To proactively enhance the security of our online update services, Check Point will gradually migrate certificates on its servers from SHA-1 based to SHA-256 based starting in June 2016 (with a major migration in October 2016) and ending in November 2016.
Important Note: If the required packages are not installed by that time, Check Point Software on your machine will fail to communicate with Check Point online download / upload services once the certificates migration process is completed.
Check Point online download / upload services are used by Check Point software for:
downloading of signature updates / protections
verification of license information
uploading of data to Check Point User Center / Check Point Cloud
The following software blades, products and features use Check Point online services:
Refer to section "(3) Solution for Check Point online upload service".
Check Point highly recommends installing the required packages to maintain the functionality of the aforementioned online services. Otherwise, communication issues similar to these will occur:
Blade / Feature: IPS online update
Communication issue: IPS Dynamic Update window would show:
    x Connecting to Check Point Download Server
    The Check Point download server is unable to service the request at this time.

Communication issue (Note: Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page):
    Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS and Proxy).
Example:

Blade / Feature: SmartUpdate online update
Communication issue: SmartUpdate GUI would show:
    Problem with local certificate
Example:

Blade / Feature: License activation in First Time Configuration Wizard on Check Point Appliance
Communication issue: On versions R77.20 and lower, automatic license activation cannot be performed during First Time Configuration Wizard without the required hotfix. To activate your Check Point Appliance:
    1. Complete the First Time Configuration Wizard.
    2. Install the required hotfix.
    3. Connect to the operating system GUI on the Check Point Appliance and pull the license from the Check Point User Center:
       Gaia Portal - go to Maintenance section - click on License Activation page - click on Get License.
    Note: The recommended way of applying licenses is by using SmartUpdate.

Blade / Feature: CPinfo file upload
Communication issue: CPinfo file upload would fail:
    [Expert@HostName:0]# ./cpinfo -nf test.log
    You have requested option n, without any argument.
    You have requested option f, with argument test.log.
    This is Check Point CPinfo Build xxx for GAIA
    Please provide an SR number:28-12345678
    Uploading (using proxy)...
    Initiating connection to User Center: Failed to connect
    Warning: Failed connecting to User Center (Please check that User Center is accessible on https service)
Example:

Blade / Feature: Check Point Uploader file upload
Communication issue: File upload in CLI-based Check Point Uploader would fail:
    [Expert@HostName:0]# ./cp_uploader -u username@checkpoint.com test_file.txt
    Password:
    Initiating connection to User Center: Error: Failed connecting to User Center (Please check that port 443 is open)
    [Expert@HostName:0]#
File upload in GUI-based Check Point Uploader would fail:
    "Upload Result Notification" pop-up would show:
        Operation not completed!
    "Log" section would show:
        Error: Failed connecting to User Center
(2) Required packages for Check Point online download service
(2-A) Which versions already contain this fix?
Note: For customers using online download services in SmartDashboard or SmartUpdate version R77.20 and below, and R80 specifically, an improved SmartConsole for download service is required.
Product / Blade / Feature
Support for SHA-256 certificates for download services is integrated since
Security Gateway / Cluster / VSX / Management Server / Log Server
(2-B) Hotfix packages for Check Point online download service
Note: For customers using online services in SmartDashboard (such as IPS blade updates), or SmartUpdate versions R77.20 and below, and R80 specifically, an improved SmartConsole for download service is required as well.
This hotfix package can be installed without rebooting the machine.
This hotfix package is applicable only to R77.20 GA on Gaia OS.
At the end of the installation, the "cpstart" command is executed automatically.
On Multi-Domain Server, the user is prompted to reboot the machine. Ignore this message and run the "mdsstop;mdsstart" commands instead.
This hotfix also includes an enhancement for HTTPS Inspection: certificates generated by the Security Gateway will be signed by the same signing algorithm (SHA-256/SHA-1) as the original server certificate, and not only by SHA-1 algorithm (as was done until now).
This hotfix is already integrated into R77.10 take-045.01 for AWS.
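The HTTPS Inspection note above says the gateway will sign the certificate it generates with the same algorithm (SHA-256 or SHA-1) as the original server certificate. The Python example below is added here and is not Check Point's code; it shows the part of that logic a practitioner can test in isolation: reading the signature algorithm OID out of a certificate's DER encoding, checking that the inner tbsCertificate.signature and the outer signatureAlgorithm agree (RFC 5280 section 4.1.2.3 requires this), and mapping the OID to the hash a re-signing proxy would mirror. The DER helpers, the build_demo_cert skeleton and the resign_hash_for function are all constructed for this example; no real certificate and no Check Point API is involved.

```python
"""Added example (not Check Point code): read the signature algorithm of an
X.509 certificate from its DER encoding and pick the hash a re-signing proxy
should use to mirror it. The demo certificate is a constructed skeleton."""

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and the hash each uses.
HASH_OF_SIG_OID = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Dotted OID text to DER contents (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this element); bounds-checked."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _alg_oid(alg_identifier: bytes) -> str:
    tag, oid, _ = _read_tlv(alg_identifier, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Raises ValueError if the inner and outer algorithm identifiers differ."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)
    _, outer_alg, _ = _read_tlv(cert, pos)
    tag, _, p = _read_tlv(tbs, 0)        # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _read_tlv(tbs, p)      # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, p)  # tbsCertificate.signature
    inner, outer = _alg_oid(inner_alg), _alg_oid(outer_alg)
    if inner != outer:
        raise ValueError(f"signature algorithm mismatch: {inner} vs {outer}")
    return outer


def is_consistent(cert_der: bytes) -> bool:
    """True when the certificate parses and both algorithm identifiers agree."""
    try:
        signature_algorithm_oid(cert_der)
        return True
    except ValueError:
        return False


def resign_hash_for(cert_der: bytes) -> str:
    """Hash for the proxy's re-signed certificate, mirroring the original
    (SHA-1 stays SHA-1, SHA-256 stays SHA-256). Hypothetical helper."""
    oid = signature_algorithm_oid(cert_der)
    if oid not in HASH_OF_SIG_OID:
        raise ValueError(f"unsupported signature algorithm OID {oid}")
    return HASH_OF_SIG_OID[oid]


def build_demo_cert(sig_oid: str, outer_oid: str = None) -> bytes:
    """Constructed DER skeleton with the field layout of an X.509 v3 certificate.
    Only the fields this parser reads carry meaning; the rest are placeholders."""
    def alg(oid):
        return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")  # OID + NULL params
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] EXPLICIT version v3
               + _tlv(0x02, b"\x01")            # serialNumber
               + alg(sig_oid)                   # signature
               + _tlv(0x30, b"") * 4)           # issuer, validity, subject, SPKI placeholders
    return _tlv(0x30, tbs + alg(outer_oid or sig_oid) + _tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", resign_hash_for(build_demo_cert(oid)))
```

A certificate whose outer signatureAlgorithm disagrees with tbsCertificate.signature is rejected rather than silently trusted on either value; is_consistent returns False for such input, which is the check a proxy should run before deciding what to mirror.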
1. Connect to the Gaia Portal on your Check Point machine.
2. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
3. Click on Status and Actions page.
4. Select the hotfix package "<Version> Hotfix for sk103839 ..." - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
5. Select the hotfix package - click on Install Update button on the toolbar.
6. Reboot is required.
7. Download and install the improved SmartConsole from the table above.
Online installation in Gaia Clish
1. Connect to the command line on your Check Point machine.
2. Log in to Clish.
3. Acquire the lock over Gaia configuration database:
   HostName:0> lock database override
4. Check the available packages:
   HostName:0> show installer packages available-for-download
   Note: Refer to the top section "Hotfixes" - refer to "<Version> Hotfix for sk103839...".
5. Verify that this package can be installed without conflicts:
   HostName:0> installer verify <Package_Number>
6. Download the hotfix package from the Check Point Cloud:
   HostName:0> installer download <Package_Number>
7. Show the downloaded packages:
   HostName:0> show installer packages downloaded
8. Install the downloaded package:
   HostName:0> installer install <Package_Number>
   Note: The progress (in per cent) will be displayed in Clish.
9. Reboot is required.
10. Download and install the improved SmartConsole from the table above.
Offline installation in Gaia Portal
1. Install the latest build of CPUSE Agent from sk92449.
2. Download the CPUSE Offline package from the table above to your computer.
3. Connect to the Gaia Portal on your Check Point machine.
4. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
5. Click on Status and Actions page.
6. On the toolbar, click on the More button and select Import Package.
7. In the Import Package window, click on Browse... - select the CPUSE offline package - click on Upload.
8. Click on the filter button near the "Help" icon and select All.
9. Select the imported hotfix package "<Version> Hotfix for sk103839 ..." - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
10. Select the imported hotfix package - click on Install Update button on the toolbar.
11. Reboot is required.
12. Download and install the improved SmartConsole from the table above.
Offline installation in Gaia Clish
1. Install the latest build of CPUSE Agent from sk92449.
2. Download the CPUSE Offline package from the table above to your computer.
3. Transfer the offline package to your Check Point machine (into some directory, e.g., /some_path_to_hotfix/).
4. Connect to the command line on your Check Point machine.
5. Log in to Clish.
6. Acquire the lock over Gaia configuration database:
   HostName:0> lock database override
7. Import the package from the hard disk:
   HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
   Note: When import completes, this package is deleted from the original location.
8. Show the imported packages:
   HostName:0> show installer packages imported
   Note: Refer to the top section "Hotfixes" - refer to "<Package_File_Name>".
9. Verify that this package can be installed without conflicts:
   HostName:0> installer verify <Package_Number>
10. Install the imported package:
    HostName:0> installer install <Package_Number>
11. Reboot is required.
12. Download and install the improved SmartConsole from the table above.
1. Download the relevant hotfix package from the table above and transfer it to the machine.
2. Unpack and install the hotfix:
   [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk103839.tgz
   [Expert@HostName]# ./UnixInstallScript
   Notes:
   - The script will stop all of Check Point services ('cpstop') - read the output on the screen.
   - To install the package "R77.20 for Gaia without reboot", run:
     [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME>
     Reboot is not required - at the end of the installation, the "cpstart" command is executed automatically.
3. Reboot is required (except for the "R77.20 for Gaia without reboot" package).
4. Download and install the improved SmartConsole from the table above.
1. Download the relevant hotfix package from the table above and transfer it to your Check Point machine.
2. Unpack and install the hotfix:
   HostName[admin]# tar -zxvf Check_Point_Hotfix_<VERSION>_IPSO_sk103839.tgz
   HostName[admin]# ./fw1_wrapper_<HOTFIX_NAME>
   Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
3. Reboot is required.
4. Download and install the improved SmartConsole from the table above.
1. Download the relevant hotfix package from the table above and transfer the hotfix package to the machine.
2. Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_Hotfix_<VERSION>_Win_sk103839.tgz file.
3. Open the Disk_Images folder.
4. Open the Disk1 folder.
5. Right-click on the setup.exe file - click on Run as administrator.
   Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
6. Reboot is required.
7. Download and install the improved SmartConsole from the table above.
To uninstall the standard CPUSE package that requires reboot:
In Gaia Portal:
1. Connect to the Gaia Portal on your Check Point machine.
2. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
3. Click on Status and Actions page.
4. Click on the filter button near the "Help" icon and select Installed.
5. Right-click on the hotfix package "<Version> Hotfix for sk103839 ..." - select Uninstall.
6. Reboot is required.
In Gaia Clish:
1. Connect to the command line on your Check Point machine.
2. Log in to Clish.
3. Acquire the lock over Gaia configuration database:
   HostName:0> lock database override
4. Uninstall the package "<Version> Hotfix for sk103839 ...":
   HostName:0> installer uninstall <Package_Number>
   Note: The progress (in per cent) will be displayed in Clish.
5. Reboot is required.
To uninstall the CPUSE package for R77.20 that did not require a reboot:
In Gaia Portal:
1. Connect to the Gaia Portal on your Check Point machine.
2. Navigate to Upgrades (CPUSE) section.
3. Click on Status and Actions page.
4. In the menu near the "Help" icon, select Installed.
5. Right-click on the hotfix package "R77.20 Hotfix for sk103839 ..." - select Uninstall.
6. Reboot is not required.
In Gaia Clish:
1. Connect to the command line on your Check Point machine.
2. Log in to Clish.
3. Acquire the lock over Gaia configuration database:
   HostName:0> lock database override
4. Uninstall the package "R77.20 Hotfix for sk103839 ...":
   HostName:0> installer uninstall <Package_Number>
   Note: The progress (in per cent) will be displayed in Clish.
In Expert mode:
1. Go to the /opt/CPsuite-R77/ directory:
   [Expert@HostName:0]# cd /opt/CPsuite-R77/
2. Execute the uninstall script:
   [Expert@HostName:0]# ./uninstall_HOTFIX_R77_20_HF_SHA256
   Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.

1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
   [Expert@HostName:0]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk103839.tgz
2. Execute the uninstall script:
   [Expert@HostName:0]# ./UnixInstallScript -u
   Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
Improved CPinfo package (Build 914000164) is integrated in the following new R77.30 images:
for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation appliances released on December 16th, 2016
for 2200 / 4000 / 12000 / 13000 / 21000 / Threat Emulation / Smart-1 / UTM-1 / Power-1 / IP Series / Open Servers released on December 27th, 2016
Note: The improved CPinfo package not only supports SHA-256 certificates, but also integrates the functionality of the standalone Check Point Uploader utility (sk84000 / sk108152), which becomes deprecated starting in October 2016.
Improved CPUSE Agent package (Build 1130) is integrated in the following new R77.30 images:
for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation appliances released on December 16th, 2016
for 2200 / 4000 / 12000 / 13000 / 21000 / Threat Emulation / Smart-1 / UTM-1 / Power-1 / IP Series / Open Servers released on December 27th, 2016
(3-C) Improved GUI-based CPUploader package
Improved GUI-based CPUploader utility was released on November 20th, 2016 as an integral part of the CPinfo utility package for Windows OS. Follow the instructions in sk108152.
Check Point machines on which this hotfix was not installed will not be able to connect to Check Point servers and perform operations such as signature updates (IPS blade, Anti-Virus blade, other blades), Licensing, Contracts, etc. - refer to this section.
This hotfix is intended for each machine individually. It does not affect the communication between the Security Management Server / Multi-Domain Security Management Server and the managed Security Gateways. This means you can install this hotfix on a Security Management Server and, after some time, install it on the managed Security Gateways.
Some hotfixes replace the same files. If a private hotfix provided by Check Point Support is installed, there might be a conflict between the hotfixes, and the hotfix installation will be aborted with a specific message about exactly which fixes conflict with each other.
Contact Check Point Support to get a combined hotfix that contains all the required fixes for your Check Point machine. For faster resolution and verification, please provide the following:
The specific message about which fixes conflict with each other
The improved SmartConsole is required for operations that involve Check Point servers - signature updates (IPS blade, Anti-Virus blade, other blades), Licensing, Contracts, etc.
The previously released R77.20 "regular" hotfix contains all the previously released R77.20 recommended hotfixes. One of these integrated R77.20 recommended hotfixes requires a reboot.
The fix for SHA-256 certificates is only a user space library file and installing it does not require reboot.
A "lighter" hotfix package was created for R77.20 Gaia that includes only the fix for SHA-256 certificates to allow installing the required SHA-256 fix without rebooting the machine.
This "lighter" hotfix package should not conflict with other hotfix packages that might already be installed on the R77.20 Gaia machine:
If other hotfix packages are already installed on the R77.20 Gaia machine, then you should be able to easily install this "lighter" hotfix package on top of them.
If this is a cleanly installed R77.20 Gaia (without any hotfixes), then you can easily install this "lighter" hotfix package, and later you should be able to install other desired hotfix packages on top of it (however, other hotfix packages will require a reboot).
In case any conflict between the hotfixes is detected, the installation will automatically be aborted with relevant explanation that mentions the conflicting hotfixes. Contact Check Point Support with this information. For faster resolution and verification, please also collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
1. Transfer the collected CPinfo file to the same machine (running Gaia / SecurePlatform / Linux / IPSO OS) to which you transferred the package with the special shell script.
2. Unpack the CPinfo file:
   # gzip -d -v <CPinfo_File>.cpinfo.gz
3. Unpack the package with the special shell script:
   # tar xvf sha256_check.tar
4. Assign the execute permissions to the shell script:
   # chmod u+x sha256_check.sh
5. Execute the script (requires the absolute path to the CPinfo file):
Instructions for Security Gateway / Security Management Server
After installing the hotfix and rebooting, run the following command on your machine with an Internet connection and configured DNS servers (Important Note: HTTPS Inspection should be disabled on the Security Gateway):
In R77 and above:
    [Expert@HostName]# curl_cli --verbose --cacert $CPDIR/conf/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com
In R76 and lower:
    [Expert@HostName]# curl_cli --verbose --cacert $FWDIR/bin/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com
If the connection succeeds, then everything works correctly (see example below).
If an error message appears, then contact Check Point Support for assistance. For faster resolution and verification, please provide:
Output of the above "curl_cli" command
CPinfo file from the involved Security Management Server
Example of successful connection to Check Point server:
You should see the following in the end:
* Server certificate:
* subject: C=US, ST=California, L=San Carlos, O=Check Point Software Technologies Inc., OU=US MIS, CN=supportcenter.checkpoint.com
* start date: 2015-06-02 00:00:00 GMT
* expire date: 2017-06-02 23:59:59 GMT
* subjectAltName: supportcenter.checkpoint.com matched
* issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
* SSL certificate verify ok.
* servercert: Finished
< HTTP/1.1 302 Found
< Date: Wed, 14 Oct 2015 11:51:27 GMT
< Server: SAP J2EE Engine/6.40
< location: https://supportcenter.checkpoint.com/supportcenter/index.jsp
< content-length: 0
< Via: 1.1 supportcenter.checkpoint.com (Apache/2.2.27)
< Content-Type: text/plain
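When the curl_cli check above has to be run on many gateways, it is easier to save each transcript and parse it than to read every one by hand. The Python example below is added here and is not Check Point code: SUCCESS_TRANSCRIPT copies the lines shown above, FAILURE_TRANSCRIPT is a constructed sample of the verification error curl prints when the local CA bundle cannot validate the chain, and parse_curl_verbose / CheckResult are names chosen for this example.

```python
"""Added example (not Check Point code): parse a `curl_cli --verbose` transcript
and report whether the SHA-256 server chain was validated against the local
CA bundle. Both transcripts below are constructed sample input."""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the successful-connection example in the article.
SUCCESS_TRANSCRIPT = """\
* Server certificate:
* subject: C=US, ST=California, L=San Carlos, O=Check Point Software Technologies Inc., OU=US MIS, CN=supportcenter.checkpoint.com
* start date: 2015-06-02 00:00:00 GMT
* expire date: 2017-06-02 23:59:59 GMT
* subjectAltName: supportcenter.checkpoint.com matched
* issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
* SSL certificate verify ok.
* servercert: Finished
< HTTP/1.1 302 Found
< Date: Wed, 14 Oct 2015 11:51:27 GMT
< Server: SAP J2EE Engine/6.40
< location: https://supportcenter.checkpoint.com/supportcenter/index.jsp
< content-length: 0
"""

# Constructed: the error curl/OpenSSL prints when the issuer is not in the bundle.
FAILURE_TRANSCRIPT = """\
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
"""


@dataclass
class CheckResult:
    verified: bool                      # "* SSL certificate verify ok." seen
    subject_cn: Optional[str] = None
    issuer_cn: Optional[str] = None
    expires: Optional[str] = None
    http_status: Optional[int] = None   # first HTTP status line, if any
    error: Optional[str] = None

    @property
    def ok(self) -> bool:
        """Success means the chain validated AND an HTTP response came back."""
        return self.verified and self.http_status is not None


_CN = re.compile(r"CN=([^,]+)")
_STATUS = re.compile(r"<\s*HTTP/\d(?:\.\d)?\s+(\d{3})")


def parse_curl_verbose(text: str) -> CheckResult:
    """Walk the transcript line by line; '*' lines are TLS info, '<' lines are
    response headers, a trailing 'curl:' line is the exit error."""
    result = CheckResult(verified=False)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            body = line.lstrip("* ").strip()
            if body.startswith("subject:"):
                m = _CN.search(body)
                result.subject_cn = m.group(1).strip() if m else None
            elif body.startswith("issuer:"):
                m = _CN.search(body)
                result.issuer_cn = m.group(1).strip() if m else None
            elif body.startswith("expire date:"):
                result.expires = body.split(":", 1)[1].strip()
            elif body == "SSL certificate verify ok.":
                result.verified = True
            elif body.startswith("SSL certificate problem:"):
                result.error = body.split(":", 1)[1].strip()
        elif line.startswith("<"):
            m = _STATUS.match(line)
            if m and result.http_status is None:
                result.http_status = int(m.group(1))
        elif line.startswith("curl:") and result.error is None:
            result.error = line
    return result


if __name__ == "__main__":
    for name, transcript in (("success", SUCCESS_TRANSCRIPT), ("failure", FAILURE_TRANSCRIPT)):
        r = parse_curl_verbose(transcript)
        print(name, "ok" if r.ok else "FAILED", r.issuer_cn or r.error)
```

A transcript is reported as ok only when both the chain validated and an HTTP status arrived; a run that validates the certificate but then drops the connection is still flagged, which is exactly the case the article asks you to send to Check Point Support together with the curl_cli output.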
Instructions for Small Business appliances (600 / 700 / 1100 / 1200R / 1400)
Firmware R75.20.70 (or higher) and R77.20 GA (or higher) contain this fix.
Due to its size, the curl_cli binary file was excluded from the firmware image.
Therefore, to use the above instructions for Security Gateway / Security Management Server, contact Check Point Support to get the curl_cli binary file. A Support Engineer will make sure the file is compatible with your appliance before providing it. For faster resolution and verification, please collect a CPinfo file from the SMB appliance involved in the case.
1. Transfer the curl_cli binary file that you received from Check Point Support to the appliance - to the /storage/ partition.
2. Connect to the command line on the appliance.
3. Log in to Expert mode.
4. Transfer the curl_cli binary file to the /opt/fw1/bin/ directory:
5. Run the following command on the appliance with an Internet connection and configured DNS servers (Important Note: HTTPS Inspection should be disabled on the Security Gateway):
On versions R77.20 and lower, automatic license activation cannot be performed during First Time Configuration Wizard without the required hotfix. To activate your Check Point Appliance:
1. Complete the First Time Configuration Wizard.
2. Install the required hotfix.
3. Connect to the operating system GUI on the Check Point Appliance and pull the license from the Check Point User Center:
   Gaia Portal - go to Maintenance section - click on License Activation page - click on Get License.
Section "Required packages for Check Point online upload service" - updated the note that improved built-in CPinfo package is integrated in the Endpoint Security Client E80.65 released on February 19th, 2017
19 Jan 2017
Improved the design of this article.
27 Dec 2016
Section "Required packages for Check Point online download service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 image released on December 27th, 2016
Section "Required packages for Check Point online download service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 image released on December 27th, 2016
Section "Required packages for Check Point online upload service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 image released on December 27th, 2016
Section "Required packages for Check Point online upload service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 image released on December 27th, 2016
16 Dec 2016
Section "Required packages for Check Point online download service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 images released on December 16th, 2016
Section "Required packages for Check Point online download service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 images released on December 16th, 2016
Section "Required packages for Check Point online upload service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 images released on December 16th, 2016
Section "Required packages for Check Point online upload service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 images released on December 16th, 2016
Section "Required packages for Check Point online upload service" - added a note that GUI-based CPUploader utility was released on November 20th, 2016 as an integral part of the CPinfo utility package for Windows OS
14 Dec 2016
Section "Required packages for Check Point online download service" - corrected the note that the relevant fix is integrated into Jumbo Hotfix Accumulator for R77.20 - since Take_91 (instead of Take_77)
20 Nov 2016
Section "Required packages for Check Point online download service" - improved R80 SmartConsole is now available.
Section "Required packages for Check Point online upload service" - improved R80 SmartConsole is now available.
25 Oct 2016
Section "Background" - added Endpoint Security Client's built-in CPinfo to the list of products that use online upload service.
Section "Required packages for Check Point online upload service" - added explanation about Endpoint Security Client's built-in CPinfo.
17 Oct 2016
Section "Required packages for Check Point online download service" - improved the explanations and instructions.
Section "Required packages for Check Point online upload service" - improved the explanations and instructions.
13 Oct 2016
Section "Required packages for Check Point online download service" - improved CPSizeMe utility is now available (v3.4 and above).
12 Oct 2016
Section "Background" - added Check Point Uploader to the list of products that use online upload service.
Section "Background" - added an example of CPUploader file upload failure.
Section "Required packages for Check Point online upload service" - added explanation about GUI-based CPUploader.
05 Oct 2016
Section "Required packages for Check Point online download service" - improved CPinfo utility is now available (Build 914000164 and above).
Section "Required packages for Check Point online download service" - added explanation about CPUSE Agent.
Section "Required packages for Check Point online upload service" - added explanation about CPUSE Agent.
Section "Required packages for Check Point online upload service" - added explanation about CPSizeMe.
02 Oct 2016
Section "Required packages for Check Point online upload service" - improved CPinfo utility is now available (Build 914000164 and above).
29 Sep 2016
Section "Background" - added an example of Threat Emulation engine online update failure.
Section "Required packages for Check Point online download service" - updated the Threat Emulation engine version.
26 Sep 2016
Section "Background" - clarified the time line for migration of certificates (started in June 2016, will end in Nov 2016).
25 Sep 2016
Section "Background" - updated the time line for migration of certificates from "Q4 2016" to "October 2016".
Section "Background" - improved explanations.
Merged section "Solution" and section "Hotfixes" under the title "Required packages for Check Point online download service".
Added section "Solution for Check Point online upload service".
22 Sep 2016
Section "Background" - updated the time line for migration of certificates from "June 2016" to "Q4 2016".
06 June 2016
Section "Hotfixes" - improved instructions.
Section "FAQ" - added a question about license activation in First Time Configuration Wizard on Check Point Appliance.
05 June 2016
Section "Background" - added examples of online update failures.
01 June 2016
Section "Background" - added an example of IPS online update failure.
14 Apr 2016
Section "FAQ" - added a note about verification of SHA-256 being supported on SMB appliances.
23 Mar 2016
Section "Additional Products" - added "OPSEC SDK 3rd Party Clients".
22 Feb 2016
Section "Background" - updated the time line for gradual migration of certificates from "during June 2016" to "starting June 5th, 2016".
12 Jan 2106
Section "Hotfix Uninstall Instructions" - added the uninstall instructions for Gaia OS package that was installed without reboot.
11 Jan 2106
Section "Background" - updated the time line for gradual migration of certificates from "February 2016" to "June 2016".
Section "Solution" - added Jumbo Hotfix Accumulators and relevant Takes, in which the fix is included.
27 Oct 2015
Added section "Related Solutions".
20 Oct 2015
Section "Background" - updated the time line for gradual migration of certificates from "November 2015" to "February 2016".
15 Oct 2015
Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - added an example of successful connection to Check Point server.
14 Oct 2015
Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - added a note that HTTPS Inspection has to be disabled on the Security Gateway.
12 Oct 2015
Section "FAQ" - added a question about which hotfix should be installed (hotfix from this SK, specific Take of a Jumbo Hotfix Accumulator, a combined hotfix is needed, etc.?).
11 Oct 2015
Section "Solution" - the fix is also included in Data Center Security Appliances R76SP.20.
Section "Additional Products" - updated status of "61000 / 41000 Security Systems".
Section "Additional Products" - updated status of "DDoS Protector appliance".
Section "Additional Products" - updated status of "LOM card on Check Point appliances".
Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - clarified commands.
08 Oct 2015
Section "Hotfixes" - clarified installation instructions for package "R77.20 for Gaia without reboot".
06 Oct 2015
Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - clarified commands.
16 Sep 2015
Section "Solution" - added clarification, that hotfix can be provided only for supported versions.
15 Sep 2015
Section "Additional Products" - added "DDoS Protector appliance" and "LOM card on Check Point appliances" (information will be added soon).
09 Sep 2015
Section "FAQ" - added a question about how to verify that the hotfix was installed and SHA-256 is supported.
28 July 2015
Section "Solution" - the fix is also included in Endpoint Security Server E80.61 / R77.20.01.
22 July 2015
Section "Additional Products" - added firmware R75.20 HFA 70 (R75.20.70) for 600 / 1100 Appliance and Security Gateway 80.
21 July 2015
Section "Additional Products" - added firmware 8.2.77 for UTM-1 Edge N and Safe@Office 1000.
16 July 2015
Section "FAQ" - added a question about Offline Updates.