Check Point R81 | Central Deployment Jumbo hotfix

Hi and welcome to my channel. My name is Magnus, and today we're going to upgrade the cluster. The cluster is on R80.30 and we want to just upgrade the jumbo hotfix; we have the newest take. But in this case the management server is an R81, and R81 has a new function allowing you to upgrade from the management station itself. More or less, this is a function made from the Check Point Central Deployment Tool, and if you want to check that out, it's the sk11158. This is something that, well, it's a bit complicated to use, but if you have it, it's great: you can upgrade a lot of gateways and a lot of things at the same time, and it's fixing a lot of things for you. But in R81, Check Point has ported a lot of these functionalities to the management stations; you have a GUI where you can do it.

I don't know if you notice, but I did change the resolution here a bit so we can more or less have more screen real estate, so we can see everything that is going on. Same with the cphaprob stat, and I did a watch command so we can see what happens when it fails over and so on.

So here we have the setup. We have the Check Point GUI and we are in the Gateways & Servers tab, and we can see our cluster here, and we can see that it's recommended to update to new jumbo hotfix. We're running R81 on our management station. On the other side here we have a watch command going on the cluster members, so we can see when they fail over during the upgrade. And we can see here that we have ongoing ping to Google from the Windows machine, so we can see if we lose any ping or if we lose any traffic towards the internet when we're doing this upgrade, because this client is going through the gateway to reach internet. So hopefully this will show you if this works at all.

So how do you actually do this? Well, under Gateways & Servers you have all your management station, your log servers, your clusters, your single gateways, hopefully no single gateways, but still. Then you can do like this: if you right click on
the cluster, under the Action tab there is an Install Hotfix/Jumbo. So if you click this one, and you see I did it on the cluster. What this will do, if you have internet connectivity, it will search for the recommended jumbo. So you can have it in a repository on your management station and download this file, and it can then upload it to the gateways and do the installation process. So you see here we have selected the "install the recommended jumbo hotfix"; well, that's recommended from Check Point. If you want to put the specific one, well, then you need to specify which specific one you want to use. And package location: automatic, gateway or management. Well, let's see what it says here: if the package exists in the management server repository, it's delivered to a security gateway; otherwise the security gateway tries to download it from Check Point cloud. So this is important, because maybe your gateways don't have internet access and so on. It happens, especially when you're running VSX; then it's the VS0 that does this sort of stuff.

So, well, this is not VSX; this is a normal HA cluster using two boxes, so active/standby. But we want to use "install the recommended hotfix". Let's size this up a bit, see if we're missing something. Well, we see a lot of... this is quite bad from Check Point, actually. So let's do this full size, and we see here installation and verify. So let's go back. So if you don't see the installation button, well, you're not the only one, I guess.

But here, let's do verify first. Verification is always good to make, and it's something that you should do, because it will pick up some things if you, well, are out of disk or you're not supported to do this upgrade. Hopefully we're supported. This is actually the first time I tried, so this is new for me as well. I have seen it in a presentation, but it's always fun to test it yourself, and that's why we're having this lab, so we can test stuff out before we do it in the production. So the package is valid for install. Let's
see if we press details here. Now we didn't get anything. Ah, here: installation is allowed. When it comes to jumbo hotfixes, or, well, jumbos or HFAs, they are installed, they are not upgraded, so installation here is fine. So that's perfect.

Let's see if we can go back to the same one: right click on the cluster, Action, Install Hotfix/Jumbo. You see it goes a lot faster here because it's already downloaded, and you can see here that it's the size of 695 megabytes, and you can see the description and so on, and this is take 219. So let's do like this: let's press install and see what happens. So maybe we should press details here and see what actually happens. I don't know if you get anything specifically, but let's see. So apparently it's downloading the packages; I'm guessing it's downloading from the management server, but maybe it's the cloud, I'm not sure.

And we actually lost the ping here. I think this is a VMware bug, so to say. I don't know if I'm running very high CPU, or, let's see, how much CPU am I actually using? Well, I'm using a lot. So everything of this is in the same virtual machine, so the gateways, the management server, everything is in the same. And you see here it hasn't done any failover, so I just think this is the gateway is not prioritizing the ping. Let's hope so, at least. It shouldn't have made anything here. So let's wait. Should we wait with this? I mean, if it doesn't work correctly, it's a bit pointless to have the ping going on. I think I will cancel this one.

Let's just check the active/standby. So hopefully we will see that it's doing it in order; I'm expecting it to do the standby first. Let's see. So it's starting with the gateway 2, extracting the bundle, so it's not doing both of the members at the same time, so that's a positive note. And it's also starting with the member 2, and the member 2 is currently in standby, and now it's down, and you see here it's active still on this one. So more or less it has done a cpstop. I don't know if we
can see something if we do like, I don't know, tail; can we see something here? I don't know if we can see something. It's still responding, at least. So currently we are in active, lost, so it doesn't see its partner. And do we see it here? We see ethernet, ethernet is down, meaning we haven't received any cluster control traffic, so that is to be expected. I don't know if we see anything in top. Yeah, we see gzip, so that means that it's unpacking something for the installation, probably.

I don't know if we can log in to the gateway, so let's see if we do 192 and we're going to the Gaia Portal. Do we see anything here? Is it starting CPUSE maybe? Do we crash something? So it's not listed here. No, this is gateway 1, sorry. So here we see that it's downloaded. Do we see that it has made a snapshot? No. Take gateway 2; let's see if we can see it in the Gaia itself. So this is the one that it's currently installing on, so let's see if we see the same. Yeah, we see the same here, nice.

I would actually like Check Point to include this part, which part it's actually doing, because, I mean, it doesn't show anything more. So, I mean, this is showing more because it's showing which part of the gateways is being installed. So you see here it's patching, 10 percent, so this part is showing a bit more than this tool. Does it matter? Maybe not, but it's nice to see that it's actually using CPUSE, so I'm guessing it's sending API calls, I'm not sure.

Is this something that you would use in your own environment? Maybe give it a few hotfixes before doing it in full production, but, I mean, in a lab, in a stage environment, maybe in a non-business-critical environment, I think this should be perfect. And after a few jumbo hotfixes maybe Check Point will install everything by themselves, so we are out of a job. Well, I actually don't see it like this, because there will always be guys needing to be planning, to be making documentation, to do the designs, etc., etc. So that Check Point
is making the installation easier or patching easier, it's just a bonus, because then we can focus on the real stuff. I mean, this is quite boring, to just sit and wait for patching to happen, and the more automation you can make here the better for you, and then you can focus on what you think is fun.

So we see here that it's performing backups. I don't know if you can see it here, but it's doing a lot of things. It's soon done, so I'm expecting it to reboot quite soon, actually. So it's 83 done, and when this is done I'm expecting it to fail over the traffic. And we are still on the active member, so it hasn't done any failover and so on, so you shouldn't have dropped any traffic. It shouldn't have happened anything; it's just a standby member that is doing some work. So in process is quite good. Last update time: we see then when it started, so so far 10 minutes. So let's see how long this process actually takes. So I'm guessing it's very soon done. Fixes some Mobile Access, replacing files out, update there. Yeah, this is going to be installed, going to be rebooted very soon. Yeah, now.

So let's see what happens; this is the interesting part. I don't know, should we try this one? I wouldn't trust this hundred percent. As I said, this is a virtual environment where I'm running everything on the same place, and I also record it, and it's more or less in 4K I record it. So let's see. So we're not losing anything, and it says rebooting here, waiting for the other members; that's great. So we haven't seen any failover yet. We are expecting to see a failover when this is up and running and it has synced the traffic. So let's see what happens. I guess that just came up, because we see the going to reboot or initialize. Let's see what happens more. Waiting for other members; it's now standby. I'm expecting to see the failover more or less now. More or less it should start with the gateway one. Maybe there is some timer to... yeah, here: active, down, and we see the failover, and we didn't see any
production traffic loss with ping. I mean, it's not the most scientific program, but it's still something. So if we look into this one, this is now the active one. So if we do expert, we do watch cphaprob stat, and we see that the local machine is the active one; it's down. So we can just check this as well. Validating installation on gateway one. This is interesting and actually quite good: you see the reason for state change, admin down. So it's doing a real admin down and download, we shouldn't drop anything. That's perfect.

So if we do like cpinfo -y all, we also see that it's take 219 now. I don't know why they still have SecurePlatform; this has never been SecurePlatform on this one. But we see that the jumbo hotfix is 219, so it's doing what it's supposed to do. So the failover was caused by admin down. Perfect, that's just how you should do it. I wouldn't expect anything else from Check Point when they're doing a tool like this. I'm quite impressed of this, actually. It's going really well, and it's doing exactly what I'm expecting it to do, and I like that you can actually see it in the web UI. I think that Check Point should work a bit on here to add some more information on what it's actually doing.

So far so good. Let me just check: did it do any, like, backups? So let's go back to number... I think this is case for number two, the current active one. So if we go in and check under snapshots: did it make a snapshot to be able to roll back, or do you still need to do that yourself? So Snapshot Management: no, we don't have any backups. Apparently Check Point is very confident in succeeding with this. I need to read up if this is supposed to do a backup. Maybe it only does a backup when you're doing a major upgrade, and we're actually going to test that in the next video as well. So we're going to upgrade to R80.40 on this cluster just to see how this works, and we're also going to upgrade to R81 when time comes.

So it has 15 of 24 steps, but what
are those 24 steps? I would like Check Point to specify these 24 steps so you can actually see which steps it's going through, like in an order, not just when they come.

So now it's installing on the active member, or like the old active member. So the member one is now going to reboot, and then what I'm guessing, when it comes back up it will go to standby. I'm not sure if it will fail over again. I actually don't expect it to do, if you don't have that settings. Normally I have maintain active member, because I don't want failovers when something returns; I just want one failover when you're doing an upgrade. And that means that gateway one will not always be the active member all the time. Maybe you want to have gateway one as active member all the time, because you have majority of your workloads in the data center number one, where it's closer physically to your location and so on, if you have like your cluster split on two different data centers.

And I also wonder if we get some, I don't know, some nice upgrade report when we're finished. I'm not sure, let's see. That's something that would be nice to see, if Check Point added like self-test and so on, and you get the nice report that you can send to your management, more or less fixing more of my work so I don't need to do it myself. Maybe it exists, I'm not sure. I haven't seen this before, so this is something new for me as well.

So the gateway number one is coming back. It's in init mode currently, and now it's... ah, it actually did the failover. Let's check what our settings are, because you see here it's active/standby, so gateway number one is back to active. And let's see what type of settings we actually have on this cluster, I don't remember. Just to show, you see here active and standby, and here, what did it say: member state has been changed due to higher priority on local member customer. Okay. Making sure that member is recovered, okay, nice. Cleaning up, successful, nice. Is this it? I think so, yeah. So do we have anything more if
we press here details? Successful, okay. Let's see here, if we go into gateways and clusters and we check what settings we actually have. So cluster members, this is the prior one, that's correct. Where do you actually see that? Here, yeah. So Check Point did do correct, because we have switch to higher priority cluster member. So I'm just guessing or assuming, if we would have maintain current active cluster member, it would not have done a failover. So this is something that you need to decide yourself, if you want double failovers or if you only want one. And the nice cp stats, so to say, it's showing these events and it's putting it in plain text so everyone can understand, so that's wonderful.

So that's it for this video. We have done an upgrade with the recommended jumbo hotfixes to the new 2disk cluster, and as far as I can see it worked flawlessly. So we have zero loss, and I did start this ping like after all the downloads and so on was made, because I think that my virtual machine couldn't really handle it, to download that much file same as it doing everything else. So thank you for watching. I hope you did like this video. Please consider to subscribe to the channel if you haven't already done it, and I hope to see you in the next one. Take care, bye.
Info
Channel: Magnus Holmberg
Views: 2,313
Keywords: ccsa, ccse, checkpoint, check point, cyber security, network, secuirty, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos, #compliance, r81
Id: _wBaEVH-hSc
Length: 23min 26sec (1406 seconds)
Published: Sat Nov 07 2020