Check Point update and online services migration to SHA-256 based certificates
Solution

Table of Contents:

  1. Background
  2. Solution for Check Point online download service
    1. Which versions already contain this fix?
    2. Hotfix packages for Check Point online download service
    3. Hotfix Installation Instructions
    4. Hotfix Uninstall Instructions
  3. Solution for Check Point online upload service
    1. Improved CPinfo package
    2. Improved CPUSE Agent package
    3. Improved GUI-based CPUploader package
    4. Improved CPSizeMe package
    5. Improved SmartConsole package
    6. Improved Endpoint Security Client's built-in CPinfo
  4. Additional Products
  5. FAQ
  6. Related Solutions
  7. Revision History

 


 

(1) Background

To proactively enhance the security of our online update services, Check Point will gradually migrate certificates on its servers
from SHA-1 based to SHA-256 based starting in June 2016 (with a major migration in October 2016) and ending in November 2016.

Important Note: If the required packages are not installed by that time, Check Point Software on your machine
will fail to communicate with Check Point online download / upload services once the certificates migration process is completed.

Check Point online download / upload services are used by Check Point software for:

  • downloading of signature updates / protections
  • verification of license information
  • uploading of data to Check Point User Center / Check Point Cloud

The following software blades, products and features use Check Point online services:

Download service is used by:

  • Software Blades:
    • IPS (signatures)
    • Application Control (applications)
    • URL Filtering (URLs)
    • Threat Emulation (engine self-update)
    • Anti-Virus (signatures)
    • Anti-Bot (signatures)
    • Anti-Spam (signatures)
    • HTTPS Inspection (Trusted CAs, blocked certificates)
    • Endpoint Security On Demand (ESOD)
  • CPUSE on Gaia OS (packages, self-update) (sk92449)
  • CPinfo (self-update) (sk92739)
  • SmartUpdate (packages, licenses)
  • License operations and Contract updates

Refer to section "(2) Solution for Check Point online download service".

Upload service is used by:

  • CPinfo (file upload) (sk92739)
  • CPUSE on Gaia OS (upload of package installation failures) (sk92449)
  • Check Point Uploader - CLI-based (sk84000)
  • Check Point Uploader - GUI-based (sk108152)
  • CPSizeMe (sk88160) on R77.20
  • SmartDashboard:
    • "Sync with UserCenter" feature (sk94064)
    • Opening a Service Request (sk97748)
    • Sending crash reports
    • R80 Demo error reports
  • SmartUpdate:
    • Upload diagnostics (CPinfo)
  • Endpoint Security Client's built-in CPinfo (file upload) (sk90445)

Refer to section "(3) Solution for Check Point online upload service".

Check Point highly recommends installing the required packages to maintain the functionality of the aforementioned online services.
Otherwise, communication issues similar to these will occur:

Blade / Feature and the resulting communication issue:

IPS online update:

IPS Dynamic Update window would show:

x Connecting to Check Point Download Server

The Check Point download server is unable to service the request at this time.

Anti-Bot, Anti-Virus, Threat Emulation online update:
  • SmartDashboard - Threat Prevention tab - Gateways pane - Update Status column would show:

    Error in update

    Anti-bot: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://...

    Anti-virus: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://...

    Threat Emulation: Update failed: The Security Gateway cannot download the file.The Security Gateway cannot connect to the Internet.

  • SmartDashboard - Threat Prevention tab - Gateways pane - Update Status section in the right pane would show:

    Anti-Bot: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://...

    Anti-Virus: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://...

    Threat Emulation: Update failed: The Security Gateway cannot download the file.The Security Gateway cannot connect to the Internet.

Application Control, URL Filtering online update:
  • SmartDashboard - Application & URL Filtering tab - Gateways pane - Update Status column would show:

    Error in database update

    Application Control: Update failed. Gateway can not access internet ('https://...

    URL Filtering: Update failed. Gateway can not access internet ('https://...

  • SmartDashboard - Application & URL Filtering tab - Gateways pane - Application Database Updates section would show:

    Automatic update failed, check Management Server connectivity and proxy settings

Threat Emulation Engine self-update:
  • SmartLog / SmartView Tracker log will show (sk113333):

    Threat Emulation update failed, cannot download <Name_of_Component>. Failed running download process.

  • SmartView Monitor will show (sk113333):

    Error: Threat Emulation update failed, cannot download JAVA. Failed running download process.

CPUSE online update:

CPUSE Agent in Gaia Portal would show:

Note: Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS and Proxy).

SmartUpdate online update:

SmartUpdate GUI would show:

Problem with local certificate

License activation in First Time Configuration Wizard on Check Point Appliance:

On versions R77.20 and lower, automatic license activation cannot be performed during First Time Configuration Wizard without the required hotfix.
To activate your Check Point Appliance:

  1. Complete the First Time Configuration Wizard

  2. Install the required hotfix

  3. Connect to operating system GUI on Check Point Appliance and pull the license from the Check Point User Center:

    • Gaia Portal - go to Maintenance section - click on License Activation page - click on Get License

      (refer to R77 versions Gaia Administration Guide - Chapter "Maintenance" - section "License Activation")
    • SecurePlatform WebUI - go to Product Configuration section - click on Licenses page - click on Check Point User Center link

      (refer to R77 versions SecurePlatform Administration Guide - Chapter 4 "Configuration Using the Web Interface" - section "Product Configuration" - subsection "Licenses")
  4. Note: The recommended way of applying licenses is by using SmartUpdate.

CPinfo file upload:

CPinfo file upload would fail:

[Expert@HostName:0]# ./cpinfo -nf test.log
You have requested option n, without any argument.
You have requested option f, with argument test.log.

This is Check Point CPinfo Build xxx for GAIA

Please provide an SR number:28-12345678

                Uploading (using proxy)...

Initiating connection to User Center: Failed to connect
Warning: Failed connecting to User Center (Please check that User Center is accessible on https service)

Check Point Uploader file upload:
  • File upload in CLI-based Check Point Uploader would fail:

    [Expert@HostName:0]# ./cp_uploader -u username@checkpoint.com test_file.txt
    Password:
    Initiating connection to User Center: Error: Failed connecting to User Center (Please check that port 443 is open)
    [Expert@HostName:0]#
  • File upload in GUI-based Check Point Uploader would fail:

    • "Upload Result Notification" pop-up would show:

      Operation not completed!
    • "Log" section would show:

      Error: Failed connecting to User Center

 

(2) Required packages for Check Point online download service

(2-A) Which versions already contain this fix?

Note: For customers using online download services in SmartDashboard or SmartUpdate version R77.20 and below, and R80 specifically, an improved SmartConsole for download service is required.

Product / Blade / Feature | Support for SHA-256 certificates for download services is integrated since
Security Gateway / Cluster / VSX / Management Server / Log Server
SmartConsole for download service
41000 / 61000 Security Systems
vSEC Gateway
600 / 700 / 1100 / 1200R / 1400 appliances running R77.20.X firmware image
600 / 1100 / Security Gateway 80 appliances running R75.20.X firmware image
Threat Emulation Engine
UTM-1 Edge N / Industrial
Safe@Office 1000
CPUSE Agent
  • Build 1005 (released 15 June 2016) - refer to sk92449
  • Build 1130 integrated in the new R77.30 images released on December 16th and December 27th, 2016
CPinfo utility
  • Build 914000164 (released 02 Oct 2016) - refer to sk92739
  • Build 914000164 integrated in the new R77.30 images released on December 16th and December 27th, 2016
OPSEC SDK 3rd Party Clients

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Security Management Server / upgrade Multi-Domain Security Management Server / upgrade SmartConsole / upgrade Endpoint Security Server / upgrade vSEC Gateway for NSX / upgrade 600 appliance / upgrade 700 appliance / upgrade 1100 appliance / upgrade 1200R appliance / upgrade 1400 appliance / upgrade Edge / Safe@Office device).

 

(2-B) Hotfix packages for Check Point online download service

Note: For customers using online services in SmartDashboard (such as IPS blade updates), or SmartUpdate versions R77.20 and below, and R80 specifically, an improved SmartConsole for download service is required as well.

In order to download these hotfix packages you will need to have a Software Subscription or Active Support plan.

Version | Gaia CPUSE Offline | Gaia CLI, SecurePlatform, Linux | IPSO | Windows | Improved SmartConsole
R80 | Not required | Not required | N/A | N/A | Install the improved SmartConsole from sk114579
R77.20 for Gaia
without reboot (1)
N/A N/A
R77.20 (2)
R77.10 (2)
R77.10 for AWS (3) N/A N/A N/A
R77 (2)
R76 (2)
R75.47 (2) and

Notes:

  1. This hotfix package can be installed without rebooting the machine.
    • This hotfix package is applicable only to R77.20 GA on Gaia OS.
    • At the end of the installation, the "cpstart" command is executed automatically.
    • On Multi-Domain Server, user is prompted to reboot the machine. Ignore this message and run the "mdsstop;mdsstart" commands.
  2. This hotfix also includes an enhancement for HTTPS Inspection: certificates generated by the Security Gateway will be signed by the same signing algorithm (SHA-256/SHA-1) as the original server certificate, and not only by SHA-1 algorithm (as was done until now).
  3. This hotfix is already integrated into R77.10 take-045.01 for AWS.

 

(2-C) Hotfix Installation Instructions


Notes:

  • Make sure to take a snapshot / backup of your Check Point machine before installing this hotfix.
  • Hotfix has to be installed on all Check Point machines R77.20 and lower (already fully integrated into R77.30).
  • In cluster environment, this procedure must be performed on all members of the cluster.
  • In Management HA environment, this procedure must be performed on both Management Servers.

Instructions:

  • On Gaia OS using CPUSE

    For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE"

    • Online installation in Gaia Portal

      1. Connect to the Gaia Portal on your Check Point machine.
      2. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
      3. Click on Status and Actions page.
      4. Select the hotfix package <Version> Hotfix for sk103839 ... - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      5. Select the hotfix package - click on Install Update button on the toolbar.
      6. Reboot is required.
      7. Download and install the improved SmartConsole from the table above.
    • Online installation in Gaia Clish

      1. Connect to the command line on your Check Point machine.
      2. Log in to Clish.
      3. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      4. Check the available packages:
        Note: Refer to the top section "Hotfixes" - refer to "<Version> Hotfix for sk103839..."
        HostName:0> show installer packages available-for-download
      5. Verify that this package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      6. Download the hotfix package from the Check Point Cloud:
        HostName:0> installer download <Package_Number>
      7. Show the downloaded packages:
        HostName:0> show installer packages downloaded
      8. Install the downloaded package:
        HostName:0> installer install <Package_Number>
        Note: The progress (in per cent) will be displayed in Clish.
      9. Reboot is required.
      10. Download and install the improved SmartConsole from the table above.
    • Offline installation in Gaia Portal

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Download the CPUSE Offline package from the table above to your computer.
      3. Connect to the Gaia Portal on your Check Point machine.
      4. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
      5. Click on Status and Actions page.
      6. On the toolbar, click on the More button and select Import Package.
      7. In the Import Package window, click on Browse... - select the CPUSE offline package - click on Upload.
      8. Click on the filter button near the "Help" icon and select All.
      9. Select the imported hotfix package <Version> Hotfix for sk103839 ... - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      10. Select the imported hotfix package - click on Install Update button on the toolbar.
      11. Reboot is required.
      12. Download and install the improved SmartConsole from the table above.
    • Offline installation in Gaia Clish

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Download the CPUSE Offline package from the table above to your computer.
      3. Transfer the offline package to your Check Point machine (into some directory, e.g., /some_path_to_hotfix/).
      4. Connect to the command line on your Check Point machine.
      5. Log in to Clish.
      6. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      7. Import the package from the hard disk:
        Note: When import completes, this package is deleted from the original location.
        HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
      8. Show the imported packages:
        Note: Refer to the top section "Hotfixes" - refer to "<Package_File_Name>"
        HostName:0> show installer packages imported
      9. Verify that this package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      10. Install the imported package:
        HostName:0> installer install <Package_Number>
      11. Reboot is required.
      12. Download and install the improved SmartConsole from the table above.


  • On Gaia / SecurePlatform / Linux OS using Legacy CLI
    1. Download the relevant hotfix package from the table above and transfer it to the machine.
    2. Unpack and install the hotfix:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk103839.tgz
      [Expert@HostName]# ./UnixInstallScript
      Notes:
      • The script will stop all of Check Point services ('cpstop') - read the output on the screen.
      • To install the package "R77.20 for Gaia without reboot", run:
        [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME>
        Reboot is not required - at the end of the installation, the "cpstart" command is executed automatically.
    3. Reboot is required (except for "R77.20 for Gaia without reboot" package).
    4. Download and install the improved SmartConsole from the table above.


  • On IPSO OS using CLI
    1. Download the relevant hotfix package from the table above and transfer it to your Check Point machine.
    2. Unpack and install the hotfix:
      HostName[admin]# tar -zxvf Check_Point_Hotfix_<VERSION>_IPSO_sk103839.tgz
      HostName[admin]# ./fw1_wrapper_<HOTFIX_NAME>
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.
    4. Download and install the improved SmartConsole from the table above.


  • On Windows OS using CLI
    1. Download the relevant hotfix package from the table above and transfer it to the machine.
    2. Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_Hotfix_<VERSION>_Win_sk103839.tgz file.
    3. Open the Disk_Images folder.
    4. Open the Disk1 folder.
    5. Right-click on the setup.exe file - click on Run as administrator.
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    6. Reboot is required.
    7. Download and install the improved SmartConsole from the table above.


  • Improved SmartConsole for download service
    1. Download the relevant improved SmartConsole for download service from the table above.
    2. Uninstall the current SmartConsole.
    3. Install the improved SmartConsole.

 

(2-D) Hotfix Uninstall Instructions


Note: Names of hotfixes used in this section are given for the hotfixes provided directly in this article (refer to the table above).

Notes:

  • Make sure to take a snapshot / backup of your Check Point machine before uninstalling this hotfix.
  • In cluster environment, this procedure must be performed on all members of the cluster.
  • In Management HA environment, this procedure must be performed on both Management Servers.

Instructions:

  • On Gaia OS using CPUSE

    For detailed uninstall instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

    • To uninstall the standard CPUSE package that requires reboot:

      • In Gaia Portal:

        1. Connect to the Gaia Portal on your Check Point machine.
        2. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
        3. Click on Status and Actions page.
        4. Click on the filter button near the "Help" icon and select Installed.
        5. Right-click on the hotfix package <Version> Hotfix for sk103839 ... - select Uninstall.
        6. Reboot is required.
      • In Gaia Clish:

        1. Connect to the command line on your Check Point machine.
        2. Log in to Clish.
        3. Acquire the lock over Gaia configuration database:
          HostName:0> lock database override
        4. Uninstall the package <Version> Hotfix for sk103839 ...:
          HostName:0> installer uninstall <Package_Number>
          Note: The progress (in per cent) will be displayed in Clish.
        5. Reboot is required.
    • To uninstall the CPUSE package for R77.20 that did not require a reboot:

      • In Gaia Portal:

        1. Connect to the Gaia Portal on your Check Point machine.
        2. Navigate to Upgrades (CPUSE) section.
        3. Click on Status and Actions page.
        4. In the menu near the "Help" icon, select Installed.
        5. Right-click on the hotfix package R77.20 Hotfix for sk103839 ... - select Uninstall.
        6. Reboot is not required.
      • In Gaia Clish:

        1. Connect to the command line on your Check Point machine.
        2. Log in to Clish.
        3. Acquire the lock over Gaia configuration database:
          HostName:0> lock database override
        4. Uninstall the package R77.20 Hotfix for sk103839 ...:
          HostName:0> installer uninstall <Package_Number>
          Note: The progress (in per cent) will be displayed in Clish.
        5. Reboot is not required.


  • On Gaia OS using Legacy CLI - uninstall of the package for R77.20 that did not require a reboot
    1. Go to /opt/CPsuite-R77/ directory:
      [Expert@HostName:0]# cd /opt/CPsuite-R77/
    2. Execute the uninstall script:
      [Expert@HostName:0]# ./uninstall_HOTFIX_R77_20_HF_SHA256
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.


  • On Gaia / SecurePlatform / Linux OS using Legacy CLI
    1. Download the relevant hotfix package from the table above, transfer it to the machine, and unpack it:
      [Expert@HostName:0]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk103839.tgz
    2. Execute the uninstall script:
      [Expert@HostName:0]# ./UnixInstallScript -u
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.


  • On IPSO OS using CLI
    1. Execute the uninstall script:
      Version | Command to run
      R77.20 | HostName[admin]# ./opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_R77_20_HF6IS
      R77.10 | HostName[admin]# ./opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_R77_HF_HA10_012
      R77 | HostName[admin]# ./opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_R77_HF_BASE_013I
      R76 | HostName[admin]# ./opt/CPsuite-R76/uninstall_fw1_wrapper_HOTFIX_GIZMO_HF_BASE_041_060I
      R75.47 | HostName[admin]# ./opt/CPsuite-R75.40/uninstall_fw1_wrapper_HOTFIX_FOXX_HF_HA47_069
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    2. Reboot is required.


  • On Windows OS
    1. Go to Control Panel:
      • On Windows 2000 / 2003 - click on Add/Remove Programs
      • On Windows 2008 / Vista / 7 - click on Programs and Features
    2. Select the hotfix - click on Uninstall button:
      Version | Hotfix Name
      R77.20 | Check Point R77.20_R77_20_HF6W
      R77.10 | Check Point R77.10_R77_HF_HA10_012W
      R77 | Check Point R77_R77_HF_BASE_013W
      R76 | Check Point R76_GIZMO_HF_BASE_041_060I
      R75.47 | Check Point R75.47_FOXX_HF_HA47_069
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Alternatively, run the installation program with '-u' flag:

    1. Open the elevated Command Prompt:
      Start - Programs - Accessories - right-click on 'Command Prompt' icon - select 'Run as administrator'.
    2. Navigate to the folder where you unpacked the hotfix package:
      DISK:\> cd "path_to_unpacked_hotfix_package"
    3. Run the installation program with '-u' flag:
      DISK:\path_to_unpacked_hotfix_package\> setup.exe -u
    4. Reboot is required.


  • Improved SmartConsole for download service
    1. Uninstall the current improved SmartConsole.
    2. Install the default SmartConsole from the relevant Home Page (R75.47, R76, R77, R77.10, R77.20).

 

(3) Required packages for Check Point online upload service

(3-A) Improved CPinfo package

  • Improved CPinfo package (Build 914000164 and above) is available in the sk92739 - The CPinfo utility.

  • Improved CPinfo package (Build 914000164) is integrated in the following new R77.30 images:

    • for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation appliances released on December 16th, 2016
    • for 2200 / 4000 / 12000 / 13000 / 21000 / Threat Emulation / Smart-1 / UTM-1 / Power-1 / IP Series / Open Servers released on December 27th, 2016

Note: The improved CPinfo package not only supports SHA-256 certificates, but also integrates the functionality
of the standalone Check Point Uploader utility (sk84000 / sk108152), which becomes deprecated starting in October 2016.

(3-B) Improved CPUSE Agent package

  • Improved CPUSE Agent package (Build 1005 and above) is available in the sk92449 - CPUSE - Gaia Software Updates.

  • Improved CPUSE Agent package (Build 1130) is integrated in the following new R77.30 images:

    • for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation appliances released on December 16th, 2016
    • for 2200 / 4000 / 12000 / 13000 / 21000 / Threat Emulation / Smart-1 / UTM-1 / Power-1 / IP Series / Open Servers released on December 27th, 2016

(3-C) Improved GUI-based CPUploader package

Improved GUI-based CPUploader utility was released on November 20th, 2016 as an integral part of the CPinfo utility package for Windows OS.
Follow the instructions in sk108152.

(3-D) Improved CPSizeMe package

Improved CPSizeMe package (version 3.14) is available in sk88160 - The Check Point Performance Sizing Utility.

Note: Applies only to R77.20

(3-E) Improved SmartConsole package

(3-F) Improved Endpoint Security Client's built-in CPinfo

The improved built-in CPinfo utility (sk90445) is available starting in Endpoint Security Client E80.65.

 

(4) Additional Products

Product / Blade / Feature | Support for SHA-256 certificates
LOM card on Check Point appliances | Not relevant (no services / protections are updated, no license is verified).
DDoS Protector appliance | Not relevant (signature updates are manually downloaded from sk102818).
UTM-1 Edge X / W | There is no plan to add SHA-256 support for these appliances because support for these appliances ended on 31 May 2015.
Safe@Office 500 | There is no plan to add SHA-256 support for these appliances because support for these appliances ended on 31 May 2015.

 

(5) FAQ

  • What happens if I do not install this hotfix on some of my Check Point machines?
    Check Point machines, on which this hotfix was not installed, will not be able to connect to Check Point servers and perform operations like signatures updates (IPS blade, Anti-Virus blade, other blades), Licensing, Contracts, etc. - refer to this section.


  • Do I have to install this hotfix on all my Check Point machines at the same time?

    This hotfix is intended for each machine individually. It does not affect the communication between Security Management Server / Multi-Domain Security Management Server and the managed Security Gateways.
    Meaning, you can install this hotfix on a Security Management Server, and after some time install it on the managed Security Gateways.

    In addition, refer to Question 1.


  • Is this hotfix compatible with other hotfixes I have installed?

    Some hotfixes replace the same files. If a private hotfix provided by Check Point Support is installed, the hotfixes might conflict, and the installation will be aborted with a specific message stating exactly which fixes conflict with each other.

    Contact Check Point Support to get a combined hotfix that contains all the required fixes for your Check Point machine.
    For faster resolution and verification, please provide the following:

    • Specific message about what fixes conflict with each other
    • CPinfo file from the involved Check Point machine


  • Do I have to install the improved SmartDashboard? What does it add?
    The improved SmartConsole is required to be able to work with Check Point servers - operations like signatures updates (IPS blade, Anti-Virus blade, other blades), Licensing, Contracts, etc.


  • What is the impact on the production when installing the no-reboot R77.20 hotfix package instead of the "regular" one?

    The previously released R77.20 "regular" hotfix contains all the previously released R77.20 recommended hotfixes. One of these integrated R77.20 recommended hotfixes requires a reboot.

    The fix for SHA-256 certificates is only a user space library file, and installing it does not require a reboot.

    A "lighter" hotfix package was created for R77.20 Gaia that includes only the fix for SHA-256 certificates to allow installing the required SHA-256 fix without rebooting the machine.

    This "lighter" hotfix package should not conflict with other hotfix packages that might already be installed on the R77.20 Gaia machine:

    • If other hotfix packages are already installed on the R77.20 Gaia machine, then you should be able to easily install this "lighter" hotfix package on top of them.
    • If this is a cleanly installed R77.20 Gaia (without any hotfixes), then you can easily install this "lighter" hotfix package, and later you should be able to install other desired hotfix packages on top of it (however, other hotfix packages will require a reboot).

    If any conflict between the hotfixes is detected, the installation will automatically be aborted with a relevant explanation that mentions the conflicting hotfixes. Contact Check Point Support with this information. For faster resolution and verification, please also collect CPinfo files from the Security Management Server and Security Gateways involved in the case.


  • Are there offline updates available for Software Blades?


  • Was this fix integrated into Jumbo Hotfix Accumulators?

    Yes - fix for online download services was integrated into all known Jumbo Hotfix Accumulators.

    Status update as of 13 July 2015:

    Jumbo Hotfix Accumulator, its integration status, and the Issue IDs with the Take each was integrated in:

    • sk101975 - Jumbo Hotfix Accumulator for R77.20 (R77_20_jumbo_hf)
      Integration: Full since Take 91
      Issue IDs (Integrated in): 01526937 (Take 51), 01510981 (Take 36), 01507672 (Take 31), 01563194 (Take 91)
    • sk98285 - Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021)
      Integration: Full since Take 127
      Issue IDs (Integrated in): 01639154 (Take 127), 01513476 (Take 88), 01523791 (Take 88), 01604263 (Take 116)
    • sk96192 - Jumbo Hotfix Accumulator for R77 (gulli_hf_base_008)
      Integration: Full since Take 37
      Issue IDs (Integrated in): 01639153 (Take 37), 01527195 (Take 37), 01527193 (Take 37), 01606230 (Take 37)
    • sk96191 - Jumbo Hotfix Accumulator for R76 (gizmo_hf_041_050)
      Integration: Full since Take 61
      Issue IDs (Integrated in): 01639624 (Take 61), 01552671 (Take 54), 01547804 (Take 50), 01608312 (Take 54)
    • sk95827 - Jumbo Hotfix Accumulator for R75.47 (fiat_hf_base_026)
      Integration: Full since Take 84
      Issue IDs (Integrated in): 01640153 (Take 84), 01524715 (Take 67), 01524713 (Take 67), 01570018 (Take 76)
    • sk103121 - Data Center Security Appliances R76SP.10 - Jumbo Hotfix Accumulator
      Integration: Full since Take 62
      Issue IDs (Integrated in): 01579733 (Take 62), 01513576 (Take 62), 01507932 (Take 62), 01579728 (Take 62)
    • sk105706 - Data Center Security Appliances R76SP.10_VSLS - Jumbo Hotfix Accumulator
      Integration: Full since Take 15
      Issue IDs (Integrated in): 01579733 (Take 15), 01513576 (Take 15), 01507932 (Take 15), 01579728 (Take 15)


  • Will this fix be integrated into ISO images?
    Currently, there are no such plans.


  • How can I determine which "SHA-256" hotfix for Check Point online download service should be installed - hotfix from this SK, specific Take of a Jumbo Hotfix Accumulator, a combined hotfix is needed, etc.?
    • Instructions if the involved machine runs on Gaia / SecurePlatform / Linux / IPSO OS
      1. Download this package with a special shell script and transfer it to the involved machine.

      2. Collect CPinfo file on the involved machine:

        # cpinfo -o /path_to/<CPinfo_File>.cpinfo

        Note: Do not use the "-z" flag, so that the output file is not compressed.

      3. Unpack the package with a special shell script:

        # tar xvf sha256_check.tar

      4. Assign the execute permissions to the shell script:

        # chmod u+x sha256_check.sh

      5. Execute the script (requires absolute path to the CPinfo file):

        # ./sha256_check.sh /path_to/<UnPacked_CPinfo_File>

        Refer to the instructions on the screen.


    • Instructions if the involved machine runs on Windows OS
      1. Download this package with a special shell script and transfer it to a machine that runs Gaia / SecurePlatform / Linux / IPSO OS.

      2. Collect CPinfo file from the involved machine:

        C:\> cpinfo -z -o C:\<CPinfo_File>.cpinfo

      3. Transfer the collected CPinfo file to the same Gaia / SecurePlatform / Linux / IPSO OS machine to which you transferred the package with the special shell script.

      4. Unpack the CPinfo file:

        # gzip -d -v <CPinfo_File>.cpinfo.gz

      5. Unpack the package that contains the special shell script:

        # tar xvf sha256_check.tar

      6. Assign the execute permissions to the shell script:

        # chmod u+x sha256_check.sh

      7. Execute the script (requires absolute path to the CPinfo file):

        # ./sha256_check.sh /path_to/<UnPacked_CPinfo_File>

        Refer to the instructions on the screen.


  • How can I verify that the hotfix for Check Point online download service was installed, and now SHA-256 is supported on my machine?
    • Instructions for Security Gateway / Security Management Server

      After installing the hotfix and rebooting, run the following command on your machine with an Internet connection and configured DNS servers (Important Note: HTTPS Inspection should be disabled on the Security Gateway):

      In R77 and above:
      [Expert@HostName]# curl_cli --verbose --cacert $CPDIR/conf/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com

      In R76 and lower:
      [Expert@HostName]# curl_cli --verbose --cacert $FWDIR/bin/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com

      • If the connection succeeds, then everything works correctly (see example below).
      • If an error message appears, then contact Check Point Support for assistance.
        For faster resolution and verification, please provide:
        • Output of the above "curl_cli" command
        • CPinfo file from the involved Security Management Server
        • CPinfo file from the involved Security Gateway

      Example of a successful connection to the Check Point server.

      You should see the following at the end of the output:
      * Server certificate:
      * subject: C=US, ST=California, L=San Carlos, O=Check Point Software Technologies Inc., OU=US MIS, CN=supportcenter.checkpoint.com
      * start date: 2015-06-02 00:00:00 GMT
      * expire date: 2017-06-02 23:59:59 GMT
      * subjectAltName: supportcenter.checkpoint.com matched
      * issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
      * SSL certificate verify ok.
      * servercert: Finished
      < HTTP/1.1 302 Found
      < Date: Wed, 14 Oct 2015 11:51:27 GMT
      < Server: SAP J2EE Engine/6.40
      < location: https://supportcenter.checkpoint.com/supportcenter/index.jsp
      < content-length: 0
      < Via: 1.1 supportcenter.checkpoint.com (Apache/2.2.27)
      < Content-Type: text/plain
      
    • Instructions for Small Business appliances (600 / 700 / 1100 / 1200R / 1400)

      Firmware R75.20.70 (or higher) and R77.20 GA (or higher) contain this fix.

      Due to its size, the curl_cli binary file was excluded from firmware image.

      Therefore, to use the above instructions for Security Gateway / Security Management Server, contact Check Point Support to get the curl_cli binary file.
      A Support Engineer will make sure the file is compatible with your appliance before providing it.
      For faster resolution and verification, please collect CPinfo file from the SMB appliance involved in the case.

      1. Transfer the curl_cli binary file that you received from Check Point Support to the appliance - to the /storage/ partition.

      2. Connect to the command line on the appliance.

      3. Log in to Expert mode.

      4. Transfer the curl_cli binary file to /opt/fw1/bin/ directory:

        [Expert@HostName:0]# cp /storage/curl_cli /opt/fw1/bin/

      5. Assign the relevant ownership and permissions:

        [Expert@HostName:0]# chown 105:80 /opt/fw1/bin/curl_cli
        [Expert@HostName:0]# chmod u=rwx,g=rx,o=rx /opt/fw1/bin/curl_cli

      6. Run the following command on the appliance with an Internet connection and configured DNS servers (Important Note: HTTPS Inspection should be disabled on the Security Gateway):

        [Expert@HostName]# curl_cli --verbose --cacert /opt/fw1/bin/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com
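
    The script below is an added example, not part of Check Point's article or tooling. It triages a saved transcript of the curl_cli verification command above, which helps when the check is run on many gateways and the outputs are reviewed centrally. The function names, the result words and the optional expected-issuer check are assumptions of this example, and the sample transcripts are constructed from the example output shown above.

```shell
#!/bin/sh
# Added example, not Check Point code. Capture the verification run with:
#   curl_cli --verbose ... https://supportcenter.checkpoint.com > out.txt 2>&1
# (curl writes --verbose lines to stderr), then classify out.txt.

# classify_transcript FILE [EXPECTED_ISSUER_SUBSTRING]
# Prints one result word (names are this example's own); returns 0 only for OK.
classify_transcript() {
    file=$1
    expected_issuer=${2:-}
    if [ ! -r "$file" ]; then
        echo "NO_TRANSCRIPT"; return 2
    fi
    # Printed only after the chain validated against the --cacert bundle.
    if ! grep -q 'SSL certificate verify ok' "$file"; then
        echo "VERIFY_FAILED"; return 1
    fi
    # Host name check, in the line format shown in the article's example.
    if ! grep -q 'subjectAltName: .* matched' "$file"; then
        echo "NAME_NOT_MATCHED"; return 1
    fi
    # Optional (assumption of this example): flag an unexpected issuer, for
    # instance when an HTTPS Inspection device re-signed the connection.
    if [ -n "$expected_issuer" ]; then
        issuer=$(sed -n 's/^.*\*[[:space:]]*issuer:[[:space:]]*//p' "$file" | head -n 1)
        case $issuer in
            *"$expected_issuer"*) ;;
            *) echo "ISSUER_MISMATCH"; return 1 ;;
        esac
    fi
    # A response status line shows that HTTP traffic crossed the TLS session.
    if ! grep -q '^ *< HTTP/' "$file"; then
        echo "NO_HTTP_RESPONSE"; return 1
    fi
    echo "OK"
}

# Constructed sample transcripts; ok.txt abridges the article's example output.
write_samples() {
    dir=$1
    cat > "$dir/ok.txt" <<'EOF'
* Server certificate:
* subject: C=US, ST=California, L=San Carlos, O=Check Point Software Technologies Inc., OU=US MIS, CN=supportcenter.checkpoint.com
* subjectAltName: supportcenter.checkpoint.com matched
* issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
* SSL certificate verify ok.
< HTTP/1.1 302 Found
EOF
    # Same transcript with a different (constructed) issuer.
    sed 's/issuer: .*/issuer: CN=Example Inspection CA (constructed)/' \
        "$dir/ok.txt" > "$dir/resigned.txt"
    # Transcript in which verification never succeeded.
    grep -v 'verify ok' "$dir/ok.txt" | grep -v '< HTTP/' > "$dir/failed.txt"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for name in ok resigned failed; do
    printf '%s: %s\n' "$name" \
        "$(classify_transcript "$tmp/$name.txt" 'Symantec Class 3')"
done
rm -rf "$tmp"
```

    The expected-issuer substring must be updated whenever the server certificate is reissued by a different CA; omit the second argument to skip that check.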


  • Will this change to SHA-256 based certificates affect the license activation in First Time Configuration Wizard on Check Point Appliance?

    On versions R77.20 and lower, automatic license activation cannot be performed during First Time Configuration Wizard without the required hotfix.
    To activate your Check Point Appliance:

    1. Complete the First Time Configuration Wizard

    2. Install the required hotfix

    3. Connect to operating system GUI on Check Point Appliance and pull the license from the Check Point User Center:

      • Gaia Portal - go to Maintenance section - click on License Activation page - click on Get License

        (refer to R77 versions Gaia Administration Guide - Chapter "Maintenance" - section "License Activation")
      • SecurePlatform WebUI - go to Product Configuration section - click on Licenses page - click on Check Point User Center link

        (refer to R77 versions SecurePlatform Administration Guide - Chapter 4 "Configuration Using the Web Interface" - section "Product Configuration" - subsection "Licenses")

    Note: The recommended way of applying licenses is by using SmartUpdate.

 

 

(7) Revision History

Date Description
21 Feb 2017
  • Section "Required packages for Check Point online upload service" - updated the note that improved built-in CPinfo package is integrated in the Endpoint Security Client E80.65 released on February 19th, 2017
19 Jan 2017
  • Improved the design of this article
27 Dec 2016
  • Section "Required packages for Check Point online download service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 image released on December 27th, 2016
  • Section "Required packages for Check Point online download service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 image released on December 27th, 2016
  • Section "Required packages for Check Point online upload service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 image released on December 27th, 2016
  • Section "Required packages for Check Point online upload service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 image released on December 27th, 2016
16 Dec 2016
  • Section "Required packages for Check Point online download service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 images released on December 16th, 2016
  • Section "Required packages for Check Point online download service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 images released on December 16th, 2016
  • Section "Required packages for Check Point online upload service" - added a note that improved CPinfo package (Build 914000164) is integrated in the new R77.30 images released on December 16th, 2016
  • Section "Required packages for Check Point online upload service" - added a note that improved CPUSE Agent package (Build 1130) is integrated in the new R77.30 images released on December 16th, 2016
  • Section "Required packages for Check Point online upload service" - added a note that GUI-based CPUploader utility was released on November 20th, 2016 as an integral part of the CPinfo utility package for Windows OS
14 Dec 2016
  • Section "Required packages for Check Point online download service" - corrected the note that the relevant fix is integrated into Jumbo Hotfix Accumulator for R77.20 - since Take_91 (instead of Take_77)
20 Nov 2016
  • Section "Required packages for Check Point online download service" - improved R80 SmartConsole is now available.
  • Section "Required packages for Check Point online upload service" - improved R80 SmartConsole is now available.
25 Oct 2016
  • Section "Background" - added Endpoint Security Client's built-in CPinfo to the list of products that use online upload service.
  • Section "Required packages for Check Point online upload service" - added explanation about Endpoint Security Client's built-in CPinfo.
17 Oct 2016
  • Section "Required packages for Check Point online download service" - improved the explanations and instructions.
  • Section "Required packages for Check Point online upload service" - improved the explanations and instructions.
13 Oct 2016
  • Section "Required packages for Check Point online download service" - improved CPSizeMe utility is now available (v3.4 and above).
12 Oct 2016
  • Section "Background" - added Check Point Uploader to the list of products that use online upload service.
  • Section "Background" - added an example of CPUploader file upload failure.
  • Section "Required packages for Check Point online upload service" - added explanation about GUI-based CPUploader.
05 Oct 2016
  • Section "Required packages for Check Point online download service" - improved CPinfo utility is now available (Build 914000164 and above).
  • Section "Required packages for Check Point online download service" - added explanation about CPUSE Agent.
  • Section "Required packages for Check Point online upload service" - added explanation about CPUSE Agent.
  • Section "Required packages for Check Point online upload service" - added explanation about CPSizeMe.
02 Oct 2016
  • Section "Required packages for Check Point online upload service" - improved CPinfo utility is now available (Build 914000164 and above).
29 Sep 2016
  • Section "Background" - added an example of Threat Emulation engine online update failure.
  • Section "Required packages for Check Point online download service" - updated the Threat Emulation engine version.
26 Sep 2016
  • Section "Background" - clarified the time line for migration of certificates (started in June 2016, will end in Nov 2016).
25 Sep 2016
  • Section "Background" - updated the time line for migration of certificates from "Q4 2016" to "October 2016".
  • Section "Background" - improved explanations.
  • Merged section "Solution" and section "Hotfixes" under the title "Required packages for Check Point online download service".
  • Added section "Solution for Check Point online upload service".
22 Sep 2016
  • Section "Background" - updated the time line for migration of certificates from "June 2016" to "Q4 2016".
06 June 2016
  • Section "Hotfixes" - improved instructions.
  • Section "FAQ" - added a question about license activation in First Time Configuration Wizard on Check Point Appliance.
05 June 2016
  • Section "Background" - added examples of online update failures.
01 June 2016
  • Section "Background" - added an example of IPS online update failure.
14 Apr 2016
  • Section "FAQ" - added a note about verification of SHA-256 being supported on SMB appliances.
23 Mar 2016
  • Section "Additional Products" - added "OPSEC SDK 3rd Party Clients".
22 Feb 2016
  • Section "Background" - updated the time line for gradual migration of certificates from "during June 2016" to "starting June 5th, 2016".
12 Jan 2016
  • Section "Hotfix Uninstall Instructions" - added the uninstall instructions for Gaia OS package that was installed without reboot.
11 Jan 2016
  • Section "Background" - updated the time line for gradual migration of certificates from "February 2016" to "June 2016".
  • Section "Solution" - added Jumbo Hotfix Accumulators and relevant Takes, in which the fix is included.
27 Oct 2015
  • Added section "Related Solutions".
20 Oct 2015
  • Section "Background" - updated the time line for gradual migration of certificates from "November 2015" to "February 2016".
15 Oct 2015
  • Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - added an example of successful connection to Check Point server.
14 Oct 2015
  • Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - added a note that HTTPS Inspection has to be disabled on the Security Gateway.
12 Oct 2015
  • Section "FAQ" - added a question about which hotfix should be installed (hotfix from this SK, specific Take of a Jumbo Hotfix Accumulator, a combined hotfix is needed, etc.?).
11 Oct 2015
  • Section "Solution" - the fix is also included in Data Center Security Appliances R76SP.20.
  • Section "Additional Products" - updated status of "61000 / 41000 Security Systems".
  • Section "Additional Products" - updated status of "DDoS Protector appliance".
  • Section "Additional Products" - updated status of "LOM card on Check Point appliances".
  • Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - clarified commands.
08 Oct 2015
  • Section "Hotfixes" - clarified installation instructions for package "R77.20 for Gaia without reboot".
06 Oct 2015
  • Section "FAQ" - question about how to verify that the hotfix was installed and SHA-256 is supported - clarified commands.
16 Sep 2015
  • Section "Solution" - added clarification, that hotfix can be provided only for supported versions.
15 Sep 2015
  • Section "Additional Products" - added "DDoS Protector appliance" and "LOM card on Check Point appliances" (information will be added soon).
09 Sep 2015
  • Section "FAQ" - added a question about how to verify that the hotfix was installed and SHA-256 is supported.
28 July 2015
  • Section "Solution" - the fix is also included in Endpoint Security Server E80.61 / R77.20.01.
22 July 2015
  • Section "Additional Products" - added firmware R75.20 HFA 70 (R75.20.70) for 600 / 1100 Appliance and Security Gateway 80.
21 July 2015
  • Section "Additional Products" - added firmware 8.2.77 for UTM-1 Edge N and Safe@Office 1000.
16 July 2015
  • Section "FAQ" - added a question about Offline Updates.
08 July 2015
  • Section "Hotfixes" - improved UnInstall instructions.
21 June 2015
  • Section "Hotfixes" - added link to package "R77.20 for Gaia without reboot".
18 June 2015
  • Section "Hotfixes" - added link to "R77.10 for AWS".
  • Section "Additional Products" - added link to "R75.20 HFA 69 (Build 983004095)".
05 June 2015
  • Section "Hotfixes" - added UnInstall instructions.
  • Section "FAQ" - added a question about installing this hotfix on all machines at the same time.
04 June 2015
  • Section "Hotfixes" - for versions R75.20 - R75.46, contact Check Point Support to get this hotfix.
29 May 2015
  • Section "Additional Products" - added "SmartEvent NGSE".
  • Section "Additional Products" - added link to "R77.20 for 600 / 1100 / 1200R Appliance".
21 May 2015
  • Section "Solution" - added a clarification that this hotfix is already fully integrated into R77.30
23 Apr 2015
  • Section "Additional Products" - updated "Safe@Office" appliances.
22 Apr 2015
  • Section "Additional Products" - added "UTM-1 Edge" and "Safe@Office" appliances.
21 April 2015
  • Section "FAQ" - question about Jumbo Hotfix Accumulators - updated Issue IDs.
20 April 2015
  • Section "FAQ" - added a question about Jumbo Hotfix Accumulators.
  • Section "FAQ" - added a question about ISO images.
19 April 2015
  • First release of this document.
Applies To:
