Blink - Full gateway installation in 5 minutes

[PhoneBoy]

As I mentioned in another thread, Check Point has been working on new methods to (re)image appliances.
One of these methods is now available: Blink.

Using Blink you’ll be able to deploy Blink images on Check Point gateway appliances in no more than 5 minutes!
Blink images are available for currently supported versions, with or without the latest Jumbo HF.
Blinking an image which includes a Jumbo HF does not require any extra installation time!

If you are using ISOMorphic, you might consider using Blink for your gateway installations.

Download the tool from here: https://supportcenter.checkpoint.com...ionid=sk120193

[EricAnderson]

Very cool! Looking forward to playing...

-E

[slowfood27]

In the meantime i used the blink mechanism twice with the same kit:
blink.tgz MD5 44439258b2692912fecff1be4a74a15b
blink_image_1.0_Check_Point_R77.30_GA_SHA2_T3_Jumb o_T292.tgz MD5 c85f0315e51404d78ff1f199fe22d95b
blink_updates_R77.30.tgz MD5 df8e82951f6958aab9b3d92896905bd7

First installation was done on 2 12400 appliances, process run smoothly and perfectly
Second installation was done on a 5200 appliance, with the result that after booting the newly created environment, the interface naming was weired. I got

Mgmt
eth1-01
eth2_rename
eth3_rename
eth4_rename
eth5-01

The "standard" interface naming for a 5200 is:

Mgmt
eth1
eth2
eth3
eth4
eth5

I reset the appliance to "factory default R77.30" and repeated the blink installation process with the same weired result.

Any hints are welcome

[GregoryE]

Thank you for your comments, its awesome that you have started playing with blink.

In the case of 5200 appliance there is a different blink image that need to be used.

From the blink sk120193 under the download section -
R77.30 GA
(Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast _Appliances.iso)

File name - blink_image_1.0_Check_Point_R77.30_P8_T10.tgz

R77.30 GA with R77.30 Jumbo Hotfix Take 292
(Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast _Appliances.iso)

File name - blink_image_1.0_Check_Point_R77.30_P8_T10_Jumbo_T2 92.tgz

We (Team that develops Blink) are working on adding compatibility check in order to block execution of incompatible image/appliance.

We would appreciate any feedback/suggestion that you might have

[slowfood27]

Thank you for your comments, its awesome that you have started playing with blink.

In the case of 5200 appliance there is a different blink image that need to be used.

From the blink sk120193 under the download section -
R77.30 GA
(Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast _Appliances.iso)

File name - blink_image_1.0_Check_Point_R77.30_P8_T10.tgz

R77.30 GA with R77.30 Jumbo Hotfix Take 292
(Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast _Appliances.iso)

File name - blink_image_1.0_Check_Point_R77.30_P8_T10_Jumbo_T2 92.tgz

We (Team that develops Blink) are working on adding compatibility check in order to block execution of incompatible image/appliance.

We would appreciate any feedback/suggestion that you might have

First suggestion would be: Provide a version in combination with the ISOmorphic tool. The actual usage of blink requires to copy the blink images and the blink utility (plus an optional answers.xml) files to the target system using scp. This means, that the target system needs to have at least some initial, not yet configured (in terms of CP Software) Gaia OS running.
The possibility of using the blink process based on a USB-stick would improve the usability widely.

[PhoneBoy]

First suggestion would be: Provide a version in combination with the ISOmorphic tool. The actual usage of blink requires to copy the blink images and the blink utility (plus an optional answers.xml) files to the target system using scp. This means, that the target system needs to have at least some initial, not yet configured (in terms of CP Software) Gaia OS running.
The possibility of using the blink process based on a USB-stick would improve the usability widely.

The Gaia OS can be configured, but the idea of Blink is blow away/restart.
I do agree pairing this with isomorphic or similar would be a good thing.

[hbiris]

Hi,

I will be trying this on a VSX Cluster to upgrade from R77.20 to R77.30, however, there is a limitation (DP-1644 Reimage: Blink reimage is blocked from running on VSX machines) that reimage cannot be executed on VSX gateways. My question is, if I run "set vsx off," or disable VSX using cpconfig, would this allow me to run "./blink --reimage --delete-old-partition" to reinstall the gateway and then perform a vsx_util reconfigure to push the R77.30 configs on the gateway?

[GregoryE]

Hi,

I will be trying this on a VSX Cluster to upgrade from R77.20 to R77.30, however, there is a limitation (DP-1644 Reimage: Blink reimage is blocked from running on VSX machines) that reimage cannot be executed on VSX gateways. My question is, if I run "set vsx off," or disable VSX using cpconfig, would this allow me to run "./blink --reimage --delete-old-partition" to reinstall the gateway and then perform a vsx_util reconfigure to push the R77.30 configs on the gateway?

No, Blink will still identify the machine as a VSX.
What you can do is to use the factory reset and then run blink.

I would suggest against using the blink on VSX machine (even with disabled VSX setting) as it currently not supported, and wasn't fully tested.

[slowfood27]

And it's really fast ...

Sicne the WebGUI CPUSE-based installation of the HFA 302 failed on a member of a productive cluster (could not uninstall HFA 216), we decided to re-install that gateway from scratch using the blink mechanism.

We wrote a short screenplay which defined the following steps:

1. Save the configuration file of the gateway
2. Create a snapshot on the gateway for possible rollback
3. Copy the blink utility and blink image to the gateway to /var/log/blink and extract the blink utility
4. Prepare the answers.xml file for automated first time wizard execution
5. Detach the License from the gateway in the SmartUpdate GUI
6. Do a cpstop on the gateway
7. Run the blink utility (./blink -a /var/log/blink/answers.xml --reimage --delete-old-partition)
8. Do a SIC-Reset with the gateway in the SmartDashboard
9. Attach the License to the gatewy again
10. Copy the saved configuration file to the gateway and load it
11. Install the Security Policy

Steps 1 through 4 were done in advance during office hours in order to minimize the downtime of a the gateway.
The config file might need some modifications previous to the restore, depending on your environment
Below you see the log from the blink Utility. And you will notice, that from the start of the blink utility until the first reboot it takes 3 minutes and 35 seconds. That's amazing fast on a 5200 appliance

Thu May 24 20:57:26 2018 *A* [Main]: Blink image execution started
Thu May 24 20:57:26 2018 *A* [Main]: Blink Utility version: 1.0
Thu May 24 20:57:26 2018 *N* [Main]: Extracting image content to: /var/log/blink/launcher/files/
Thu May 24 20:58:10 2018 *N* [Main]: Verifying main engine integrity
Thu May 24 20:58:10 2018 *A* [Main]: Verified OK
Thu May 24 20:58:10 2018 *N* [Main]: Loading engine configurations
Thu May 24 20:58:10 2018 *A* [Main]: Image Version: R77.30
Thu May 24 20:58:10 2018 *A* [Main]: Blink Engine Version: 1.0
Thu May 24 20:58:10 2018 *N* [Main]: Executing the main engine
Thu May 24 20:58:10 2018 *A* [Main]: Starting Blink engine process
Thu May 24 20:58:10 2018 *N* [Main]: Preparing required installation files
Thu May 24 20:58:10 2018 *N* [Main]: Verifying the integrity of the image files
Thu May 24 20:58:32 2018 *A* [Main]: Verification succeeded
Thu May 24 20:58:33 2018 *N* [Main]: Executing stage - Create Partition
Thu May 24 20:58:40 2018 *N* [Main]: Executing stage - Extract Image
Thu May 24 21:00:31 2018 *N* [Main]: Executing stage - Merge /var/log files
Thu May 24 21:00:44 2018 *N* [Main]: Executing stage - Create Snapshot
Thu May 24 21:00:44 2018 *N* [Main]: Skipping 'Create Snapshot' stage.
Thu May 24 21:00:44 2018 *N* [Main]: Executing stage - Blades Configurations
Thu May 24 21:00:47 2018 *N* [Main]: Executing stage - Blink Gateway Configurations
Thu May 24 21:00:47 2018 *N* [Main]: Executing stage - Blink Updates Configurations
Thu May 24 21:00:47 2018 *N* [Main]: Skipping 'Blink Updates Configurations' stage.
Thu May 24 21:00:47 2018 *N* [Main]: Executing stage - User Updates Configurations
Thu May 24 21:00:47 2018 *N* [Main]: Skipping 'User Updates Configurations' stage.
Thu May 24 21:00:47 2018 *N* [Main]: Executing stage - Post Installation Actions
Thu May 24 21:01:00 2018 *N* [Main]: Executing stage - Finalize Installation
Thu May 24 21:01:00 2018 *N* [Main]: Total time for gateway 'Security Gateway': 0 hours 2 minutes 27 seconds
Thu May 24 21:01:00 2018 *A* [Main]: Security Gateway execution finished
Thu May 24 21:01:00 2018 *N* [Main]: Total execution time: 0 hours 2 minutes 50 seconds
Thu May 24 21:01:01 2018 *N* [Main]: The machine will go to reboot in 10 seconds!
Thu May 24 21:01:01 2018 *A* [Main]: The installation has finished successfully and is pending reboot!

[Bob_Zimmerman]

Blink appears to have been one of the building blocks of this:

https://www.checkpoint.com/products/...work-security/

Looks like a Crossbeam-NPM-in-a-box, but it scales way, way out. I have many questions.

[PhoneBoy]

We'll be showing it off at CPX.
It's quite impressive :)