ON PREMISES SOLUTIONS

Update GravityZone

Bitdefender publishes all product and security content updates through the Bitdefender servers on the Internet. All updates are encrypted and digitally signed so that they cannot be tampered with.

GravityZone includes an Update Server role, designed to serve as the centralized update distribution point for your GravityZone deployment. Update Server checks for and downloads all available GravityZone updates from the Bitdefender update servers on the Internet, making them available in the local network. The GravityZone components can be configured to automatically update from the local update server instead of the Internet.

Next, each update file is parsed and its version is checked against the installed one. Newer files are downloaded locally and checked against their MD5 hash to make sure they are not altered.

If in any moment a check is not passed, the update process stops, returning an error. Otherwise, the update is considered valid and ready to be installed.

To update the GravityZone appliances installed in your environment and the installation packages of the GravityZone components, log in with a company administrator account and go to the Configuration > Update page.

Updating GravityZone appliances

Through GravityZone appliance updates, Bitdefender releases new features and improvements of existing ones. These are visible into Control Center.

Before running an update, it is recommended you check the following:

  • The update status

  • Any information or warning messages that may appear.

  • The changelog

To check the update status:

  1. Go to the Configuration > Update > GravityZone Roles page.

  2. Under the Current Status section, glance over the message that points the general status of your deployment. If GravityZone needs updating, the Update button becomes available.

  3. Under the Infrastructure section, inspect the details for each GravityZone role deployed in your network. Because roles update independently, for each role you can view: the name of the appliance hosting it, its IP address, current version, the latest version available, and update status.

To check the changelog:

  1. Go to the Configuration > Update > GravityZone Roles page.

  2. Click the View changelog link. A pop-up window displays a list with all versions and changes they included.

    Release Notes for each new product version are also available here.

You can update GravityZone in two ways:

  • Manually

  • Automatically

Manual update

Choose this method if you want to have full control of when the update should roll out.

To manually update GravityZone:

  1. Go to the Configuration > Update > GravityZone Roles page.

  2. Click the Update button (if available).

    The update may take a while. Please wait until it is complete.

  3. Clear the browser cache.

During the update, Control Center logs out all users and informs them of an in-progress update. You will be able to view a detailed progress of the update process.

When the update is complete, Control Center displays the Login page.

Automatic update

By installing updates automatically, you are sure that GravityZone is always updated with the latest features and security patches.

GravityZone has two types of automatic updates:

  • Product updates

  • Third party software updates

Product updates

These updates bring new features in GravityZone and resolve issues resulted from these features.

Because updates are disruptive for GravityZone users, they are designed to run based on a schedule. You can schedule the update to take place at convenient hours. By default, automatic product updates are disabled.

To enable and schedule product updates:

  1. Go to Configuration > Update > GravityZone Roles page.

  2. Select the Enable automatic GravityZone product updates check box.

  3. Set the Recurrence to Daily, Weekly (select one or more weekdays) or Monthly.

  4. Define an Interval. You can schedule a time for the update process to begin when a new update is available.

GravityZone displays by default a warning message to all Control Center users 30 minutes before the automatic update starts. To disable the warning, clear the check box Enable the 30 minutes downtime alert before update.

Third party software updates

GravityZone virtual appliance embeds a series of software products provided by other vendors. This type of updates aims to patch such software as soon as possible, diminishing possible security risks.

These updates run silently and do not interrupt the work with Control Center.

By default, this option is enabled. To disable this option:

  1. Go to Configuration > Update > GravityZone Roles page.

  2. Clear the check box Enable automatic security updates for 3rd party GravityZone components.

    Third party software patches will then be released once with the GravityZone product update.

Configuring the Update Server

By default, the Update Server downloads updates from the Internet every hour. It is recommended not to change the default Update Server settings.

To check and configure the Update Server settings:

  1. Go to the Update page in Control Center and click the Components tab.

  2. Click the Settings button at the upper side of the pane on the left side to display the Update Server Settings window.

  3. Under Update Server Configuration, you can check and configure the main settings.

    • Packages Address

      The address where packages are downloaded from.

    • Update Address

      Update Server is configured to check for and download updates from upgrade.bitdefender.com:80.

      This is a generic address that is automatically resolved to the closest server that stores Bitdefender updates in your region.

    • Port

      When configuring the various GravityZone components to update from Update Server, you must provide this port.

      The default port is 7074.

    • IP

      The IP address of the Update Server.

    • Update period (hours)

      If you want to change the update period, type a new value in this field. The default value is 1.

  4. You can configure the Update Server to automatically download the endpoint kits.

  5. Update Server can act as gateway for data sent by the Bitdefender client products installed in the network to the Bitdefender servers. This data may include anonymous reports regarding virus activity, product crash reports and data used for online registration. Enabling the gateway roles is useful for traffic control and in networks with no Internet access.

    Note

    You can disable the product modules that send statistical or crash data to Bitdefender Labs anytime you want. You can use policies to remotely control these options on the computers and virtual machines managed by Control Center.

  6. Click Save.

Downloading product updates

You can view information about the existing GravityZone component packages under the Components tab.

Available information includes current version, update version (if any) and the status for update operations you initiate.

To update a GravityZone component:

  1. Go to the Update page in Control Center and click the Components tab.

  2. Click the component you want to update in the Product list. All available versions will be displayed in the Packages table. Select the check box corresponding to the version you want to download.

    Note

    New packages will be in the Not downloaded state. Once a newer version is released by Bitdefender, the oldest undownloaded version will be removed from the table.

  3. Click Actions at the upper side of the table and select Publish. The selected version will be downloaded and the status will change accordingly. Refresh the table contents by clicking the Refresh button and check the corresponding status.

Staging updates

Staging enables you to test newer kits or product updates in an enclosed and controlled environment before publishing them in your network. The staging environment should mirror production as closely as possible for the purposes of testing. By doing this, you can maximize your chances of finding any issues that may appear in your environment, before releasing the version in production.

The staging feature also allows you to create a policy for the critical endpoints from production. You can update these endpoints only after the updates have been tested in the staging environment and on the non-critical machines from production. For more details, refer to Publishing with Update Rings.

Note

  • Staging is disabled by default.

  • Security Server (VMware with NSX) does not support staging.

  • BEST for Windows Legacy does not support staging. The legacy endpoints on staging location must be moved to the production location.

Prerequisites

Staging mode requires the GravityZone infrastructure to meet the following conditions:

  • The Update Server must be installed alone on the virtual appliance.

    If you have the Update Server together with other roles on the appliance, you must follow these steps:

    1. Delete the old Update Server role.

    2. Deploy a new GravityZone appliance.

      Important

      Do not install any roles yet.

    3. Connect the new appliance to the existing GravityZone database.

    4. Install the Update Server role on the new appliance.

    For more information on installing GravityZone roles, refer to Manage the GravityZone appliance.

  • The Update Server appliance must be of at least 120 GB.

  • The Web Console appliance must be of at least 120 GB.

Using staging

To set up the staging environment and test the latest updates you must:

Enabling staging

To enable staging mode for GravityZone updates:

  1. Go to the Configuration > Update page and click the Components tab.

  2. Click the Settings button at the upper side of the pane on the left side to display the Update Server Settings window.

  3. Select the Enable Staging check box.

  4. Under Production Server Configuration, configure the main settings:

    • Packages Address

      The address where packages are downloaded from:download.bitdefender.com/SMB/Hydra/release

    • Update Address

      The address where product updates are downloaded from:upgrade.bitdefender.com:80.

    • Port

      The default port is 7074. You cannot edit this field.

    • IP

      The IP address of the Update Server. You cannot edit this field.

    • Update period (hours)

      If you want to change the update period, type a new value in this field. The default value is 1.

  5. The production and update server can act as gateways for data sent by the Bitdefender client products installed in the network to the Bitdefender servers. This data may include anonymous reports regarding virus activity, product crash reports and data used for online registration. Enabling the gateway roles is useful for traffic control and in networks with no Internet access.

    Note

    You can disable the product modules that send statistical or crash data to Bitdefender Labs anytime you want. You can use policies to remotely control these options on the computers and virtual machines managed by Control Center.

  6. Under Staging Server Configuration, configure the following options:

    • Port

      The default port is 7077.

    • IP

      The IP address of the Update Server. You cannot edit this field.

  7. Under Packages, you can configure Update Server to automatically download and publish endpoint kits.

    staging_packages_auto.png

    You can also configure the maximum number of kits that you can store on the GravityZone appliance. Enter a number between 4 and 10 in the Keep maximum (kits) menu.

  8. Under Products Update, you can configure Update Server to automatically download updates for security agents.

    update_staging_rings.png

    You can choose to also automatically publish newest downloaded versions:

    1. Select at least one security agent from the available list.

    2. Define the source and destination rings:

    • Source ring. The ring used to send the updates in the staging environment. When a version is validated by its early adopters it will be published on the slow ring. This is the default value. The newest available updates will be published on the fast ring.

    • Destination ring. The ring used to publish the updates in production. You can select between fast and slow.

    You can also configure the maximum number of updates that you can store on the GravityZone appliance. Enter a number between 4 and 10 in the Keep maximum (updates) menu.

  9. Click Save.

Once enabled staging, build your staging environment to start testing the available product kits and updates.

Important

Disabling staging will delete all unpublished packages and product updates.

Defining the staging policy

You need to define a staging policy:

  1. Go to the Policies page.

  2. Select or create a policy to use in the test environment.

  3. Under the General > Update section, enter the Staging Server address in the Update Locations table.

  4. Configure the other policy settings as needed. For more details, refer to the Security Policies chapter from the GravityZone Administrators Guide.

  5. Click Save.

Staging packages

To install the latest package on the testing endpoints:

  1. Go to the Configuration > Update page and select the Components tab.

  2. Click Check for updates to make sure you view the latest released product version.

  3. Click the component you want to update in the Product list.

  4. Select a package available in the Packages table, which you want to test. You can download several kits for every product, up to the limit specified in the Update Server Settings window. When this limit is reached, the oldest version is removed from the table.

  5. Click Actions and select Download to get the package to your GravityZone appliance.

  6. Having the package selected, click Save to disk. The package configuration window is displayed.

  7. Configure the package. For more information, refer to Creating Installation Packages.Installing security agents

  8. Install the kit on the testing endpoints.

  9. Monitor the behavior of the endpoints.

  10. If the package has installed successfully and the endpoints have normal behavior, you can publish the package to the production network.

    To publish a package, select it in the Packages table, click Actions at the upper side of the table and select Publish.

    Important

    You cannot publish packages older than the one already published.

  11. If you encountered problems with the package, you can log a support ticket. For more details, refer to Getting Help.Getting help

    To delete a package from the GravityZone appliance, click the Actions button and choose Delete from disk.

Assigning the staging policy

To assign the staging policy to the testing endpoints:

  1. Go to the Network page.

  2. Choose Computers and Virtual Machines from the views selector.

  3. Select the group that you want from the left-side pane. All computers from the selected group are displayed in the right-side pane table.

  4. Select the check box of the computer or group that you want. You can select one or several objects of the same type only from the same level.

  5. Click the policy.png Assign Policy button at the upper side of the table.

  6. Make the necessary settings in the Policy assignment window. For more information, refer to Security Policies > Managing Policies > Assigning Policies to Endpoints chapter from the GravityZone Administrators Guide.

Staging product updates

To install the latest updates:

  1. Go to the Configuration > Update page and select the Components tab.

  2. Click Check for updates to make sure you view the latest released product update.

  3. Select the Bitdefender product of your choice in the Product list.

    Note

    You can use staging only with updates for security agents and not for Security Servers.

  4. Select an update available in the Updates table, which you want to test.

  5. Click Actions and select Download to get the update to your GravityZone appliance.

    You can download several updates for every product, up to the limit specified in the Update Server Settings window. When this limit is reached, the oldest version is removed from the table.

  6. Having an update selected, click Actions and select Add to staging. The update will install on the testing endpoints, according to the policy settings. For more details refer to Defining the Staging Policy.

  7. If the update has installed successfully and the endpoints have normal behavior, start to send out the update to the machines in production. First, update the non-critical machines to run another test before updating the critical endpoints. For more details, refer to Publishing with Update Rings.

  8. If you encountered problems with the update, you can log a support ticket. For more details, refer to Getting Help.Getting help

    To delete an unpublished update from the GravityZone appliance, click the Actions button and choose Delete. You can delete only unpublished updates.

Publishing with update rings

To test the update on the non-critical endpoints from production, you must first edit the existing policies and assign them a fast ring policy.

Note

A slow ring policy is automatically assigned for all the policies you create.

  1. Go to the Policies page.

  2. Edit the policy setting for the non-critical endpoints in production. In the Update Ring section select Fast ring.

    Note

    The update published on fast ring cannot be older than the one published on the slow ring.

  3. Publish the update on the fast ring:

    1. Go to Configuration > Update page and select the Components tab.

    2. Select the update in the Updates table, click the Actions button at the upper side of the table and choose Publish.

    3. Select the fast ring option.

      Note

      When you first publish an update, it will be available on the fast and slow rings.

      At this point, all endpoints with fast ring policy are being updated to the published version.

  4. Monitor the behavior of the fast ring endpoints.

  5. If the update has installed successfully and the endpoints have normal behavior, you can publish the update on the slow ring:

    1. Go to Configuration > Update page and select the Components tab.

    2. Select the update in the Updates table, click the Actions button at the upper side of the table and choose Publish.

    3. Select the slow ring option.

      Every endpoint from production is now updated to the version you published.

  6. If you encountered problems with the package, you can log a support ticket. For more details, refer to TECHNICAL SUPPORT.TECHNICAL SUPPORT

Product offline updates

GravityZone uses by default an update system connected to the Internet. For isolated networks, Bitdefender offers an alternative, making the components and security content updates available offline as well.

Prerequisites

To use offline updates, you need:

  • A GravityZone instance installed in a network with internet access (“online instance”). The online instance must have:

  • One or several GravityZone instances installed in a network without internet access (“offline instances”)

  • Both GravityZone instances must have the same appliance version

Setting up the online GravityZone instance

During this phase, you will deploy a GravityZone instance to a network with internet access, and then configure it to perform as offline update server.

  1. Deploy GravityZone to a machine with internet connection.

  2. Install only the Database and Update Server roles.

  3. Access the machine's TTY terminal in your virtual environment (or connect to it via SSH).

  4. Log in with the bdadmin user and the password you have set.

  5. Run the command sudo su to gain root privileges.

  6. Run the following commands to install the offline gzou-mirror package:

    # /opt/bitdefender/bin/pkg-update update # gzcli update # apt-get install gzou-mirror

The gzou-mirror has the following roles:

  • Configure the Update Server to generate automatically offline update archives.

  • Set up a web service to the online instance, providing configuration and download options for the offline update archives.

Configuring and downloading the initial update files

During this phase, you will configure the update archive settings via the web service installed on the online instance, and then create the archive files required for setting up the offline update.offline.offline instance. Then, you will have to download the update files and place them to a portable media device (USB stick).

  1. Access the web service through a URL of this form: https://Online-Instance-Update-Server-IP-or-Hostname, with the username bdadmin and the password you have set.

    offline-upd_web-service.png
  2. Configure the offline update archive as follows:

    • Under Kits: select the endpoint agent kits you want to include in the offline update archive.

    • Under Settings, edit your update archive preferences.

      A CRON job installed on the online instance will check every minute if there are new update files available and if the free disk space is bigger than 10GB. At each period set by the Archive creation interval (in hours) option, the CRON job will create the following files:

      • Full archive (product + security content), when new update files are available

      • Lite archive (security content only), when there are no new update files

      The archives will be created in the following location:

      https://Online-Instance-Update-Server-IP-or-Hostname/snapshots

  3. Click Create > Full archive to create the first full archive. Wait until the archive is created.

    offline-upd_web-service_create.png
  4. Download the full update archive and the gzou-bootstrap file from the online instance. You have several options at hand:

    • Via the web service: click Download archives to access the page containing the links to the update files. Click the full update archive and the gzou-bootstrap file links to download them on your endpoint.

    • Use your preferred SCP/SCTP client (WinSCP, for example) to establish a SCP session with the online instance and transfer the abovementioned files to any location in your online network. The default path on the online instance is:

      /opt/bitdefender/share/gzou/snapshots

      offline-upd_scp.png
    • Via SAMBA share. Use a read-only SAMBA share to retrieve the offline update archives from the following location:

      \\Online-Instance-Update-Server-IP-or-Hostname\gzou-snapshots

      Note

      The credentials for accessing the SAMBA share, if requested, are the same with the online instance credentials (bdadmin user and password).

Setting up the offline GravityZone instance

During this step, you will deploy and configure the offline instance to receive updates via the archives generated by the online instance. Unless stated otherwise, all commands must be run as root.

  1. Deploy GravityZone to a machine from the isolated environment.

  2. Install only the Database and Update Server roles.

  3. Transfer the update archive and the gzou-bootstrap file downloaded from the online instance to the /home/bdadmin directory of the offline instance using a portable media device (USB stick).

    Important

    For the offline update to work, make sure that:

    • The update archive and the gzou-bootstrap are in the same folder.

    • The update archive is a full archive.

  4. Execute the gzou-bootstrap file as follows:

    1. Access the machine's TTY terminal in your virtual environment (or connect to it via SSH).

    2. Transform gzou-bootstrap into an executable:

      #chmod +x gzou-bootstrap       
    3. Run: ./gzou-bootstrap

  5. Choose the method of transferring the update archives to the offline instance:

    • Select Windows shared folder (Samba share). In this case, you will have to specify the path to a Windows share from the isolated network, where the offline instance will automatically connect to retrieve the update archives. Enter the credentials required to access the specified location.

    • Select SCP if you will manually transfer the files to the /opt/bitdefender/share/gzou/snapshots/ folder of the offline instance via SCP.

      offline-upd_reconfig.png

      Note

      If you want to change the transfer method at a later time:

      1. Access the offline instance's TTY terminal in your virtual environment (or connect to it via SSH).

      2. Log in with the bdadmin user and the password you have set.

      3. Run the command sudo su to gain root privileges.

      4. Run:

        # rm -f /opt/bitdefender/etc/gzou-target.json # dpkg-reconfigure gzou-target

        The configuration dialog will appear, where you can make the changes that you want.

  6. Switch to the offline GravityZone console command line and install the rest of the roles.

  7. Access the offline console from your web browser and insert your license key (in offline mode).

Using offline updates

Once you have set up the GravityZone instances, follow these steps to update your offline installation:

  1. Download the latest offline update archive from the online instance to your preferred network share. For more details, refer to Configuring and downloading the initial update files.

  2. Use a USB stick to transfer the update archive to the configured Samba share from the isolated network. For more details, refer to Setting Up the Offline GravityZone Instance.

    The files will be automatically pulled into the following offline instance directory:

    /opt/bitdefender/share/gzou/snapshots/

Using the web console

Access the web console by entering the IP/Hostname of the appliance in the web browser. You can edit the available options:

  • Control Center

  • General Settings

Control Center

The Appliance Status displays the details of the last job performed (archive type, date and time), and the next scheduled job.

You have the option to:

  • Create security content archive

  • Create full archive

In the Created Archives section, you can download security content and full archives.

Select the archive(s) from the available list, and click the Download button.

You can also view the available space on the appliance disk.

General settings

You can define a download schedule for the GravityZone kits.

  1. Click the Edit Settings button.

  2. Select one or more kits from the Available Kits list.

  3. In the Schedule section, you can define an interval for creating the archives, as well as the number of archives to keep on disk.

  4. Click the Apply button to save your changes.