Upgrade & Hotfix a Cluster With Check Point's Central Deployment Tool

Written by David Barker | November 27, 2020

The Check Point Central Deployment Tool (CDT) is a utility that builds on the subject of my last article, which was about the Check Point Remote Installation Daemon (CPRID). Currently at version 1.9, this utility allows you to upgrade remote gateways from a central repository. The tool is intelligent enough to upgrade cluster members one at a time and perform a stateful failover—all without introducing downtime into the upgrade process.

The following document details how to upgrade a Check Point HA cluster from R80.10 to R80.40 jumbo hotfix 83. However, this procedure can easily be modified to do a different version and hotfix combo based on your unique needs.

What is Check Point Software?

Compuquip Cybersecurity partners with many different security technology providers in order to provide the best solutions that meet client’s as thoroughly as possible. One of our key partners for providing software-based security solutions is Check Point Software Technologies LTD.

Check Point is a dedicated provider of cybersecurity software solutions, working to study attack trends and preemptively identify zero-day vulnerabilities and fix them before they can become major security liabilities.

Workflow of Upgrading a Check Point HA Cluster

CDT validates that the states of the Cluster Members are valid (Active and Standby).
CDT prepares Access Control Policy for the Cluster:

Changes the version in the Cluster object.
Changes the applicable configuration settings and Access Control Policy.

CDT executes the Deployment Plan on the Standby Cluster Members:

Run Pre-Script(s).
Update the CPUSE version.
Push the CPUSE package(s) to the Cluster Members.
Import the CPUSE package(s) on the Cluster Members.
Install the CPUSE package(s) on the Cluster Members.
Validate the Access Control Policy is installed on the Cluster Members.
Run Post-Script(s).

Full Connectivity Upgrade flow:

Validate the upgraded Cluster Member is in the Standby or Ready state.
Perform cluster failover to one of the upgraded Cluster Members.

CDT executes the Deployment Plan on the former Active Cluster Member.
CDT validates that the states of the Cluster Members are valid (Active and Standby).

Upgrading a Check Point HA Cluster: The Installation Process

Step #1. Download the tgz file from Check Point’s website.

Step #2. Transfer the file to your management server.

Step #3. Extract the tgz file:

[Expert@cp-mgmt:0]# tar xvfz ../CentralDeploymentTool_V.1.9.tgz

CPcdt-00-00.i386.rpm

Step #4. Install the rpm with rpm -Uvh.

[Expert@cp-mgmt:0]# rpm -Uvh CPcdt-00-00.i386.rpm

Preparing... ########################################### [100%]

:CPcdt ########################################### [100%]

Found dynamic cli directory - installing CDT clish1.

CentralDeploymentTool has been successfully installed to: /opt/CPcdt

Upgrading a Check Point HA Cluster: The Configuration Process

In this example, I have two gateways in a cluster running R80.10 that I would like to upgrade to R80.40 and then install take 83.

First, we need to edit the deployment plan.

There is a sample one in /opt/CPcdt/DepPlan.xml

I edited it to install R80.40 and Jumbo Hoftix 83:

<?xml version="1.0" encoding="UTF-8"?>

<!--

This is an example of a Check Point Central Deployment Tool Deployment Plan file.

Refer to the CDT SK for additional information about configuring and using CDT:

https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111158

-->

<CDT_Deployment_Plan>

<!--

The plan_settings element contains the name and the description of the deployment plan

and additional configuration.

-->

<plan_settings>

<update_cpuse value="true" />

</plan_settings>

<import_package path="/home/admin/Check_Point_R80.40_Install_and_Upgrade.tgz" />

<install_package path="/home/admin/Check_Point_R80.40_Install_and_Upgrade.tgz" />

<send_email to="dbarker@compuquip.com" subject="Major upgrade completed" body="Finished installation of R80.40 major upgrade, preparing to install R80.40 HF83." />

<import_package path="/home/admin/R80_40_HF83.tgz" />

<install_package path="/home/admin/R80_40_HF83.tgz" />

</CDT_Deployment_Plan>

Next, we generate candidates for the deployment:

./CentralDeploymentTool -generate -candidates=candidates.csv -deploymentplan=DepPlan.xml

This will then generate a list of installation candidates, as shown below.

Object Name , Cluster Name , IP Address , Version/FW build , State , Upgrade Order

========================================================================================================================

cpfw-1 , cpcluster , 192.168.143.241 , R80.10/435 , active , 1

cpfw-2 , cpcluster , 192.168.143.242 , R80.10/435 , standby , 1

cpgw1 , N/A , 192.168.143.1 , R81/959 , gateway , N/A

In this example, cpgw1 is at R81 and is not applicable for installation. However, I will build a filter to not include it.

My filter file, filter.txt, has one line with the name of the cluster cpcluster in it. However, if you had multiple gateways/clusters to include, you would just add additional lines to this file with the gateway/cluster names:

[Expert@cp-mgmt:0]# cat filter.txt

cpcluster

We have to regenerate the candidate.csv now that we have a filter, so rerun the CDT with the -generate flag again this time with the filter applied.

[Expert@cp-mgmt:0]# ./CentralDeploymentTool -generate -candidates=candidates.csv -deploymentplan=DepPlan.xml -filter=filter.txt

Executing a Check Point HA Cluster Upgrade

Now that we have a filter, a deployment file, and a candidate list, we can execute the deployment. Before executing, make sure the SmartConsole is closed.

./CentralDeploymentTool -execute -candidates=candidates.csv -deploymentplan=DepPlan.xml -filter=filter.txt

While this executes, we can watch the log file to see the progress in a duplicate window.

cd /opt/CPcdt

watch -d cat CDT_status.txt

This will allow us to view the status of each operation of the CDT. Eventually, it will display something like this:

cpcluster ()

-------------------------------------------------------------------

Previous Stage: Cluster Validation - Finished Successfully [Started at: 22:11:11] [Ended at:22:11:11]

Current Stage: -

cpfw-1 (192.168.143.241) - version: R80.40 build 106, current action: -

------------------------------------------------------------

Previous Stage: Validate policy installation - Finished Successfully [Started at: 22:10:59] [Ended at:22:11:00]

Current Stage: -

cpfw-2 (192.168.143.242) - version: R80.40 build 106, current action: -

------------------------------------------------------------

Previous Stage: Validate policy installation - Finished Successfully [Started at: 21:03:51] [Ended at:21:03:52]

Current Stage: -

Last updated at: 22:11:29

During the installation, the CDT will:

Update CPUSE
Transfer and import the package
Install the package
Reboot the gateway
Compile and install the policy
Perform a Connectivity Upgrade Synchronization
Failover and increase the fwha_version to 9999 in order to prevent the active/master member from obtaining active/master state immediately after upgrade

Parting Thoughts on How to Use the Check Point Central Deployment Tool to Upgrade and Hotfix a Cluster

The CDT is not fast—in fact, in my lab, it took almost 3 hours to complete the upgrade and hotfixes. However, the fact that it is an automated process makes this something that can be repeated among many gateways without intervention.

While I went over the most common feature, which is upgrades and hotfixes, the CDT can be also be used to perform:

Installation of software packages
Various actions such as taking snapshots, running shell scripts, pushing/pulling files, etc.
Automation of the RMA backup and restore process

Did you know Compuquip is leading Check Point partner? If you’re ready to get more out of your Check Point security solutions—or need help implementing them in the first place—reach out to our team today! We look forward to helping you safeguard your business.

View full post