Automatic Hotfix Deployment

Automatic HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Deployment for CloudGuard autoscaling solutions automatically deploys a preconfigured CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. Hotfix or Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. (JHF) when an instance scales out.

This feature allows you to do all the necessary configuration on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.. You do not have to access each Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. instance manually.

Prerequisites:

  • CME is installed on the Security Management Server or Multi-Domain Security Management Server.

  • Autoprovision is enabled and configured for the autoscaling solution for which Automatic Hotfix Deployment is required.

  • CDT (Central Deployment Tool), version 1.7 or higher installed on the Security Management Server or Multi-Domain Security Management Server.

  • CPUSE is updated to the latest version on the Security Management Server or Multi-Domain Security Management Server.

  • The CPUSE package to be installed on new scaled out instances is available on the Security Management Server or Multi-Domain Security Management Server.

Configuring the Automatic Hotfix Deployment

  1. Download CDT v1.7 or higher from sk111158.

  2. Install the Central Deployment Tool.

To update the CPUSE agent, you can either perform a self-update (which is the simplest method), or manually upgrade, see sk92449 - section 3-A "Download the latest build of the CPUSE Agent".

Step

Description

1

Configure the template.

2

Connect to the command line on the Security Management Server.

3

Transfer the downloaded Hotfix or Jumbo Hotfix Accumulator package to a directory in the Security Management Server.

This Hotfix package is configured to be deployed automatically on scaled-out instances.

4

Log in to the Expert mode..

5

Launch the CME menu:

cme_menu

6

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic Hotfix Deployment.

7

Enable the Automatic Hotfix Deployment feature:

  1. Select Enable and Configure Automatic Hotfix Deployment.

  2. Enter the requested parameters (see the parameter table below for details).

8

Repeat Step 6, as needed, for each template.

9

Confirm the configuration, and then restart the CME service, run:

CME service has to be restarted to apply configurations. Restart now?
1 - Yes

Note - To restart the service manually, run:

service cme restart

Note - The Jumbo Hotfix Accumulator is installed only after the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. installation.

Parameter

Description

Possible Values

configuration-template-name

Name of the configuration template with the relevant autoscaling solution.

Note - If CME was not configured as described, then this feature cannot be enabled.

Template number as displayed on-screen

package-path

The package's absolute path to be deployed on the scale-out instances. The package must be located on the Security Management Server.

"/home/admin/Check_Point_R80_10_JUMBO_HF_Bundle_T169_FULL.tgz"

is-mandatory

In case of package deployment failure, whether the deployment is a mandatory condition, in order to allow the scale-out instance to continue the setup configuration.

Note - If the package deployment fails and you select "Yes", then the instance tries to deploy the package again. This may cause the other instances to not start the CME.

1 - Yes

2 - No

package-source

Package delivery method to the scale set instance.

  • Local - The Security Management Server sends the package to the scaled-out instances.

  • Cloud - The scale set instance downloads the package from the Check Point Cloud.

Note - A package with the same filename must be available in the Check Point Cloud.

1 - Cloud

2 - Local

Disabling Automatic Hotfix Deployment

You can disable Automatic Hotfix Deployment for scale out instances you plan to connect in the future.

Step

Description

1

Connect to the command line on the Security Management Server.

2

Log in to the Expert mode.

3

Launch the CME menu:

cme_menu

4

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic Hotfix Deployment.

5

Select Disable Automatic Hotfix Deployment

6

Select the template on which you want to disable the feature.

7

Confirm the operation:

CME service has to be restarted to apply configurations. Restart now?
1 - Yes

Note - To restart the service manually, run:

service cme restart

Viewing Configuration Parameters

Step

Description

1

Connect to the command line on the Security Management Server.

2

Log in to the Expert mode.

3

Launch the CME menu:

cme_menu

4

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic Hotfix Deployment.

5

Select Display Hotfix Deployment status.

6

Select the template to be used to show the configuration parameters.

Viewing Package Deployment Status

Step

Description

1

Connect to the command line on the Security Management Server.

2

Log in to the Expert mode.

3

Launch the CME menu:

cme_menu

4

  1. Select the cloud platform where the relevant autoscaling solution is deployed in the CME menu main page.

  2. Select Automatic Hotfix Deployment.

5

Select Display Automatic Hotfix Deployment Configurations.

6

Select the template to be used to show the configuration parameters.

Parameter

Description

Possible Values

Instance Name

The name of instance

Azure-Production--exampleVMSS_11--EXAMPLE-VMSS

IP Address

The IP address of the specific instance

"192.168.0.4"

Status

The Hotfix package installation status for the specific instance:

  • Installed - The package successfully installed.

  • Not Installed - The package was not installed.

  • Not Applicable - The package is not compatible with the instance.

  • Error - There was an error retrieving the status of the instance.

Installed

Not Installed

Not Applicable

Error

Limitations

  • The package is only installed on new instances.

    To install the package on all existing instances, do these steps:

    1. Remove instances that do not contain the package.

    2. Scale out new instances.

    3. Wait for the provisioning to finish.

  • Supported cloud platforms: Azure, AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., GCPClosed Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more..

  • Central Deployment Tool:

    • Because Automatic Hotfix Deployment relies on CDT, see CDT Limitations in sk111158.

    • CDT version 1.9 is not compatible with Automatic Hotfix Deployment in CME.

    • When another CDT operation is in progress, you cannot use the Display Hotfix deployment status option.

      If you do, it shows an error message.

      The solution is to wait until the CDT operation is finished, and then try the Display Hotfix deployment status again.

  • When scaling out several instances, the package is not installed in parallel.

  • Enabling Automatic Hotfix Deployment significantly increase the time until a scaled-out instance finishes provisioning.

    This is due to the time it takes for a Hotfix or Jumbo Hotfix Accumulator to be installed.

  • Only Hotfixes and Jumbo Hotfix Accumulators are supported.

    Minor and Major upgrades are not supported.

  • Automatic Hotfix Deployment does not support name-prefix.

  • The Jumbo Hotfix Accumulator is installed only after the Security Policy installation.