Update GravityZone products offline
The GravityZone default update system requires an internet connection. When using GravityZone in an isolated network, you need to make the component and signature updates available offline as well. This page explains how to configure a GravityZone offline update system for an isolated network environment.
To update one or several offline GravityZone instances located in an isolated network, you need an additional online GravityZone instance deployed in a network with internet access, referred to below as the “online instance”. The online instance serves as an update source for the offline instances.
First, you run an initial setup of both the online and offline instances. Once the offline update system is ready, you can regularly update your isolated GravityZone environment.
Prerequisites
A GravityZone instance installed in a network with internet access (online instance). The online instance must have:
Internet access (direct or via proxy)
Access on ports 80 and 443 (for more about the ports used by GravityZone, see GravityZone (on-premises) communication ports).
Only the Database Server and Update Server installed roles.
One or several GravityZone instances installed in a network without internet access (offline instances).
A separate offline license key for each offline GravityZone instance. The offline key is generated upon request by Bitdefender and is based on your original license key.
Both GravityZone instances must have the same appliance version.
Best practices
It is recommended to include in the full archive only installation kits for the operating systems used in your environment. Selecting kits for all types of systems increases the archive size.
The estimated size for each archive is the following:
Lite archive may require 2.5 GB.
Full archive may require 15 GB (if you select only BEST Windows and BEST Linux kits).
It is recommended to exclude Security Server kits from the full archive if the endpoints in your environment are not configured to use Remote Scan as scan type.
It is recommended to upload the update archives to the offline instance as follows:
Lite archive: upload at least daily or as often as possible.
Full archive: upload once a month or whenever important GravityZone or BEST updates are released. For more information, refer to Release notes.
It is recommended to maintain only one full archive and one lite archive on your appliance at the same time.
Set up the online GravityZone instance
During this phase, you will deploy a GravityZone instance to a network with internet access, and then configure it to perform as an offline update server.
Deploy the latest GravityZone image to a machine with an internet connection.
Warning
You need to do this every time you want to update GravityZone in the offline environment.
Select the Advanced Settings option.
Install only the Database Server and Update Server roles.
Access the machine’s TTY terminal in your virtual environment (or connect to it via SSH).
Log in with the bdadmin user and the password you have set.
Run the command sudo su to gain root privileges.
Run the following commands to install the offline gzou-mirror package:
# apt update
# gzcli update
# apt install gzou-mirror
The gzou-mirror package has the following roles:
Configure the Update Server to permanently maintain the selected components in sync with Bitdefender Online Servers.
Set up a web service for the online instance, providing configuration and download options for the offline update archives.
Configure and download the initial update files
During this phase, you will configure the update archive settings via the web service installed on the online instance, and then create the archive files required for setting up the offline instance. Then, you will have to download the update files and place them on a portable media device (USB stick).
Access the web service through a URL of this form: https://Online-Instance-Update-Server-IP-or-Hostname, with the username bdadmin and the password you have set.
Configure the offline update archive as follows:
Under Components > Security Agents select the security agent kits, product updates, and signature updates you want to include in the offline update archive.
Under Components > Security Servers select the Security Server kits, product updates, and signature updates you want to include in the offline update archive.
Under Settings, edit your update archive preferences.
A CRON job installed on the online instance will check every day for available updates (kits, product updates, signature updates). A second CRON job will check every minute if new lite or full archives should be created based on the selected time interval and if there is enough free disk space available.
You can use the Full Archive creation interval (in days) and Lite Archive creation interval (in hours) options to set time intervals at which the CRON job will create the following archives:
Full archive (selected product updates + signature updates + install kits + Debian repositories)
Lite archive (selected signature updates)
To keep previously downloaded installation kits on disk regardless of your current kit selection, use the option Keep previous files on disk, regardless of selected kits.
Click Create > Full archive to create the first full archive. Wait until the archive is created.
All archives are created in the following location:
https://Online-Instance-Update-Server-IP-or-Hostname/snapshots
Download the full update archive and the gzou-bootstrap file from the online instance. You have several options at hand:
Via the web service: click Download archives to access the page containing the links to the update files. Click the full update archive and the gzou-bootstrap file links to download them on your endpoint.
Use your preferred SCP/SCTP client (WinSCP, for example) to establish an SCP session with the online instance and transfer the above-mentioned files to any location in your online network. The default path on the online instance is:
/opt/bitdefender/share/gzou/snapshots
Via SAMBA share. Use a read-only SAMBA share to retrieve the offline update archives from the following location:
\\Online-Instance-Update-Server-IP-or-Hostname\gzou-snapshots
Note
The credentials for accessing the SAMBA share, if requested, are the same as the online instance credentials (bdadmin user and password).
Set up the offline GravityZone instance
During this phase, you will deploy and configure the offline instance to receive updates via the archives generated by the online instance. Unless stated otherwise, all commands must be run as root.
Deploy GravityZone to a machine from the isolated environment.
Install only the Database Server and Update Server roles.
Transfer the update archive and the gzou-bootstrap file downloaded from the online instance to the /home/bdadmin directory of the offline instance using a portable media device (USB stick).
Important
For the offline update to work, make sure that:
The update archive and the gzou-bootstrap file are in the same folder.
The update archive is a full archive.
Execute the gzou-bootstrap file as follows:
Access the machine's TTY terminal in your virtual environment (or connect to it via SSH).
Transform the gzou-bootstrap file into an executable:
chmod +x gzou-bootstrap
Run:
./gzou-bootstrap
Choose the method of transferring the update archives to the offline instance:
Select Windows shared folder (Samba share). In this case, you will have to specify the path to a Windows share from the isolated network, where the offline instance will automatically connect to retrieve the update archives. Enter the credentials required to access the specified location.
Select SCP if you will manually transfer the files to the /opt/bitdefender/share/gzou/snapshots/ folder of the offline instance via SCP.
Note
If you want to change the transfer method at a later time:
Access the offline instance's TTY terminal in your virtual environment (or connect to it via SSH).
Log in with the bdadmin user and the password you have set.
Run the command sudo su to gain root privileges.
Run:
rm -f /opt/bitdefender/etc/gzou-target.json
dpkg-reconfigure gzou-target
A configuration dialog will appear where you can make the changes that you want.
Switch to the offline GravityZone console command line and install the rest of the roles.
Access the offline console from your web browser and insert your license key (in offline mode).
Using offline updates
Once you have set up the GravityZone instances, follow these steps to update your offline installation:
Download the latest GravityZone image from here.
Set up the online instance as described in Set up the online GravityZone instance.
Download the latest offline update archive from the online instance to your preferred network share, as described in Configure and download the initial update files.
Use a USB stick to transfer the update archive to the configured Samba share from the isolated network, as described in Set up the offline GravityZone instance.
The files will be automatically pulled into the following offline instance directory:
/opt/bitdefender/share/gzou/snapshots/
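The transfer steps above carry the update archive and the gzou-bootstrap file across the air gap on a USB stick, and gzou-bootstrap is then executed as root. The following is an added example, not Bitdefender tooling and not part of the original page: a SHA-256 manifest written next to the files on the online side and checked on the offline side before anything is made executable. The manifest name SHA256SUMS and the function names are assumptions, and the archive file name is passed in because the page does not state the naming scheme.

```shell
#!/bin/sh
# Added example: integrity check for files carried across the air gap.
# Assumes GNU coreutils sha256sum, as found on Debian-based appliances.

# make_manifest DIR FILE...
# Run on the online side: writes DIR/SHA256SUMS covering the named files.
make_manifest() {
    dir=$1; shift
    ( cd "$dir" && sha256sum -- "$@" > SHA256SUMS )
}

# verify_transfer DIR ARCHIVE
# Run on the offline side before "chmod +x gzou-bootstrap".
# Returns 0 only if ARCHIVE and gzou-bootstrap are both present in DIR
# (the page requires them to be in the same folder), both are listed in
# the manifest, and every listed hash matches.
#   2 = a required file is missing
#   3 = a required file is not covered by the manifest
#   4 = at least one hash does not match
verify_transfer() {
    dir=$1; archive=$2
    for f in "$archive" gzou-bootstrap SHA256SUMS; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 2; }
    done
    # A file absent from the manifest would otherwise pass unverified.
    # Manifest lines are "<64 hex chars><2 separator chars><name>".
    for f in "$archive" gzou-bootstrap; do
        cut -c67- "$dir/SHA256SUMS" | grep -Fxq -- "$f" \
            || { echo "not in manifest: $f" >&2; return 3; }
    done
    ( cd "$dir" && sha256sum -c SHA256SUMS ) >&2 || return 4
    return 0
}

# Usage (file name is a placeholder for the downloaded full archive):
#   online side : make_manifest /path/to/download-dir FULL-ARCHIVE gzou-bootstrap
#   offline side: verify_transfer /home/bdadmin FULL-ARCHIVE && chmod +x gzou-bootstrap
```

A manifest stored on the same USB stick detects corruption in transit, but it detects deliberate modification only if its own hash is compared against a value carried separately from the stick.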