
Update GravityZone products offline

The GravityZone default update system requires an internet connection. When using GravityZone in an isolated network, you need to make the components and signature updates available offline as well. The information below helps you configure a GravityZone offline update system for an isolated network environment.

To update one or several offline GravityZone instances located in an isolated network, you will need an additional online GravityZone instance deployed in a network with internet access, referred to below as the “online instance”. The online instance will serve as an update source for the offline instances.

First, you will have to run an initial setup of both the online and offline instances. Once the offline update system is ready, you will be able to regularly update your isolated GravityZone environment.


Prerequisites

  • A GravityZone instance installed in a network with internet access (online instance). The online instance must have:

  • One or several GravityZone instances installed in a network without internet access (offline instances).

  • A separate offline license key for each offline GravityZone instance. The offline key is generated upon request by Bitdefender and is based on your original license key.

  • Both GravityZone instances must have the same appliance version.

Best practices

  • It is recommended to include in the full archive only installation kits for the operating systems used in your environment. Selecting kits for all types of systems increases the archive size.

    The estimated size for each archive is the following:

    • Lite archive may require 2.5 GB.

    • Full archive may require 15 GB (if you select only BEST Windows and BEST Linux kits).

  • It is recommended to exclude Security Server kits from the full archive if the endpoints in your environment are not configured to use Remote Scan as scan type.

  • It is recommended to upload the update archives to the offline instance as follows:

    • Lite archive: upload at least daily or as often as possible.

    • Full archive: upload once a month or whenever important GravityZone or BEST updates are released. For more information, refer to Release notes.

  • It is recommended to maintain only one full archive and one lite archive on your appliance at the same time.

Set up the online GravityZone instance

During this phase, you will deploy a GravityZone instance to a network with internet access, and then configure it to act as an offline update server.

  1. Deploy the latest GravityZone image to a machine with internet connection.

    Warning

    You need to do this every time you want to update GravityZone in the offline environment.

  2. Select the Advanced Settings option.

  3. Install only the Database Server and Update Server roles.

  4. Access the machine’s TTY terminal in your virtual environment (or connect to it via SSH).

  5. Log in with the bdadmin user and the password you have set.

  6. Run the command sudo su to gain root privileges.

  7. Run the following commands to install the offline gzou-mirror package:

    # apt update

    # gzcli update

    # apt install gzou-mirror

    The gzou-mirror package has the following roles:

    • Configure the Update Server to permanently maintain the selected components in sync with Bitdefender Online Servers.

    • Set up a web service to the online instance, providing configuration and download options for the offline update archives.

Configure and download the initial update files

During this phase, you will configure the update archive settings via the web service installed on the online instance, and then create the archive files required for setting up the offline instance. Then, you will have to download the update files and place them on a portable media device (USB stick).

  1. Access the web service through a URL of this form: https://Online-Instance-Update-Server-IP-or-Hostname, with the username bdadmin and the password you have set.

  2. Configure the offline update archive as follows:

    • Under Components > Security Agents select the security agent kits, product updates, and signature updates you want to include in the offline update archive.

    • Under Components > Security Servers select the Security Server kits, product updates, and signature updates you want to include in the offline update archive.

    • Under Settings, edit your update archive preferences.

      A CRON job installed on the online instance will check every day for available updates (kits, product updates, signature updates). A second CRON job will check every minute if new lite or full archives should be created based on the selected time interval and if there is enough free disk space available.

      You can use the Full Archive creation interval (in days) and Lite Archive creation interval (in hours) options to set time intervals at which the CRON job will create the following archives:

      • Full archive (selected product updates + signature updates + install kits + Debian repositories)

      • Lite archive (selected signature updates)

      To keep previously downloaded installation kits on disk regardless of your current kit selection, use the option Keep previous files on disk, regardless of selected kits.

  3. Click Create > Full archive to create the first full archive. Wait until the archive is created.

    All archives are created in the following location:

    https://Online-Instance-Update-Server-IP-or-Hostname/snapshots

  4. Download the full update archive and the gzou-bootstrap file from the online instance. You have several options at hand:

    • Via the web service: click Download archives to access the page containing the links to the update files. Click the full update archive and the gzou-bootstrap file links to download them to your endpoint.

    • Use your preferred SCP/SFTP client (WinSCP, for example) to establish an SCP session with the online instance and transfer the above-mentioned files to any location in your online network. The default path on the online instance is:

      /opt/bitdefender/share/gzou/snapshots

    • Via SAMBA share. Use a read-only SAMBA share to retrieve the offline update archives from the following location:

      \\Online-Instance-Update-Server-IP-or-Hostname\gzou-snapshots

      Note

      The credentials for accessing the SAMBA share, if requested, are the same as the online instance credentials (bdadmin user and password).

Set up the offline GravityZone instance

During this phase, you will deploy and configure the offline instance to receive updates via the archives generated by the online instance. Unless stated otherwise, all commands must be run as root.

  1. Deploy GravityZone to a machine from the isolated environment.

  2. Install only the Database Server and Update Server roles.

  3. Transfer the update archive and the gzou-bootstrap file downloaded from the online instance to the /home/bdadmin directory of the offline instance using a portable media device (USB stick).

    Important

    For the offline update to work, make sure that:

    • The update archive and the gzou-bootstrap file are in the same folder.

    • The update archive is a full archive.

  4. Execute the gzou-bootstrap file as follows:

    1. Access the machine's TTY terminal in your virtual environment (or connect to it via SSH).

    2. Make the gzou-bootstrap file executable: chmod +x gzou-bootstrap

    3. Run: ./gzou-bootstrap

  5. Choose the method of transferring the update archives to the offline instance:

    1. Select Windows shared folder (Samba share). In this case, you will have to specify the path to a Windows share from the isolated network, where the offline instance will automatically connect to retrieve the update archives. Enter the credentials required to access the specified location.

    2. Select SCP if you will manually transfer the files to the /opt/bitdefender/share/gzou/snapshots/ folder of the offline instance via SCP.

      Note

      If you want to change the transfer method at a later time:

      1. Access the offline instance's TTY terminal in your virtual environment (or connect to it via SSH).

      2. Log in with the bdadmin user and the password you have set.

      3. Run the command sudo su to gain root privileges.

      4. Run:

        rm -f /opt/bitdefender/etc/gzou-target.json

        dpkg-reconfigure gzou-target

        A configuration dialog will appear where you can make the changes that you want.

  6. Switch to the offline GravityZone console command line and install the rest of the roles.

  7. Access the offline console from your web browser and insert your license key (in offline mode).
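
One way to confirm that the files carried on the USB stick in step 3 are the ones downloaded from the online instance, before gzou-bootstrap is run as root. This is an added example, not part of the Bitdefender tooling: the manifest name gzou-transfer.sha256 and both function names are assumptions, and GNU sha256sum is assumed on both sides.

```shell
#!/usr/bin/env bash
# Added example, not Bitdefender tooling. MANIFEST and both function names
# are hypothetical; the archive keeps whatever name the online instance gave it.
MANIFEST="gzou-transfer.sha256"

# Online side: run on the folder holding the downloaded full archive and
# gzou-bootstrap. Writes one SHA-256 line per visible regular file.
make_manifest() {
    ( cd "$1" || exit 1
      find . -maxdepth 1 -type f ! -name '.*' ! -name "$MANIFEST" -print0 |
          LC_ALL=C sort -z | xargs -0 -r sha256sum > "$MANIFEST" )
}

# Offline side: run on /home/bdadmin before chmod +x gzou-bootstrap.
# Exit status: 0 ok, 2 no manifest, 3 gzou-bootstrap missing,
# 4 hash mismatch or listed file missing, 5 unlisted file in the folder.
verify_transfer() {
    ( cd "$1" || exit 1
      [ -f "$MANIFEST" ] || { echo "no $MANIFEST in $1" >&2; exit 2; }
      [ -f gzou-bootstrap ] || { echo "gzou-bootstrap not beside the archive" >&2; exit 3; }
      sha256sum --check --strict --quiet "$MANIFEST" || exit 4
      # File names start at column 67 of each "hash  ./name" line.
      listed=$(cut -c67- "$MANIFEST" | LC_ALL=C sort)
      present=$(find . -maxdepth 1 -type f ! -name '.*' ! -name "$MANIFEST" | LC_ALL=C sort)
      [ "$listed" = "$present" ] || { echo "folder holds files not in manifest" >&2; exit 5; }
    )
}

# Usage: <script> make <dir>   or   <script> verify <dir>
case "${1:-}" in
    make)   make_manifest "$2" ;;
    verify) verify_transfer "$2" ;;
esac
```

A manifest that travels on the same stick only catches corruption and mixed-up files; to detect tampering, compare the manifest's own SHA-256 against a value carried by a separate channel.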

Using offline updates

Once you have set up the GravityZone instances, follow these steps to update your offline installation:

  1. Download the latest GravityZone image from here.

  2. Set up the online instance as described in Set up the online GravityZone instance.

  3. Download the latest offline update archive from the online instance to your preferred network share, as described in Configure and download the initial update files.

  4. Use a USB stick to transfer the update archive to the configured Samba share from the isolated network, as described in Set up the offline GravityZone instance.

    The files will be automatically pulled into the following offline instance directory:

    /opt/bitdefender/share/gzou/snapshots/