2012-05-30, 07:49
Hi guys,

Until now we used only the IP series, but since you get more bang for the buck with the new 2012 series, and the IP series will go EOL pretty soon, we decided to go for the 2012 from now on.

But there is one big thing, which we absolutely dislike: It is not possible to install the 2012 via network/ftp from the bootmanager, or at least we do not know how.
So if you have a firewall at a remote site, and you have to install it, how do you do this? Find some guy who burns an ISO/DVD and plugs in a USB DVD?
And what if we want to upgrade an appliance later on? Find some guy and burn a new disk again?
We tried with a USB stick but without luck, even when it was created with the Check Point tool.

If no installation via network is possible, the second-best solution would be a USB stick which appears to the firewall as a DVD drive and on which you can change the ISO file.
Then if you want to upgrade the firewall, you could download the ISO file with the firewall, replace the ISO file on the USB stick, and then boot from it.

Has somebody done something like this? How do you install these appliances?



Robby Cauwerts
2012-05-30, 11:00
Starting from the 4800 model you can use the LOM for upgrades (mounting a local ISO).

2012-05-30, 13:56
You are right, I forgot about that in my post.
Unfortunately for most of our sites we do not need that much power since we only do firewalling, not IPS, AV etc.
So we wanted to go for the 4600, at least until last week, when CP raised its price by 30%; I am still waiting for a good explanation from our account manager, by the way.

So I guess in future our standard model for normal (small) sites will be the 4400.

2012-06-05, 05:35
So many viewers and no other comments?

Come on guys, how do you do this?

2012-06-05, 08:53
I've done the USB stick install on some 2012 appliances and Power-1 without problems. It requires you to have a console connection up though in order to pick what partition to boot from.

2012-06-05, 11:07
Thanks, did you use the Check Point tool for creating the USB stick?
Can you exchange the image on this stick with another one at a later time, e.g. for upgrading the firewall, without the need to unplug the stick?

2012-06-05, 16:18
Yes, I use the ISOmorphic Check Point tool to make the USB stick bootable. I have not tried leaving the USB stick in the FW and replacing the image. One problem I see with doing this is that any reboot of your remote firewall will take much longer, because it'll boot to the USB first and then you'll have to wait for it to time out before booting from the local disk.

2012-06-06, 05:06
You can mount the USB stick and modify it from the CLI.

The other drawback is that you need access to the serial port to boot from USB.

We are also struggling with that issue and have no proper solution :-(

2012-07-02, 02:18
You can look at a console server; we deploy lots of these little boxes together with my Check Point appliances.
IOLAN DS / TS Device Server | Serial to Ethernet | Perle (http://www.perle.com/products/IOLAN-DS-Terminal-Server.shtml)

2012-07-02, 10:12
Are these boxes not just to get serial access?
We use Avocents for this.

But it does not help with my question: how is it possible to install a remote firewall without any local help besides putting it into the rack and plugging in the network cables?
With the IP series I could install via serial access and then FTP the necessary files via bootmanager; this is not possible with the 2012 models, so I need local help like putting in USB devices.

2012-07-28, 16:59
You can network install an appliance. It's called pxeboot. It requires a DHCP server (to get an IP and tell it where the config file is), a TFTP server (which holds the config, kernel and ramdisk) and an FTP/HTTP/NFS server (which holds the mounted ISO image). Keep in mind it's going to take epic bandwidth, however, since the images are 2 gig. If you have small WAN connectivity it's going to suck, but then again so will mounting an ISO image via the LOM.

I've set this all up for staging new firewalls; the configs for everything are in the install guide (I think). The only issue is that if you're booting a system that doesn't have a video card you need to use console=ttyS0 instead of tty0.
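
A sketch of the DHCP and PXELINUX pieces the last post describes, added here as an example and not taken from the thread or from the vendor's install guide. All addresses, file names and the 9600 baud rate are assumptions, and the installer's image-source option is left as a placeholder.

```conf
# ---- /etc/dhcp/dhcpd.conf (ISC dhcpd) on the staging server ----
# Constructed addresses: 192.0.2.0/24 is a documentation range.
# PXE and TFTP are unauthenticated, so serve them only on an isolated
# staging segment, never on a production or WAN-facing network.
subnet 192.0.2.0 netmask 255.255.255.0 {
  # Leases for appliances being staged.
  range 192.0.2.100 192.0.2.120;
  option routers 192.0.2.1;
  # TFTP server that holds the config, kernel and ramdisk.
  next-server 192.0.2.10;
  # Boot loader the appliance fetches over TFTP.
  filename "pxelinux.0";
}

# ---- <tftp-root>/pxelinux.cfg/default ----
# SERIAL has to be the first directive so that the boot prompt itself
# appears on the serial console of an appliance without a video card.
serial 0 9600
default install
prompt 0
# TIMEOUT is in tenths of a second (5 s here).
timeout 50

# vmlinuz and initrd.img are placeholder names for the kernel and ramdisk
# copied from the install ISO into the TFTP root.
# console=ttyS0 sends kernel and installer output to the first serial
# port; use console=tty0 only on systems that have a video card.
# <INSTALL_SOURCE_PARAMETER> stands for the installer-specific option
# that points at the ISO contents on the FTP/HTTP/NFS server; take the
# real option from the install guide.
label install
  kernel vmlinuz
  append initrd=initrd.img console=ttyS0,9600n8 <INSTALL_SOURCE_PARAMETER>
```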