Security Management Server.

3

Transfer the downloaded Hotfix or Jumbo Hotfix Accumulator package to a directory in the Security Management Server.

This Hotfix package is configured to be deployed automatically on scaled-out instances.

4

Log in to the Expert mode..

5

Launch the CME menu:

cme_menu

6

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic HotfixDeployment.

7

Enable the Automatic HotfixDeployment feature:

  1. Select Enable and Configure Automatic HotfixDeployment.

  2. Enter the requested parameters (see the parameter table below for details).

8

Repeat Step 6, as needed, for each template.

9

Confirm the configuration, and then restart the CME service, run:

CME service has to be restarted to apply configurations. Restart now?
1 - Yes

Note - To restart the service manually, run:

service cme restart

Parameter

Description

Possible Values

configuration-template-name

Name of the configuration template with the relevant autoscaling solution.

Note - If CME was not configured as described, then this feature cannot be enabled.

Template number as displayed on-screen

package-path

The package's absolute path to be deployed on the scale-out instances. The package must be located on the Management Server.

"/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T169_FULL.tgz"

is-mandatory

In case of package deployment failure, whether the deployment is a mandatory condition, in order to allow the scale-out instance to continue the setup configuration.

Note - If the package deployment fails and you select "Yes", then the instance tries to deploy the package again. This may cause the other instances to not start the CME.

1 - Yes

2 - No

package-source

Package delivery method to the scale set instance.

  • Local - The Management Server sends the package to the scaled-out instances.

  • Cloud - The scale set instance downloads the package from the Check Point Cloud.

Note - A package with the same filename must be available in the Check Point Cloud.

1 - Cloud

2 - Local

Disabling Automatic Hotfix Deployment

You can disable Automatic Hotfix Deployment for scale out instances you plan to connect in the future.

Step

Description

1

Connect to the command line on the Security Management Server.

2

Log in to the Expert mode.

3

Launch the CME menu:

cme_menu

4

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic HotfixDeployment.

5

Select Disable Automatic HotfixDeployment

6

Select the template on which you want to disable the feature.

7

Confirm the operation:

CME service has to be restarted to apply configurations. Restart now?
1 - Yes

Note - To restart the service manually, run:

service cme restart

Viewing Configuration Parameters

Step

Description

1

Connect to the command line on the Security Management Server.

2

Log in to the Expert mode.

3

Launch the CME menu:

cme_menu

4

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic HotfixDeployment.

5

Select Display HotfixDeployment status.

6

Select the template to be used to show the configuration parameters.

Viewing Package Deployment Status

Step

Description

1

Connect to the command line on the Security Management Server.

2

Log in to the Expert mode.

3

Launch the CME menu:

cme_menu

4

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic HotfixDeployment.

5

Select Display Automatic HotfixDeployment Configurations.

6

Select the template to be used to show the configuration parameters.

Parameter

Description

Possible Values

Instance Name

The name of instance

Azure-Production--exampleVMSS_11--EXAMPLE-VMSS

IP Address

The IP address of the specific instance

"192.168.0.4"

Status

The Hotfix package installation status for the specific instance:

  • Installed - The package successfully installed.

  • Not Installed - The package was not installed.

  • Not Applicable - The package is not compatible with the instance.

  • Error - There was an error retrieving the status of the instance.

Installed

Not Installed

Not Applicable

Error

Limitations

  • The package is only installed on new instances.

    To install the package on all existing instances, do these steps:

    1. Remove instances that do not contain the package.

    2. Scale out new instances.

    3. Wait for the provisioning to finish.

  • Supported cloud platforms: Azure, AWS, GCP.

  • Central Deployment Tool:

    • Because Automatic Hotfix Deployment relies on CDT, see CDT Limitations in sk111158.

    • CDT version 1.9 is not compatible with Auto-HF in CME.

    • When another CDT operation is in progress, you cannot use the Display Hotfix deployment status option.

      If you do, it shows an error message.

      The solution is to wait until the CDT operation is finished, and then try the Display Hotfix deployment status again.

  • When scaling out several instances, the package is not installed in parallel.

  • Enabling Automatic Hotfix Deployment significantly increase the time until a scaled-out instance finishes provisioning.

    This is due to the time it takes for a Hotfix or Jumbo Hotfix Accumulator to be installed.

  • Only Hotfixes and Jumbo Hotfixes are supported.

    Minor and Major upgrades are not supported.

  • Automatic HF deployment does not support name-prefix.