Version: 8.4.X

Patch Management for Air Gap Networks

Air gap networks are closed networks with no interface connected to the outside world (the Internet). Resources are generally kept in such an isolated network to protect them from vulnerabilities. Hence, to move data to or from a machine placed in such a network, a physical medium, like a CD/USB drive, is required, and the transfer is done manually.

The architecture and procedure below describe how patch management works in such an environment.

Architecture

As shown above, when the ServiceOps application is installed in a closed network,

  1. The Patch Sync Application should be installed on a separate machine that has an Internet connection.
  2. Once installed, sync the patch database to download the patches for the required OS.
  3. Copy the database to a physical drive like a CD/USB drive and manually move it to the ServiceOps server.
  4. In ServiceOps, the missing patches will be scanned and discovered. Then, copy these into the physical drive and export the missing patch details to the patch sync application.
  5. Download the patches from the Internet, copy them to the physical drive, and then transfer them to the ServiceOps server again.

Here, the Patch Management Utility application is installed on a computer that has an Internet connection, and is used to import and download the patches for the ServiceOps application located in the closed network.

Procedure

To perform patch management in a closed network, follow these steps:

  1. Download the PatchManagementUtility.exe file on the computer that has an Internet connection.

    Note: The free space required in the target machine is based on the patches to be downloaded.

  2. Run the .exe file with administrator rights.

  3. The following screen appears. Register the user by entering the below details:

    • Name: Name of the client.
    • Email: Email address of the client.
    • Activation Code: Agent activation code can be taken from the ServiceOps > Admin Settings > Organization > Account > License Details page.

    Register User

    Once done, click Register, and a confirmation message "User Registered!" will appear. Click OK, and the following screen appears.

  4. In the Patch Sync tab,

    Patch Sync Tab

    1. Create a folder in the 'C' drive of your system to store the Patch DB Dump.

      Note: The folder name should not contain spaces.

    2. Once created, select the location (1) where the Patch DB Dump should be downloaded. Here, the "PatchDownload" folder is used.

    3. Select the OS (2) for which you want to download the Patch DB Dump. You can select multiple OS.

    4. Click Get DB (3) to start the Patch DB download process. Once the patches are downloaded from the Central Patch Repository, you will get a .7z file. Copy the file into a physical drive and upload it to the ServiceOps server.

    Tip: Patch Sync configuration is a one-time process.

  5. On the ServiceOps server, upload the .7z file to the following location.

    /opt/flotomate/main-server/config

  6. Unzip the file using the below command:

    Syntax for Ubuntu: 7z x {filename}

    Example: 7z x airgappatch.7z

  7. Grant fmt user permission to the file using the below command.

    Syntax: chown -R fmtuser:fmtusergroup {filename}

    Example: chown -R fmtuser:fmtusergroup airgappatch

  8. In ServiceOps, sync the patch database manually using the Update Now button from Admin > Patch Management > Patch Settings > Update Patch Database tab.

    Note: Schedule and Third-Party patch flags must be disabled.

Sync Patch in ServiceOps

  9. Once the patch sync process is completed, add Computers to the End Points Scope.

Add Computers

  10. Next, navigate to the Patch Management > Patches page. Check for the missing Patches and download them by clicking the Download Patch icon. A JSON file containing the list of patches will be downloaded.

Download Missing Patches

  11. In the Patch Sync application, in the Patch Download tab,

    Select the JSON file received from ServiceOps, using the Browse button (1), and click Import (2). Here, the "unix_centos.json" file is used as an example. Once done, the patch list will appear in the below pane (3).

Import Patches

  12. Next, create a folder (folder name should be without spaces) to save the downloaded patches in the 'C' drive of your system. Here, the "PatchDownload" folder is used.
  13. Select the patches to be downloaded (1), click Browse (2) to select the Download Location (3), and click Download. The imported patches will get downloaded in the selected folder.

Download Patches

  14. Once downloaded, you can view the report by clicking the View Report button. Also, you can view the failed patches by enabling the Show Failed Record option.

View Report

  15. Next, on the ServiceOps server, navigate to the filedb folder located at /opt/flotomate/file-server/filedb and check whether the tenant folder has been created. If the folder does not exist, create it using the command below and grant it the appropriate fmt user permissions.

    Syntax: mkdir {tenant-name}

    Example: mkdir apolo

  16. Once the tenant folder is created, create the patch folder in it using the below command.

    Syntax: mkdir {patch-folder-name}

    Example: mkdir patch

  17. Next, copy the downloaded zip file to a physical drive, upload it to the main server, and move it to the below path of the ServiceOps application in the Air Gap network.

    Path: /opt/flotomate/fileserver/filedb/{tenant_name}/patch

    Example: /opt/flotomate/fileserver/filedb/apolo/patch

  18. Next, unzip the file using the below command.

    Syntax for Ubuntu: 7z x {filename}

  19. Grant fmt permission to the tenant folder using the below command:

    chown -R fmtuser:fmtusergroup {tenant_name}

  20. Now you can deploy the patches and carry out the patch management process in a closed network.
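
The procedure carries a .7z archive across the air gap on removable media twice: the Patch DB Dump extracted under main-server/config, and the downloaded patches extracted under the tenant's patch folder. The shell functions below are an added example, not part of the ServiceOps documentation or tooling: they confirm an archive's SHA-256 digest and reject member paths that would extract outside the current folder before `7z x` is run. They assume the digest was recorded on the Internet-connected machine (for example with PowerShell's `Get-FileHash`) and carried over separately from the drive; the function names are illustrative.

```sh
#!/bin/sh
# Added example: checks to run on the ServiceOps server before `7z x {filename}`.
# Assumption: EXPECTED_HEX is the SHA-256 recorded on the Internet-connected machine.

# verify_sha256 FILE EXPECTED_HEX -> status 0 only if the digests match
# (case-insensitive, because Get-FileHash prints upper-case hex).
verify_sha256() (
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum -- "$1" 2>/dev/null | awk '{print $1}')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# unsafe_members: reads `7z l -slt` output on stdin and prints each member whose
# path is absolute or contains a ".." component; status 1 if any was found.
unsafe_members() {
  awk '
    /^----------/ { body = 1; next }   # skip the header block describing the archive itself
    body && sub(/^Path = /, "") {
      if ($0 ~ /^\// || $0 ~ /(^|\/)\.\.(\/|$)/) { print; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# check_archive ARCHIVE EXPECTED_HEX -> status 0 if the archive is safe to extract.
check_archive() (
  verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; exit 1; }
  listing=$(7z l -slt "$1") || { echo "cannot list: $1" >&2; exit 1; }
  printf '%s\n' "$listing" | unsafe_members >&2 ||
    { echo "unsafe member paths in: $1" >&2; exit 1; }
)

# Typical use, with the digest carried over from the Internet-connected machine:
#   check_archive airgappatch.7z "$digest" && 7z x airgappatch.7z
```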