Version: 8.4

Patch Management for Air Gap Networks

Air gap networks are closed networks with no interface connected to the outside world (the Internet). Resources are generally kept in such an isolated network to protect them from vulnerabilities. Hence, if a machine is placed in an air gap network, a physical medium, such as a CD or USB drive, is required to transfer data to and from it manually.

The architecture and procedure below explain how patch management works in such an environment.

Architecture

[Figure: Architecture]

As shown above, when the ServiceOps application is installed in a closed network,

  1. The Patch Sync Application should be installed on a separate machine that has an Internet connection.
  2. Once installed, sync the patch database to download the patches for the required OS.
  3. Copy the database to a physical drive, such as a CD or USB drive, and manually move it to the ServiceOps server.
  4. ServiceOps scans for and discovers the missing patches. Export the missing patch details, copy them to the physical drive, and carry them to the Patch Sync Application.
  5. Download the patches from the Internet, copy them to the physical drive, and then transfer them to the ServiceOps server again.

Here, the Patch Management Utility application is installed on a computer that has an Internet connection, so that it can import and download the patches for the ServiceOps application located in the closed network.

Procedure

To perform patch management in a closed network, follow the steps below:

  1. Download the PatchManagementUtility.exe file on the computer that has an Internet connection.

    Note: The free space required on the target machine depends on the patches to be downloaded.

  2. Run the .exe file with administrator rights.

  3. The following screen appears. Register the user by entering the below details:

    • Name: Name of the client.
    • Email: Email address of the client.
    • Activation Code: Agent activation code can be taken from the ServiceOps > Admin Settings > Organization > Account > License Details page.

    Register User

    Once done, click Register, and a confirmation message "User Registered!" will appear. Click OK, and the following screen appears.

  4. In the Patch Sync tab,

    Patch Sync Tab

    1. Create a folder in your system to store the Patch DB Dump.
    2. Once created, select the location (1) where the Patch DB Dump should be downloaded. Here, the "PatchDbDumpLocation" folder is used.
    3. Select the OS (2) for which you want to download the Patch DB Dump. You can select multiple OS.
    4. Click Get DB (3) to start the Patch DB download process. Once the patches are downloaded from the Central Patch Repository, you will get a zip file. Copy the zip file into a physical drive and upload it to the ServiceOps server.

    Tip: Patch Sync configuration is a one-time process.

  5. On the ServiceOps server, upload the zip file to the location below.

    /opt/flotomate/main-server/config

  6. Unzip the file and grant the fmt user permission on the airgap folder using the command below.

    chown -R fmtuser:fmtusergroup airgap

  7. In ServiceOps, sync the patch database from Admin > Patch Management > Patch Settings > Update Patch Database tab.

Sync Patch in ServiceOps

  8. Once the patch sync process is completed, add the computers to the End Points Scope.

Add Computers

  9. Next, navigate to the Patch Management > Patches page. Check for the missing patches and download them by clicking the Download Patch icon. A JSON file will be downloaded.

Download Missing Patches

  10. In the Patch Sync application, in the Patch Download tab, select the JSON file received from ServiceOps using the Browse button (1), and click Import (2). Here, the "unix_centos.json" file is used as an example. Once done, the patch list will appear in the pane below (3).

Import Patches

  11. Next, create a folder on the system to save the downloaded patches. Here, the "PatchDownload" folder is used.
  12. Select the patches to be downloaded (1), click Browse (2) to select the Download Location (3), and click Download. The imported patches will be downloaded to the selected folder.

Download Patches

  13. Once downloaded, you can view the report by clicking the View Report button. You can also view the failed patches by enabling the Show Failed Record option.

View Report

  14. Next, on the ServiceOps server, check whether the tenant folder exists in the filedb folder. If not, create it using the command below and grant the fmt user permission on it.

    mkdir {tenant-name}

  15. Once the tenant folder is created, create the patch folder in it using the command below.

    mkdir {patch-folder-name}

  16. Next, copy the downloaded zip file to a physical drive, upload it to the main server, and move it to the path below for the ServiceOps application in the air gap network.

    /opt/flotomate/fileserver/filedb/{tenant_name}/patch

  17. Next, unzip the file.

  18. Now you can deploy the patches and carry out the patch management process in a closed network.
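
The procedure carries two zip archives across the air gap on removable media (the Patch DB Dump uploaded to /opt/flotomate/main-server/config, and the downloaded patches uploaded to the filedb patch folder) and unzips both on the server. As an added example that is not part of the ServiceOps documentation or tooling, the script below checks an archive's SHA-256 digest and rejects path-traversal entries before extracting it. The function names, the script name, the mount path and the practice of recording a digest on the Internet-connected machine are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of ServiceOps: verify and safely extract an archive
# carried across the air gap. Function names are hypothetical; recording a
# SHA-256 digest on the Internet-connected machine is an assumed extra step.

# Print the SHA-256 hex digest of a file (sha256sum, or shasum where absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the expected hex digest.
verify_sha256() {
    local expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1") || return 2
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read archive entry names on stdin; print those that could escape the
# extraction directory (absolute paths or a ".." path component).
unsafe_entries() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Verify digest and archive structure, refuse traversal entries, then extract.
stage_archive() {
    local zip digest dest bad
    zip=$1 digest=$2 dest=$3
    verify_sha256 "$zip" "$digest" || { echo "digest mismatch: $zip" >&2; return 1; }
    unzip -tq "$zip" >/dev/null || { echo "corrupt archive: $zip" >&2; return 1; }
    bad=$(unzip -Z1 "$zip" | unsafe_entries)
    [ -z "$bad" ] || { printf 'unsafe entries:\n%s\n' "$bad" >&2; return 1; }
    unzip -q "$zip" -d "$dest"
}

# Usage on the ServiceOps server, saved under the hypothetical name stage.sh
# (archive name, mount path and digest are placeholders):
#   cd /opt/flotomate/main-server/config
#   ./stage.sh /media/usb/<patch-db-dump>.zip <sha256-from-connected-machine> . \
#       && chown -R fmtuser:fmtusergroup airgap
if [ "$#" -eq 3 ]; then
    stage_archive "$@"
fi
```

The digest should travel separately from the archive (for example, written down or on a second medium), since a digest stored beside the archive on the same drive can be altered along with it.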