
Workflow Template - Zero Day Patch

Created: 25 Oct 2013 • Updated: 25 Oct 2013 | 17 comments
Jason Short's picture

About the Zero Day Patch Template

The Zero Day Patch Workflow Template runs automatically on a schedule to identify, stage and create policies for bulletins/patches that meet a pre-defined set of criteria.

The above video and attached document will help you download, configure, test and deploy the attached Workflow Template. Although the template is built to run as is, you can modify the project in Workflow to meet the unique process and goals of your organization.


17 Comments

Frank Fleming's picture

Very nice Jason - thanks !

Frank Fleming - VP Sales, Operations & Consulting

ExpressAbility (www.expressability.com)

Symantec Master Specialists (Altiris, Endpoint Mgmt & Security, Mobility)

skhs's picture

Hi Jason, I am not good with workflow, and need some help with this workflow. Once policies are created and the email is sent, can we have another approval process that will add the other targets based on the response by the application owner?

For example, policies are created and tested on the test target; now we want to add other targets, but based on which team has tested. How can this be completed? I am hoping the end user can go on a console and click on a check mark next to their targets and that be added?

Pascal KOTTE's picture

Thanks a lot; I was seeing this feature inside the "What's new under 7.5" but was absolutely not able to find it after installing 7.5, reading all patch doc manuals, or trying to find it under Connect, any 7.5 patch area or CMS or SMS; I was not able to find anything about this Workflow.

I was not thinking about installing the workflow designer first, and later having a look inside this nice "solution center" I did not know before... That's why I was thinking it was a false promise of Symantec. Happy to see I was wrong.

~Pascal @ Kotte.net~ Do you speak French? And use Altiris: come join us on the GUASF

skhs's picture

I guess you are not that much wrong, Pascal, as I think this is just a workflow outside of the Symantec product release, meaning it might not (I could be wrong here too :) be supported by support. But it gives you a very good start on automating the patch.

Pascal KOTTE's picture

Good point, you are very right: If not supported from Symantec support, not "part" the SMS or CMS or Patch Solution support, not an "integrated" supported extension...

But I do not see any disclaimer, or EULA, and this Workflow is published accessible from "Workflow Manager", part of the solution. So legally, they forgot to "exclude" it from support explicitly, and so, it should be part of the solution. Of course, if support refuses the case opening, the support will take some additional time and cost to be fulfilled, after a legal pursuit and so on ;)

I will try this, and open a case if I got an issue... We'll see if I got one ;)

Pascal KOTTE's picture

Does anybody know what the Application property "Age_filter" is? It has a default value of '15' that is not explained in the PDF :(

I guess about 15 days old maximum for activation and processing ? But not sure about :)

If it is; we should extend it for a start; with older bulletin to be auto-activated?

Pascal KOTTE's picture

And what about the Ludovic tools ?

and about this more light and simple option ?

It was initially designed for 7.0 but perhaps reusable for 7.5? But probably fewer features :) OK just joking. But... ?

Pascal KOTTE's picture

I wanted to verify the workflow able to process only "missing" and "applicable" Bulletins, not "all" including useless ones...

And also: if able to avoid requesting to edit each policy manually; to add the pilot2 group; and another time for PROD1 group; and a 3rd time the PROD2 final group in addition. As we must deploy "by wave", for validation steps: It is absolutely required to be able to associate all those automated policies to a single "editable" target, so we can switch all the policies to the next wave level with a single simple change. NOT needing to edit each of the 30 to 60 or more policies to add the additional wave targets. If you deploy in 4 waves: this will ask for about 120 to 240 "edit" operations per month on this so "quick answering" Altiris web console (just joking about "quick")...

I feel we will have to create a new "Named target" each month, and edit the GUID inside the DATA/Application properties: "Zero Day Patch settings". So we will be able to edit and change a single "Named target" 4 times, for extending each week the additional targets with the next wave of computers to deploy patches this month... Instead of editing 30 policies or more, 4 times ;-)

Pascal KOTTE's picture

Well: Email notify

Error Message: The request failed with HTTP status 404: Not Found.
 
Stack Trace: at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at PatchWorkflowSvcDynamicService.PatchWorkflowSvc.EnsureStaged(String bulletinGuids, Boolean sync) at PatchWorkflowSvcDynamicService.EnsureStaged.Run(IData data) at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context) at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)
 
Report Process ID: Patch-0Day-001007
 
Model ID: 7e82176f-0fe0-11e2-85c7-005056a27acc
 
Last Component: Ensure Staged
Workflow logs:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:50 AM
Log Level :Error
Log Category :LogicBase.ExecutionEngine.Delegates
Machine Name : TMS1
Message : 
the component Setup Process declares that it outputs variable [PolicyName] of typeString but did not.  
followed by:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:52 AM
Log Level :Error
Log Category :PatchWorkflowSvcDynamicService.EnsureStaged
Machine Name : TMS1
Message : 
Exception at Run method with message :The request failed with HTTP status 404: Not Found.
Finishing with:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:52 AM
Log Level :Error
Log Category :LogicBase.ExecutionEngine
Machine Name : TMS1
Message : 
Exception was thrown from the exception handling model in project.
 
Is an installed service desk a requirement? Because I do not have one, and the PDF talks about "Tickets" I don't have...

Pascal KOTTE's picture

The URL setup is not answering:

http://tms1.itsm.demo/patchmanagementcore/patchwor...

Server Error in '/' Application.

--------------------------------------------------------------------------------
 
The resource cannot be found. 
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly. 
 
Requested URL: /patchmanagementcore/patchworkflowsvc.asmx/Default.aspx
 
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.5477; ASP.NET Version:2.0.50727.5479 
All the same; the page seems there...
Pascal KOTTE's picture
I also tried to switch https to http; same issue... Here are the settings I was using.
 
Zero Day Patch Settings        
Category: Not Set 
IsDefault True 
InstanceName Default 
Category: Configuration 
Enable_New_Policy_After_Creation True 
Resource_Targets_To_Apply_To_Policy 25353043-FA7D-4B25-A416-9237EEC2B156
 
Category: Connection 
PatchWorkflowSvcURL http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx 
Symantec_CMDB_ConnectionString Data Source=(local);Initial Catalog=Symantec_CMDB;Integrated Security=SSPI; 
Category: Email 
Email_Server 192.168.100.10 
Email_To_Address service.altiris@itsm.demo 
Email_From_Address PatchZeroDay.tms1@itms.demo 
Category: Filter Settings 
Age_Filter 15 
Ignore_Bulletins_With_Policies True 
Ignore_Staged_Bulletins False 
Vendor_Filter 00000000-0000-0000-0000-000000000000
 
Platform_Filter Any 
Severity_Levels_To_Analyze Critical
Important
Unclassified
 
So I will perhaps need to test if "Symantec support" will support this, or not :)
 
 
 

Pascal KOTTE's picture

Must also say: Workflow was installed with a domain service account; I needed to change the Application pool Identity for Process Manager to run using "NETWORK SERVICE" for the Process Manager portal to be able to open. But NETWORK SERVICE has the right on Patch also; this service account is also the Altiris server service account. I added the rights on windows\temp, and framework folders...

I also tried opening with a domain admin account; same error.

Roman Vassiljev's picture
Hello Pascal KOTTE,
 
Any body know what is the Application property "Age_filter"
 
I think it is the number of days backward to look for bulletins. In other words, only bulletins released during the last N days (N is the value of Age_Filter) will be used in this process.
 
I also try to switch https to http; same issue... Here the settings I was using.
PatchWorkflowSvcURL http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx 
 
It looks like PatchWorkflowSvcURL is mistyped in your settings. I guess http://tms1.itsm.demo/altiris/patchmanagementcore/patchworkflowsvc.asmx should work.
 
Thanks,
Roman
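
The URL correction suggested above can be checked before re-running the workflow. The following is an added example, not part of the original thread and not Symantec code: it requests the WSDL of each candidate PatchWorkflowSvcURL quoted in this thread and reports whether the EnsureStaged operation named in the stack trace is exposed. It assumes the ASMX `?WSDL` page is enabled and that the account running it can reach the Notification Server web site; the function name is hypothetical.

```powershell
# Added example: pre-flight check for the PatchWorkflowSvcURL application property.
# The candidate URLs are the two quoted in this thread; run this on the Workflow server.
$candidates = @(
    'http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx',
    'http://tms1.itsm.demo/altiris/patchmanagementcore/patchworkflowsvc.asmx'
)

function Test-PatchWorkflowSvcUrl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Url)

    $result = [pscustomobject]@{
        Url             = $Url
        Status          = $null
        HasEnsureStaged = $false
    }
    try {
        # ASMX services normally publish their contract at <url>?WSDL
        # (assumption: the documentation protocol has not been disabled).
        $resp = Invoke-WebRequest -Uri "${Url}?WSDL" -UseDefaultCredentials `
                                  -UseBasicParsing -TimeoutSec 15
        $result.Status = [int]$resp.StatusCode
        # EnsureStaged is the operation the workflow calls in the stack trace.
        $result.HasEnsureStaged = $resp.Content -match 'name="EnsureStaged"'
    }
    catch {
        # 404, 401 and 500 surface as exceptions; keep the status code when present.
        $r = $_.Exception.Response
        $result.Status = if ($r) { [int]$r.StatusCode } else { $_.Exception.Message }
    }
    $result
}

$candidates |
    ForEach-Object { Test-PatchWorkflowSvcUrl -Url $_ } |
    Format-Table -AutoSize
```

The row with status 200 and HasEnsureStaged set to True is the value to put in PatchWorkflowSvcURL; a 404 on a row reproduces the error the "Ensure Staged" component reported.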
 
Richard_Combes's picture

Hi Pascal,

Keep us updated on how this is going for you, I got this working in my lab and have a few tips to help along the way.

1) When you test the workflow by running the debug, it should run through and enable the policy, but then the workflow will start again. This is because the workflow is set to "autorun", and in a live environment this is kicked off at a certain time and will only run once. So be sure to not let the workflow continually run in debug mode or you will have lots of policies and a server slowdown. In fact, close it after letting it run through twice and you should have the following as a result.

  • An email stating the patches enabled / a policy with the patches enabled targeting your specific target
  • A second email stating that there were no patches to install from the second run of the workflow (provided you set the setting below)

There is a setting in the config page to "ignore staged policies" or something similar (I don't have access to a console right now to tell you the exact setting wording), so basically it does not duplicate policies.

Hope this helps

 

Rich

 

Hendrik Dijkstra's picture

Hello,

Because I wasn't able to install Process Manager on my workflow server, I had to disable the application properties. I have 'converted' the application properties to global properties and that works fine. It's a bit less flexible, but for us still very acceptable. I obviously also changed all the components which were using values from the application properties and when I run the workflow in debugger, I get exactly the result that I expect. Currently the result is that I get an email telling that no bulletins were available and all the variables in the email are filled with correct data.

Now the problem ...... once I publish the workflow, it will not send any emails anymore. Besides, I cannot really check if it has been running on the defined schedule so I have no clue if it has been running on the schedule. That's one of the nice features of Process Manager, but not available for me at this point.

Is there anyone out there who knows why email works when running the workflow in debugger and why it doesn't if it's published?

And then it would be also nice if I could somehow trace if the workflow has been running.

I published the workflow on my workflow server, which is a different one than the SMP server but that shouldn't make a difference, should it?

Any input is very welcome.

Hendrik

HarrisT's picture

Try putting a "Create Log Entry" component at the very beginning of your Workflow, and set the logging level to "Fatal". Then save/publish the workflow and open your Log Viewer. You will be able to see your log entry component write a fatal error to the logs. This is a great way to confirm whether the Workflow ran or not.

Hendrik Dijkstra's picture

Thanks for your comment Harris. Eventually you put me on track with this. It happened to be that the workflow was crashing when it reached the stage where it needed to send the email. As I explained already, I needed to convert the application properties to global properties because we do not have the process manager installed in our environment. It seems that when a workflow is published, for some reason it cannot correctly handle some of the global variables. After I converted the global variables which were related to email to project properties, it started to work.

I will definitely start looking at implementing the process manager, as for this purpose I see a lot of benefits there.

Well .... at least for now this is working, but I may need to convert the variables again at some point to application properties :)
