Update GravityZone
Bitdefender publishes all product and security content updates through the Bitdefender servers on the Internet. All updates are encrypted and digitally signed so that they cannot be tampered with.
GravityZone includes an Update Server role, designed to serve as the centralized update distribution point for your GravityZone deployment. Update Server checks for and downloads all available GravityZone updates from the Bitdefender update servers on the Internet, making them available in the local network. The GravityZone components can be configured to automatically update from the local update server instead of the Internet.
Next, each update file is parsed and its version is checked against the installed one. Newer files are downloaded locally and checked against their MD5 hash to make sure they are not altered.
If a check fails at any point, the update process stops and returns an error. Otherwise, the update is considered valid and ready to be installed.
To update the GravityZone appliances installed in your environment and the installation packages of the GravityZone components, log in with a company administrator account and go to the Configuration > Update page.
Updating GravityZone appliances
Through GravityZone appliance updates, Bitdefender releases new features and improvements to existing ones. These are visible in Control Center.
Before running an update, it is recommended that you check the following:
The update status
Any information or warning messages that may appear.
The changelog
To check the update status:
Go to the Configuration > Update > GravityZone Roles page.
Under the Current Status section, review the message that indicates the general status of your deployment. If GravityZone needs updating, the Update button becomes available.
Under the Infrastructure section, inspect the details for each GravityZone role deployed in your network. Because roles update independently, for each role you can view: the name of the appliance hosting it, its IP address, current version, the latest version available, and update status.
To check the changelog:
Go to the Configuration > Update > GravityZone Roles page.
Click the View changelog link. A pop-up window displays a list of all versions and the changes they include.
Release Notes for each new product version are also available here.
You can update GravityZone in two ways:
Manually
Automatically
Manual update
Choose this method if you want to have full control of when the update should roll out.
To manually update GravityZone:
Go to the Configuration > Update > GravityZone Roles page.
Click the Update button (if available).
The update may take a while. Please wait until it is complete.
Clear the browser cache.
During the update, Control Center logs out all users and informs them of an in-progress update. You will be able to view a detailed progress of the update process.
When the update is complete, Control Center displays the Login page.
Automatic update
By installing updates automatically, you are sure that GravityZone is always updated with the latest features and security patches.
GravityZone has two types of automatic updates:
Product updates
Third party software updates
Product updates bring new features to GravityZone and resolve issues resulting from these features.
Because updates are disruptive for GravityZone users, they are designed to run based on a schedule. You can schedule the update to take place at convenient hours. By default, automatic product updates are disabled.
To enable and schedule product updates:
Go to the Configuration > Update > GravityZone Roles page.
Select the Enable automatic GravityZone product updates check box.
Set the Recurrence to Daily, Weekly (select one or more weekdays) or Monthly.
Define an Interval. You can schedule a time for the update process to begin when a new update is available.
GravityZone displays by default a warning message to all Control Center users 30 minutes before the automatic update starts. To disable the warning, clear the check box Enable the 30 minutes downtime alert before update.
The GravityZone virtual appliance embeds a series of software products provided by other vendors. Third party software updates aim to patch such software as soon as possible, reducing possible security risks.
These updates run silently and do not interrupt the work with Control Center.
By default, this option is enabled. To disable this option:
Go to the Configuration > Update > GravityZone Roles page.
Clear the check box Enable automatic security updates for 3rd party GravityZone components.
Third party software patches will then be released together with the GravityZone product update.
Configuring the Update Server
By default, the Update Server downloads updates from the Internet every hour. It is recommended not to change the default Update Server settings.
To check and configure the Update Server settings:
Go to the Update page in Control Center and click the Components tab.
Click the Settings button at the upper side of the pane on the left side to display the Update Server Settings window.
Under Update Server Configuration, you can check and configure the main settings.
Packages Address
The address where packages are downloaded from.
Update Address
Update Server is configured to check for and download updates from upgrade.bitdefender.com:80. This is a generic address that is automatically resolved to the closest server that stores Bitdefender updates in your region.
Port
When configuring the various GravityZone components to update from Update Server, you must provide this port.
The default port is 7074.
IP
The IP address of the Update Server.
Update period (hours)
If you want to change the update period, type a new value in this field. The default value is 1.
You can configure the Update Server to automatically download the endpoint kits.
Update Server can act as gateway for data sent by the Bitdefender client products installed in the network to the Bitdefender servers. This data may include anonymous reports regarding virus activity, product crash reports and data used for online registration. Enabling the gateway roles is useful for traffic control and in networks with no Internet access.
Note
You can disable the product modules that send statistical or crash data to Bitdefender Labs anytime you want. You can use policies to remotely control these options on the computers and virtual machines managed by Control Center.
Click Save.
Downloading product updates
You can view information about the existing GravityZone component packages under the Components tab.
Available information includes current version, update version (if any) and the status for update operations you initiate.
To update a GravityZone component:
Go to the Update page in Control Center and click the Components tab.
Click the component you want to update in the Product list. All available versions will be displayed in the Packages table. Select the check box corresponding to the version you want to download.
Note
New packages will be in the Not downloaded state. Once a newer version is released by Bitdefender, the oldest undownloaded version will be removed from the table.
Click Actions at the upper side of the table and select Publish. The selected version will be downloaded and the status will change accordingly. Refresh the table contents by clicking the Refresh button and check the corresponding status.
Staging updates
Staging enables you to test newer kits or product updates in an enclosed and controlled environment before publishing them in your network. The staging environment should mirror production as closely as possible for the purposes of testing. By doing this, you can maximize your chances of finding any issues that may appear in your environment, before releasing the version in production.
The staging feature also allows you to create a policy for the critical endpoints from production. You can update these endpoints only after the updates have been tested in the staging environment and on the non-critical machines from production. For more details, refer to Publishing with Update Rings.
Note
Staging is disabled by default.
Security Server (VMware with NSX) does not support staging.
BEST for Windows Legacy does not support staging. In such cases, you must set the update location to the same update server used for production or the official Bitdefender Content Delivery Network (CDN) update server: https://update-onprem.2d585.cdn.bitdefender.net.
The product and security content are initially released on Fast ring. If the feedback is positive, after a week, the same version is deployed on Slow ring. For emergency fixes, you can expect the Slow ring update within 24 hours from the Fast ring release.
In the unlikely event that an issue occurs on the Fast ring, it will be fixed before the Slow ring update. For critical issues, Slow Ring releases can be delayed or stopped entirely until a new version with the resolved issues is released, restarting the whole release cycle.
Bitdefender Endpoint Security Tools offers downgrade protection when switching between rings. For the product, when you switch an endpoint that runs a newer Fast ring version to Slow ring, the product is not downgraded to the Slow ring version. Security content, however, is reverted to the version currently available in the market.
Product update phases:
Fast Ring. The endpoints with a Fast ring policy will receive the newest available updates. This setting is recommended for the non-critical endpoints in production.
Slow Ring. The endpoints with a Slow ring policy will receive updates at a later date, depending on the response received from the Fast ring endpoints. It is a precautionary measure in the update process. This is the default setting.
Best practices
You can use the update rings in the following situations:
Temporarily, for a specific update to patch a critical issue on an endpoint. In this case:
Switch from Slow ring to Fast ring.
Apply the update.
Switch back to Slow ring.
Permanently, to test the update and to ensure compatibility with custom, internal software. You can set some endpoints to Fast ring for early adoption and feedback, while the other ones from the organization remain on Slow ring. In this case:
Switch from Slow ring to Fast ring.
Apply the update.
To switch between rings, you have two options:
Edit the existing policy for the target endpoints:
Go to the Policies page.
Select your policy.
Go to General > Update.
On the Update ring tab, select either Fast ring or Slow ring.
Click Save.
Create a new policy. After the policy is created, you can change the update ring by editing the policy at any time.
For more information, refer to Creating policies.
Note
When you switch the ring from Fast before a Slow ring update, you receive a notification during the next update that the installed version is newer than the one available on the Update Server. The product updates as soon as a newer version is available for the Slow ring.
Prerequisites
Staging mode requires the GravityZone infrastructure to meet the following conditions:
The Update Server must be installed alone on the virtual appliance.
If you have the Update Server together with other roles on the appliance, you must follow these steps:
Delete the old Update Server role.
Deploy a new GravityZone appliance.
Important
Do not install any roles yet.
Connect the new appliance to the existing GravityZone database.
Install the Update Server role on the new appliance.
For more information on installing GravityZone roles, refer to Manage the GravityZone appliance.
The Update Server appliance must be at least 120 GB.
The Web Console appliance must be at least 120 GB.
Using staging
To set up the staging environment and test the latest updates you must:
To enable staging mode for GravityZone updates:
Go to the Configuration > Update page and click the Components tab.
Click the Settings button at the upper side of the pane on the left side to display the Update Server Settings window.
Select the Enable Staging check box.
Under Production Server Configuration, configure the main settings:
Packages Address
The address where packages are downloaded from:
download.bitdefender.com/SMB/Hydra/release
Update Address
The address where product updates are downloaded from:
upgrade.bitdefender.com:80
Port
The default port is 7074. You cannot edit this field.
IP
The IP address of the Update Server. You cannot edit this field.
Update period (hours)
If you want to change the update period, type a new value in this field. The default value is 1.
The production and update server can act as gateways for data sent by the Bitdefender client products installed in the network to the Bitdefender servers. This data may include anonymous reports regarding virus activity, product crash reports and data used for online registration. Enabling the gateway roles is useful for traffic control and in networks with no Internet access.
Note
You can disable the product modules that send statistical or crash data to Bitdefender Labs anytime you want. You can use policies to remotely control these options on the computers and virtual machines managed by Control Center.
Under Staging Server Configuration, configure the following options:
Port
The default port is 7077.
IP
The IP address of the Update Server. You cannot edit this field.
Under Packages, you can configure Update Server to automatically download and publish endpoint kits.
You can also configure the maximum number of kits that you can store on the GravityZone appliance. Enter a number between 4 and 10 in the Keep maximum (kits) menu.
Under Products Update, you can configure Update Server to automatically download updates for security agents.
You can choose to also automatically publish newest downloaded versions:
Select at least one security agent from the available list.
Define the source and destination rings:
Source ring. The ring used to send the updates in the staging environment. When a version is validated by its early adopters it will be published on the slow ring. This is the default value. The newest available updates will be published on the fast ring.
Destination ring. The ring used to publish the updates in production. You can select between fast and slow.
You can also configure the maximum number of updates that you can store on the GravityZone appliance. Enter a number between 4 and 10 in the Keep maximum (updates) menu.
Click Save.
Once staging is enabled, build your staging environment to start testing the available product kits and updates.
Important
Disabling staging will delete all unpublished packages and product updates.
You need to define a staging policy:
Go to the Policies page.
Select or create a policy to use in the test environment.
Under the General > Update section, enter the Staging Server address in the Update Locations table.
Configure the other policy settings as needed. For more details, refer to Configuring computer and virtual machine policies.
Click Save.
To install the latest package on the testing endpoints:
Go to the Configuration > Update page and select the Components tab.
Click Check for updates to make sure you view the latest released product version.
Click the component you want to update in the Product list.
In the Packages table, select the package you want to test. You can download several kits for every product, up to the limit specified in the Update Server Settings window. When this limit is reached, the oldest version is removed from the table.
Click Actions and select Download to get the package to your GravityZone appliance.
Having the package selected, click Save to disk. The package configuration window is displayed.
Configure the package. For more information, refer to Creating Installation Packages.
Install the kit on the testing endpoints.
Monitor the behavior of the endpoints.
If the package has installed successfully and the endpoints have normal behavior, you can publish the package to the production network.
To publish a package, select it in the Packages table, click Actions at the upper side of the table and select Publish.
Important
You cannot publish packages older than the one already published.
If you encounter problems with the package, you can log a support ticket. For more details, refer to Getting Help.
To delete a package from the GravityZone appliance, click the Actions button and choose Delete from disk.
To assign the staging policy to the testing endpoints:
Go to the Network page.
Choose Computers and Virtual Machines from the views selector.
Select the group that you want from the left-side pane. All computers from the selected group are displayed in the right-side pane table.
Select the check box of the computer or group that you want. You can select one or several objects of the same type only from the same level.
Click the Assign Policy button at the upper side of the table.
Make the necessary settings in the Policy assignment window. For more information, refer to Assigning policies.
To install the latest updates:
Go to the Configuration > Update page and select the Components tab.
Click Check for updates to make sure you view the latest released product update.
Select the Bitdefender product of your choice in the Product list.
Note
You can use staging only with updates for security agents and not for Security Servers.
In the Updates table, select the update you want to test.
Click Actions and select Download to get the update to your GravityZone appliance.
You can download several updates for every product, up to the limit specified in the Update Server Settings window. When this limit is reached, the oldest version is removed from the table.
Having an update selected, click Actions and select Add to staging. The update will install on the testing endpoints, according to the policy settings. For more details refer to Defining the Staging Policy.
If the update has installed successfully and the endpoints have normal behavior, start to send out the update to the machines in production. First, update the non-critical machines to run another test before updating the critical endpoints. For more details, refer to Publishing with Update Rings.
If you encounter problems with the update, you can log a support ticket. For more details, refer to Getting Help.
To delete an unpublished update from the GravityZone appliance, click the Actions button and choose Delete. You can delete only unpublished updates.
To test the update on the non-critical endpoints from production, you must first edit the existing policies and assign them a fast ring policy.
Note
A slow ring policy is automatically assigned for all the policies you create.
Go to the Policies page.
Edit the policy setting for the non-critical endpoints in production. In the Update Ring section select Fast ring.
Note
The update published on fast ring cannot be older than the one published on the slow ring.
Publish the update on the fast ring:
Go to the Configuration > Update page and select the Components tab.
Select the update in the Updates table, click the Actions button at the upper side of the table and choose Publish.
Select the fast ring option.
Note
When you first publish an update, it will be available on the fast and slow rings.
At this point, all endpoints with fast ring policy are being updated to the published version.
Monitor the behavior of the fast ring endpoints.
If the update has installed successfully and the endpoints have normal behavior, you can publish the update on the slow ring:
Go to the Configuration > Update page and select the Components tab.
Select the update in the Updates table, click the Actions button at the upper side of the table and choose Publish.
Select the slow ring option.
Every endpoint from production is now updated to the version you published.
If you encounter problems with the package, you can log a support ticket. For more details, refer to technical support.
Product offline updates
GravityZone uses by default an update system connected to the Internet. For isolated networks, Bitdefender offers an alternative, making the components and security content updates available offline as well.
Prerequisites
To use offline updates, you need:
A GravityZone instance installed in a network with internet access (“online instance”). The online instance must have:
Direct internet access
Access on ports 80 and 443. For more details about the ports used by GravityZone, refer to GravityZone (on-premises) communication ports.
Only the Database and Update Server roles installed.
One or several GravityZone instances installed in a network without internet access (“offline instances”)
Both GravityZone instances must have the same appliance version
Setting up the online GravityZone instance
During this phase, you will deploy a GravityZone instance to a network with internet access, and then configure it to act as an offline update server.
Deploy GravityZone to a machine with internet connection.
Install only the Database and Update Server roles.
Access the machine's TTY terminal in your virtual environment (or connect to it via SSH).
Log in with the bdadmin user and the password you have set.
Run the command sudo su to gain root privileges.
Run the following commands to install the offline gzou-mirror package:
# /opt/bitdefender/bin/pkg-update update
# gzcli update
# apt-get install gzou-mirror
The gzou-mirror package has the following roles:
Configure the Update Server to automatically generate offline update archives.
Set up a web service on the online instance, providing configuration and download options for the offline update archives.
Configuring and downloading the initial update files
During this phase, you will configure the update archive settings via the web service installed on the online instance, and then create the archive files required for setting up the offline instance. Then, you will have to download the update files and place them on a portable media device (USB stick).
Access the web service through a URL of this form: https://Online-Instance-Update-Server-IP-or-Hostname, with the username bdadmin and the password you have set.
Configure the offline update archive as follows:
Under Kits: select the endpoint agent kits you want to include in the offline update archive.
Under Settings, edit your update archive preferences.
A CRON job installed on the online instance will check every minute if there are new update files available and if the free disk space is bigger than 10GB. At each period set by the Archive creation interval (in hours) option, the CRON job will create the following files:
Full archive (product updates + signature updates + install kits + Debian repositories)
Lite archive (signature updates)
The archives will be created in the following location:
https://Online-Instance-Update-Server-IP-or-Hostname/snapshots
Click Create > Full archive to create the first full archive. Wait until the archive is created.
Download the full update archive and the gzou-bootstrap file from the online instance. You have several options at hand:
Via the web service: click Download archives to access the page containing the links to the update files. Click the full update archive and the gzou-bootstrap file links to download them on your endpoint.
Use your preferred SCP/SCTP client (WinSCP, for example) to establish a SCP session with the online instance and transfer the above-mentioned files to any location in your online network. The default path on the online instance is:
/opt/bitdefender/share/gzou/snapshots
Via SAMBA share. Use a read-only SAMBA share to retrieve the offline update archives from the following location:
\\Online-Instance-Update-Server-IP-or-Hostname\gzou-snapshots
Note
The credentials for accessing the SAMBA share, if requested, are the same as the online instance credentials (bdadmin user and password).
Setting up the offline GravityZone instance
During this step, you will deploy and configure the offline instance to receive updates via the archives generated by the online instance. Unless stated otherwise, all commands must be run as root.
Deploy GravityZone to a machine from the isolated environment.
Install only the Database and Update Server roles.
Transfer the update archive and the gzou-bootstrap file downloaded from the online instance to the /home/bdadmin directory of the offline instance using a portable media device (USB stick).
Important
For the offline update to work, make sure that:
The update archive and the gzou-bootstrap are in the same folder.
The update archive is a full archive.
Execute the gzou-bootstrap file as follows:
Access the machine's TTY terminal in your virtual environment (or connect to it via SSH).
Transform gzou-bootstrap into an executable:
# chmod +x gzou-bootstrap
Run:
# ./gzou-bootstrap
Choose the method of transferring the update archives to the offline instance:
Select Windows shared folder (Samba share). In this case, you will have to specify the path to a Windows share from the isolated network, where the offline instance will automatically connect to retrieve the update archives. Enter the credentials required to access the specified location.
Select SCP if you will manually transfer the files to the /opt/bitdefender/share/gzou/snapshots/ folder of the offline instance via SCP.
Note
If you want to change the transfer method at a later time:
Access the offline instance's TTY terminal in your virtual environment (or connect to it via SSH).
Log in with the bdadmin user and the password you have set.
Run the command sudo su to gain root privileges.
Run:
# rm -f /opt/bitdefender/etc/gzou-target.json
# dpkg-reconfigure gzou-target
The configuration dialog will appear, where you can make the changes that you want.
Switch to the offline GravityZone console command line and install the rest of the roles.
Access the offline console from your web browser and insert your license key (in offline mode).
Using offline updates
Once you have set up the GravityZone instances, follow these steps to update your offline installation:
Download the latest offline update archive from the online instance to your preferred network share. For more details, refer to Configuring and downloading the initial update files.
Use a USB stick to transfer the update archive to the configured Samba share from the isolated network. For more details, refer to Setting Up the Offline GravityZone Instance.
The files will be automatically pulled into the following offline instance directory:
/opt/bitdefender/share/gzou/snapshots/
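This page does not describe an integrity check for the removable-media hop between the online and offline instances. The following added example (not Bitdefender code; the manifest name SHA256SUMS, the function names and the placeholder archive name are assumptions) records SHA-256 digests on the online side and checks them on the receiving host before gzou-bootstrap is run or an archive is placed in the snapshots folder or share.

```shell
#!/bin/sh
# Added example, not Bitdefender code. Hash-checks offline update files that
# cross the air gap on removable media. Archive names are operator-supplied.

# Print the SHA-256 hex digest of one file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Online side. usage: make_manifest MANIFEST FILE...
# Writes one "<digest>  <basename>" line per file.
make_manifest() {
    mm_out=$1; shift
    : > "$mm_out" || return 1
    for mm_f in "$@"; do
        [ -f "$mm_f" ] || { echo "missing: $mm_f" >&2; return 1; }
        printf '%s  %s\n' "$(sha256_of "$mm_f")" "$(basename "$mm_f")" >> "$mm_out"
    done
}

# Receiving side. usage: verify_staged DIR MANIFEST [need_bootstrap: yes|no]
# Returns 0 only if every listed file is present in DIR with a matching digest.
# Return codes: 2 bad manifest, 3 missing file, 4 digest mismatch.
verify_staged() {
    vs_dir=$1; vs_manifest=$2
    [ -s "$vs_manifest" ] || { echo "manifest missing or empty" >&2; return 2; }
    # Initial setup: gzou-bootstrap must sit in the same folder as the archive.
    if [ "${3:-yes}" = yes ] && [ ! -f "$vs_dir/gzou-bootstrap" ]; then
        echo "gzou-bootstrap not in $vs_dir" >&2; return 3
    fi
    while read -r vs_want vs_name; do
        # Refuse entries that could point outside the staging folder.
        case $vs_name in ''|*/*) echo "bad entry: $vs_name" >&2; return 2 ;; esac
        [ -f "$vs_dir/$vs_name" ] || { echo "missing: $vs_name" >&2; return 3; }
        if [ "$(sha256_of "$vs_dir/$vs_name")" != "$vs_want" ]; then
            echo "DIGEST MISMATCH: $vs_name" >&2; return 4
        fi
    done < "$vs_manifest"
    return 0
}

# Constructed demo: placeholder files stand in for a real archive.
demo() {
    d_src=$(mktemp -d) && d_dst=$(mktemp -d) || return 1
    printf 'constructed archive bytes\n' > "$d_src/full-archive.placeholder"
    printf '#!/bin/sh\n' > "$d_src/gzou-bootstrap"
    make_manifest "$d_src/SHA256SUMS" \
        "$d_src/full-archive.placeholder" "$d_src/gzou-bootstrap"
    cp "$d_src/full-archive.placeholder" "$d_src/gzou-bootstrap" "$d_dst/"
    verify_staged "$d_dst" "$d_src/SHA256SUMS" && echo "clean copy: OK"
    printf 'x' >> "$d_dst/full-archive.placeholder"   # simulate alteration
    verify_staged "$d_dst" "$d_src/SHA256SUMS" 2>/dev/null
    echo "altered copy: verify_staged returned $?"
    rm -rf "$d_src" "$d_dst"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Carry SHA256SUMS to the isolated network by a different path than the USB stick, or compare it manually against the online host; a manifest that travels with the files only detects accidental corruption. For later updates, where only an archive is transferred, pass no as the third argument to skip the gzou-bootstrap presence check.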
Using the web console
Access the web console by entering the IP/Hostname of the appliance in the web browser. You can edit the available options:
Control Center
General Settings
The Appliance Status displays the details of the last job performed (archive type, date and time), and the next scheduled job.
You have the option to:
Create security content archive
Create full archive
In the Created Archives section, you can download security content and full archives.
Select the archive(s) from the available list, and click the Download button.
You can also view the available space on the appliance disk.
You can define a download schedule for the GravityZone kits.
Click the Edit Settings button.
Select one or more kits from the Available Kits list.
In the Schedule section, you can define an interval for creating the archives, as well as the number of archives to keep on disk.
Click the Apply button to save your changes.