Table of Contents:

1. Background
2. Solution for Check Point online download service
   1. Which versions already contain this fix?
   2. Hotfix packages for Check Point online download service
   3. Hotfix Installation Instructions
   4. Hotfix Uninstall Instructions
3. Solution for Check Point online upload service
   1. Improved CPinfo package
   2. Improved CPUSE Agent package
   3. Improved GUI-based CPUploader package
   4. Improved CPSizeMe package
   5. Improved SmartConsole package
   6. Improved Endpoint Security Client's built-in CPinfo
4. Additional Products
5. FAQ
6. Related Solutions
7. Revision History

 

 

(1) Background

To proactively enhance the security of our online update services, Check Point will gradually migrate certificates on its servers
from SHA-1 based to SHA-256 based starting in June 2016 (with a major migration in October 2016) and ending in November 2016.

Important Note: If the required packages are not installed by that time, Check Point Software on your machine
will fail to communicate with Check Point online download / upload services once the certificates migration process is completed.

Check Point online download / upload services are used by Check Point software for:

• downloading of signature updates / protections
• verification of license information
• uploading of data to Check Point User Center / Check Point Cloud

The following software blades, products and features use Check Point online services:

Download service is used by

Upload service is used by

Software Blades: IPS (signatures) Application Control (applications) URL Filtering (URLs) Threat Emulation (engine self-update) Anti-Virus (signatures) Anti-Bot (signatures) Anti-Spam (signatures) HTTPS Inspection (Trusted CAs, blocked certificates) Endpoint Security On Demand (ESOD) CPUSE on Gaia OS (packages, self-update) (sk92449) CPinfo (self-update) (sk92739) SmartUpdate (packages, licenses) License operations and Contract updates Refer to section "(2) Solution for Check Point online download service".

CPinfo (file upload) (sk92739) CPUSE on Gaia OS (upload of package installation failures) (sk92449) Check Point Uploader - CLI-based (sk84000) Check Point Uploader - GUI-based (sk108152) CPSizeMe (sk88160) on R77.20 SmartDashboard: "Sync with UserCenter" feature (sk94064) Opening a Service Request (sk97748) Sending crash reports R80 Demo error reports SmartUpdate: Upload diagnostics (CPinfo) Endpoint Security Client's built-in CPinfo (file upload) (sk90445) Refer to section "(3) Solution for Check Point online upload service".

Check Point highly recommends installing the required packages to maintain the functionality of the aforementioned online services.
Otherwise, communication issues similar to these will occur:

Blade / Feature	Communication issue
IPS online update	IPS Dynamic Update window would show: x Connecting to Check Point Download Server The Check Point download server is unable to service the request at this time. Example:
Anti-Bot, Anti-Virus, Threat Emulation online update	SmartDashboard - Threat Prevention tab - Gateways pane - Update Status column would show: Error in update Anti-bot: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://... Anti-virus: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://... Threat Emulation: Update failed: The Security Gateway cannot download the file.The Security Gateway cannot connect to the Internet. Example: SmartDashboard - Threat Prevention tab - Gateways pane - Update Status section in the right pane would show: Anti-Bot: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://... Anti-Virus: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://... Threat Emulation: Update failed: The Security Gateway cannot download the file.The Security Gateway cannot connect to the Internet. Example:
Application Control, URL Filtering online update	SmartDashboard - Application & URL Filtering tab - Gateways pane - Update Status column would show: Error in database update Application Control: Update failed. Gateway can not access internet ('https://... URL Filtering: Update failed. Gateway can not access internet ('https://... Example: SmartDashboard - Application & URL Filtering tab - Gateways pane - Application Database Updates section would show: Automatic update failed, check Management Server connectivity and proxy settings Example:
Threat Emulation Engine self-update	SmartLog / SmartView Tracker log will show (sk113333): Threat Emulation update failed, cannot download <Name_of_Component>. Failed running download process. Example: SmartView Monitor will show (sk113333): Error: Threat Emulation update failed, cannot download JAVA. Failed running download process. Example:
CPUSE online update	CPUSE Agent in Gaia Portal would show: Note: Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page. Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS and Proxy). Example:
SmartUpdate online update	SmartUpdate GUI would show: Problem with local certificate Example:
License activation in First Time Configuration Wizard on Check Point Appliance	On versions R77.20 and lower, automatic license activation cannot be performed during First Time Configuration Wizard without the required hotfix. To activate your Check Point Appliance: Complete the First Time Configuration Wizard Install the required hotfix Connect to operating system GUI on Check Point Appliance and pull the license from the Check Point User Center: Gaia Portal - go to Maintenance section - click on License Activation page - click on Get License (refer to R77 versions Gaia Administration Guide - Chapter "Maintenance" - section "License Activation") SecurePlatform WebUI - go to Product Configuration section - click on Licenses page - click on Check Point User Center link (refer to R77 versions SecurePlatform Administration Guide - Chapter 4 "Configuration Using the Web Interface" - section "Product Configuration" - subsection "Licenses") Note: The recommended way of applying licenses is by using SmartUpdate.
CPinfo file upload	CPinfo file upload would fail: [Expert@HostName:0]# ./cpinfo -nf test.log You have requested option n, without any argument. You have requested option f, with argument test.log. This is Check Point CPinfo Build xxx for GAIA Please provide an SR number:28-12345678                 Uploading (using proxy)... Initiating connection to User Center: Failed to connect Warning: Failed connecting to User Center (Please check that User Center is accessible on https service) Example:
Check Point Uploader file upload	File upload in CLI-based Check Point Uploader would fail: [Expert@HostName:0]# ./cp_uploader -u username@checkpoint.com test_file.txt Password: Initiating connection to User Center: Error: Failed connecting to User Center (Please check that port 443 is open) [Expert@HostName:0]# File upload in GUI-based Check Point Uploader would fail: "Upload Result Notification" pop-up would show: Operation not completed! "Log" section would show: Error: Failed connecting to User Center

 

(2) Required packages for Check Point online download service

(2-A) Which versions already contain this fix?

Note: For customers using online download services in SmartDashboard or SmartUpdate version R77.20 and below, and R80 specifically, an improved SmartConsole for download service is required.

Product / Blade / Feature	Support for SHA-256 certificates for download services is integrated since
Security Gateway / Cluster / VSX / Management Server / Log Server	Check Point R77.30 and above Jumbo Hotfix Accumulator for R77.20 - since Take_91 Jumbo Hotfix Accumulator for R77.10 - since Take_127 Jumbo Hotfix Accumulator for R77 - since Take_37 Jumbo Hotfix Accumulator for R76 - since Take_61 Jumbo Hotfix Accumulator for R75.47 - since Take_84
SmartConsole for download service	Improved R80 SmartConsole for SHA-256 support Check Point R77.30
41000 / 61000 Security Systems	Data Center Security Appliances R76SP.20 and above Jumbo Hotfix Accumulator for R76SP.10 - since Take_62
vSEC Gateway	vSEC Gateway for NSX R77.30VSEC and above vSEC Gateway for AWS R77.10 - since take-045.01
600 / 700 / 1100 / 1200R / 1400 appliances running R77.20.X firmware image	R77.20 for 600 / 700 / 1100 / 1200R / 1400 Appliance
600 / 1100 / Security Gateway 80 appliances running R75.20.X firmware image	R75.20 HFA 69 (Build 983004095) (released 09 June 2015) R75.20 HFA 70 (R75.20.70) (released 22 July 2015)
Threat Emulation Engine	New R77.30 images released on December 16th and December 27th, 2016 Threat Emulation Offline update Slim Package 46.990000189 (released 25 July 2016) and above Jumbo Hotfix Accumulator for R77.30 - since Take_184
UTM-1 Edge N / Industrial	Firmware 8.2.77 (released 21 July 2015) - refer to sk109147
Safe@Office 1000	Firmware 8.2.77 (released 21 July 2015) - refer to sk109147
CPUSE Agent	Build 1005 (released 15 June 2016) - refer to sk92449 Build 1130 integrated in the new R77.30 images released on December 16th and December 27th, 2016
CPinfo utility	Build 914000164 (released 02 Oct 2016) - refer to sk92739 Build 914000164 integrated in the new R77.30 images released on December 16th and December 27th, 2016
OPSEC SDK 3rd Party Clients	Refer to sk63026: OPSEC SDK

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Security Management Server / upgrade Multi-Domain Security Management Server / upgrade SmartConsole / upgrade Endpoint Security Server / upgrade vSEC Gateway for NSX / upgrade 600 appliance / upgrade 700 appliance / upgrade 1100 appliance / upgrade 1200R appliance / upgrade 1400 appliance / upgrade Edge / Safe@Office device).

 

(2-B) Hotfix packages for Check Point online download service

Note: For customers using online services in SmartDashboard (such as IPS blade updates), or SmartUpdate versions R77.20 and below, and R80 specifically, an improved SmartConsole for download service is required as well.

In order to download these hotfix packages you will need to have a Software Subscription or Active Support plan.

Version	Gaia CPUSE Offline	Gaia CLI, SecurePlatform, Linux	IPSO	Windows	Improved SmartConsole
R80	Not required	Not required	N/A	N/A	Install the improved SmartConsole from sk114579
R77.20 for Gaia without reboot (1)			N/A	N/A
R77.20 (2)
R77.10 (2)
R77.10 for AWS (3)	N/A		N/A	N/A
R77 (2)
R76 (2)
R75.47 (2)					and

Notes:

1. This hotfix package can be installed without rebooting the machine.
   
   • This hotfix package is applicable only to R77.20 GA on Gaia OS.
   • At the end of the installation, the "cpstart" command is executed automatically.
   • On Multi-Domain Server, user is prompted to reboot the machine. Ignore this message and run the "mdsstop;mdsstart" commands.
2. This hotfix also includes an enhancement for HTTPS Inspection: certificates generated by the Security Gateway will be signed by the same signing algorithm (SHA-256/SHA-1) as the original server certificate, and not only by SHA-1 algorithm (as was done until now).
3. This hotfix is already integrated into R77.10 take-045.01 for AWS.

 

(2-C) Hotfix Installation Instructions

Show / Hide this section

Notes:

• Make sure to take a snapshot / backup of your Check Point machine before installing this hotfix.
• Hotfix has to be installed on all Check Point machines R77.20 and lower (already fully integrated into R77.30).
• In cluster environment, this procedure must be performed on all members of the cluster.
• In Management HA environment, this procedure must be performed on both Management Servers.

Instructions:

• On Gaia OS using CPUSE
  

  For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE"

  • Online installation in Gaia Portal

    1. Connect to the Gaia Portal on your Check Point machine.
    2. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
    3. Click on Status and Actions page.
    4. Select the hotfix package <Version> Hotfix for sk103839 ... - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
    5. Select the hotfix package - click on Install Update button on the toolbar.
    6. Reboot is required.
    7. Download and install the improved SmartConsole from the table above.

  • Online installation in Gaia Clish

    1. Connect to the command line on your Check Point machine.
    2. Log in to Clish.
    3. Acquire the lock over Gaia configuration database:
       HostName:0> lock database override
    4. Check the available packages:
       Note: Refer to the top section "Hotfixes" - refer to "<Version> Hotfix for sk103839..."
       HostName:0> show installer packages available-for-download
    5. Verify that this package can be installed without conflicts:
       HostName:0> installer verify <Package_Number>
    6. Download the hotfix package from the Check Point Cloud:
       HostName:0> installer download <Package_Number>
    7. Show the downloaded packages:
       HostName:0> show installer packages downloaded
    8. Install the downloaded package:
       HostName:0> installer install <Package_Number>
       Note: The progress (in per cent) will be displayed in Clish.
    9. Reboot is required.
    10. Download and install the improved SmartConsole from the table above.

  • Offline installation in Gaia Portal

    1. Install the latest build of CPUSE Agent from sk92449.
    2. Download the CPUSE Offline package from the table above to your computer.
    3. Connect to the Gaia Portal on your Check Point machine.
    4. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
    5. Click on Status and Actions page.
    6. On the toolbar, click on the More button and select Import Package.
    7. In the Import Package window, click on Browse... - select the CPUSE offline package - click on Upload.
    8. Click on the filter button near the "Help" icon and select All.
    9. Select the imported hotfix package <Version> Hotfix for sk103839 ... - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
    10. Select the imported hotfix package - click on Install Update button on the toolbar.
    11. Reboot is required.
    12. Download and install the improved SmartConsole from the table above.

  • Offline installation in Gaia Clish

    1. Install the latest build of CPUSE Agent from sk92449.
    2. Download the CPUSE Offline package from the table above to your computer.
    3. Transfer the offline package to your Check Point machine (into some directory, e.g., /some_path_to_hotfix/).
    4. Connect to the command line on your Check Point machine.
    5. Log in to Clish.
    6. Acquire the lock over Gaia configuration database:
       HostName:0> lock database override
    7. Import the package from the hard disk:
       Note: When import completes, this package is deleted from the original location.
       HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
    8. Show the imported packages:
       Note: Refer to the top section "Hotfixes" - refer to "<Package_File_Name>"
       HostName:0> show installer packages imported
    9. Verify that this package can be installed without conflicts:
       HostName:0> installer verify <Package_Number>
    10. Install the imported package:
        HostName:0> installer install <Package_Number>
    11. Reboot is required.
    12. Download and install the improved SmartConsole from the table above.

  
  
  
• On Gaia / SecurePlatform / Linux OS using Legacy CLI
  

  1. Download the relevant hotfix package from the table above and transfer it to the machine.
  2. Unpack and install the hotfix:
     [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk103839.tgz
     [Expert@HostName]# ./UnixInstallScript
     Notes:
     
     • The script will stop all of Check Point services ('cpstop') - read the output on the screen.
     • To install the package "R77.20 for Gaia without reboot", run:
       [Expert@HostName:0]# ./fw1_wrapper_<HOTFIX_NAME>
       Reboot is not required - at the end of the installation, the "cpstart" command is executed automatically.
  3. Reboot is required (except for "R77.20 for Gaia without reboot" package).
  4. Download and install the improved SmartConsole from the table above.

  
  
  
• On IPSO OS using CLI
  

  1. Download the relevant hotfix package from the table above and transfer it to your Check Point machine.
  2. Unpack and install the hotfix:
     HostName[admin]# tar -zxvf Check_Point_Hotfix_<VERSION>_IPSO_sk103839.tgz
     HostName[admin]# ./fw1_wrapper_<HOTFIX_NAME>
     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  3. Reboot is required.
  4. Download and install the improved SmartConsole from the table above.

  
  
  
• On Windows OS using CLI
  

  1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine.
  2. Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_Hotfix_<VERSION>_Win_sk103839.tgz file.
  3. Open the Disk_Images folder.
  4. Open the Disk1 folder.
  5. Right-click on the setup.exe file - click on Run as administrator.
     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  6. Reboot is required.
  7. Download and install the improved SmartConsole from the table above.

  
  
  
• Improved SmartConsole for download service
  

  1. Download the relevant improved SmartConsole for download service from the table above.
  2. Uninstall the current SmartConsole.
  3. Install the improved SmartConsole.

 

(2-D) Hotfix Uninstall Instructions

Show / Hide this section

Note: Names of hotfixes used in this section are given for the hotfixes provided directly in this article (refer to the table above).

Notes:

• Make sure to take a snapshot / backup of your Check Point machine before uninstalling this hotfix.
• In cluster environment, this procedure must be performed on all members of the cluster.
• In Management HA environment, this procedure must be performed on both Management Servers.

Instructions:

• On Gaia OS using CPUSE
  

  For detailed uninstall instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

  • To uninstall the standard CPUSE package that requires reboot:

    • In Gaia Portal:

      1. Connect to the Gaia Portal on your Check Point machine.
      2. Navigate to Upgrades (CPUSE) section (in Gaia R77.20) / Software Updates section (in Gaia R77.10 and lower).
      3. Click on Status and Actions page.
      4. Click on the filter button near the "Help" icon and select Installed.
      5. Right-click on the hotfix package <Version> Hotfix for sk103839 ... - select Uninstall.
      6. Reboot is required.

    • In Gaia Clish:

      1. Connect to the command line on your Check Point machine.
      2. Log in to Clish.
      3. Acquire the lock over Gaia configuration database:
         HostName:0> lock database override
      4. Uninstall the package <Version> Hotfix for sk103839 ...:
         HostName:0> installer uninstall <Package_Number>
         Note: The progress (in per cent) will be displayed in Clish.
      5. Reboot is required.

  • To uninstall the CPUSE package for R77.20 that did not require a reboot:

    • In Gaia Portal:

      1. Connect to the Gaia Portal on your Check Point machine.
      2. Navigate to Upgrades (CPUSE) section.
      3. Click on Status and Actions page.
      4. In the menu near the "Help" icon, select Installed.
      5. Right-click on the hotfix package R77.20 Hotfix for sk103839 ... - select Uninstall
      6. Reboot is not required.

    • In Gaia Clish:

      1. Connect to the command line on your Check Point machine.
      2. Log in to Clish.
      3. Acquire the lock over Gaia configuration database:
         HostName:0> lock database override
      4. Uninstall the package R77.20 Hotfix for sk103839 ...:
         HostName:0> installer uninstall <Package_Number>
         Note: The progress (in per cent) will be displayed in Clish.
      5. Reboot is not required.

  
  
  
• On Gaia OS using Legacy CLI - uninstall of the package for R77.20 that did not require a reboot
  

  1. Go to /opt/CPsuite-R77/ directory:
     [Expert@HostName:0]# cd /opt/CPsuite-R77/
  2. Execute the uninstall script:
     [Expert@HostName:0]# ./uninstall_HOTFIX_R77_20_HF_SHA256
     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  3. Reboot is required.

  
  
  
• On Gaia / SecurePlatform / Linux OS using Legacy CLI
  

  1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
     [Expert@HostName:0]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk103839.tgz
  2. Execute the uninstall script:
     [Expert@HostName:0]# ./UnixInstallScript -u
     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  3. Reboot is required.

  
  
  
• On IPSO OS using CLI
  

  1. Execute the uninstall script:
     

     Version	Command to run
     R77.20	HostName[admin]# ./opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_R77_20_HF6IS
     R77.10	HostName[admin]# ./opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_R77_HF_HA10_012
     R77	HostName[admin]# ./opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_R77_HF_BASE_013I
     R76	HostName[admin]# ./opt/CPsuite-R76/uninstall_fw1_wrapper_HOTFIX_GIZMO_HF_BASE_041_060I
     R75.47	HostName[admin]# ./opt/CPsuite-R75.40/uninstall_fw1_wrapper_HOTFIX_FOXX_HF_HA47_069

     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  2. Reboot is required.

  
  
  
• On Windows OS
  

  1. Go to Control Panel:
     
     • On Windows 2000 / 2003 - click on Add/Remove Programs
     • On Windows 2008 / Vista / 7 - click on Programs and Features
  2. Select the hotfix - click on Uninstall button:
     

     Version	Hotfix Name
     R77.20	Check Point R77.20_R77_20_HF6W
     R77.10	Check Point R77.10_R77_HF_HA10_012W
     R77	Check Point R77_R77_HF_BASE_013W
     R76	Check Point R76_GIZMO_HF_BASE_041_060I
     R75.47	Check Point R75.47_FOXX_HF_HA47_069

     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  3. Reboot is required.

  Alternatively, run the installation program with '-u' flag:

  1. Open the elevated Command Prompt:
     Start - Programs - Accessories - right-click on 'Command Prompt' icon - select 'Run as administrator'.
  2. Navigate to the folder where you unpacked the hotfix package:
     DISK:\> cd "path_to_unpacked_hotfix_package"
  3. Run the installation program with '-u' flag:
     DISK:\path_to_unpacked_hotfix_package\> setup.exe -u
  4. Reboot is required.

  
  
  
• Improved SmartConsole for download service
  

  1. Uninstall the current improved SmartConsole.
  2. Install the default SmartConsole from the relevant Home Page (R75.47, R76, R77, R77.10, R77.20).

 

(3) Required packages for Check Point online upload service

(3-A) Improved CPinfo package

• Improved CPinfo package (Build 914000164 and above) is available in the sk92739 - The CPinfo utility.

• Improved CPinfo package (Build 914000164) is integrated in the following new R77.30 images:

  • for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation appliances released on December 16th, 2016
  • for 2200 / 4000 / 12000 / 13000 / 21000 / Threat Emulation / Smart-1 / UTM-1 / Power-1 / IP Series / Open Servers released on December 27th, 2016

Note: The improved CPinfo package not only supports SHA-256 certificates, but also integrates the functionality
of the standalone Check Point Uploader utility (sk84000 / sk108152), which becomes deprecated starting in October 2016.

(3-B) Improved CPUSE Agent package

• Improved CPUSE Agent package (Build 1005 and above) is available in the sk92449 - CPUSE - Gaia Software Updates.

• Improved CPUSE Agent package (Build 1130) is integrated in the following new R77.30 images:

  • for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation appliances released on December 16th, 2016
  • for 2200 / 4000 / 12000 / 13000 / 21000 / Threat Emulation / Smart-1 / UTM-1 / Power-1 / IP Series / Open Servers released on December 27th, 2016

(3-C) Improved GUI-based CPUploader package

Improved GUI-based CPUploader utility was released on November 20th, 2016 as an integral part of the CPinfo utility package for Windows OS.
Follow the instructions in sk108152.

(3-D) Improved CPSizeMe package

Improved CPSizeMe package (version 3.14) is available in sk88160 - The Check Point Performance Sizing Utility.

Note: Applies only to R77.20

(3-E) Improved SmartConsole package

• Improved R80 SmartConsole package for upload service is available in sk114579 - Improved R80 SmartConsole for SHA-256 support.

• For R77.30 SmartConsole upload functionality, install the CPinfo Utility build 914000173 and above on the SmartConsole computer.

• For lower supported SmartConsole versions, contact Check Point Support to create the improved SmartConsole for your version.

(3-F) Improved Endpoint Security Client's built-in CPinfo

The improved built-in CPinfo utility (sk90445) is available starting in Endpoint Security Client E80.65.

 

(4) Additional Products

 

(5) FAQ

• What happens if I do not install this hotfix on some of my Check Point machines?
  

  Check Point machines, on which this hotfix was not installed, will not be able to connect to Check Point servers and perform operations like signatures updates (IPS blade, Anti-Virus blade, other blades), Licensing, Contracts, etc. - refer to this section.

  
  
  
• Do I have to install this hotfix on all my Check Point machines at the same time?
  

  This hotfix is intended for each machine individually. It does not affect the communication between Security Management Server / Multi-Domain Security Management Server and the managed Security Gateways.
  Meaning, you can install this hotfix on a Security Management Server, and after some time install it on the managed Security Gateways.

  In addition, refer to Question 1.

  
  
  
• Is this hotfix compatible with other hotfixes I have installed?
  

  Some hotfixes replace the same files. In cases where a private hotfix provided by Check Point Support is installed, there might be a conflict between the hotfixes, and hotfix installation will be aborted with specific message about what fixes exactly conflict with each other.

  Contact Check Point Support to get a combined Hotfix that contains all the required fixes for your Check Point machine
  For faster resolution and verification, please provide the following:

  • Specific message about what fixes conflict with each other
  • CPinfo file from the involved Check Point machine

  
  
  
• Do I have to install the improved SmartDashboard? What does it add?
  

  The improved SmartConsole is required to be able to work with Check Point servers - operations like signatures updates (IPS blade, Anti-Virus blade, other blades), Licensing, Contracts, etc.

  
  
  
• What is the impact on the production when installing the no-reboot R77.20 hotfix package instead of the "regular" one?
  

  The previously released R77.20 "regular" hotfix contains all the previously released R77.20 recommended hotfixes. One of such integrated R77.20 recommended hotfixes requires reboot.

  The fix for SHA-256 certificates is only a user space library file and installing it does not require reboot.

  A "lighter" hotfix package was created for R77.20 Gaia that includes only the fix for SHA-256 certificates to allow installing the required SHA-256 fix without rebooting the machine.
  

  This "lighter" hotfix package should not conflict with other hotfix packages that might already be installed on the R77.20 Gaia machine:

  • If other hotfix packages are already installed on the R77.20 Gaia machine, then you should be able to easily install this "lighter" hotfix package on top of them.
  • If this is a cleanly installed R77.20 Gaia (without any hotfixes), then you can easily install this "lighter" hotfix package, and later you should be able to install other desired hotfix packages on top of it (however, other hotfix packages will require a reboot).

  
  In case any conflict between the hotfixes is detected, the installation will automatically be aborted with relevant explanation that mentions the conflicting hotfixes. Contact Check Point Support with this information. For faster resolution and verification, please also collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

  
  
  
• Are there offline updates available for Software Blades?
  

  Yes. Refer to:

  • sk93724 - IPS Offline Updates
  • sk92509 - Offline updates for Threat Emulation images and engine

  
  
  
• Was this fix integrated into Jumbo Hotfix Accumulators?
  

  Yes - fix for online download services was integrated into all known Jumbo Hotfix Accumulators.

  Status update as of 13 July 2015:

  Jumbo Hotfix Accumulator	Integration	Issue IDs	Integrated in
  sk101975 - Jumbo Hotfix Accumulator for R77.20 (R77_20_jumbo_hf)	Full since Take 91	01526937	Take 51
  		01510981	Take 36
  		01507672	Take 31
  		01563194	Take 91
  sk98285 - Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021)	Full since Take 127	01639154	Take 127
  		01513476	Take 88
  		01523791	Take 88
  		01604263	Take 116
  sk96192 - Jumbo Hotfix Accumulator for R77 (gulli_hf_base_008)	Full since Take 37	01639153	Take 37
  		01527195	Take 37
  		01527193	Take 37
  		01606230	Take 37
  sk96191 - Jumbo Hotfix Accumulator for R76 (gizmo_hf_041_050)	Full since Take 61	01639624	Take 61
  		01552671	Take 54
  		01547804	Take 50
  		01608312	Take 54
  sk95827 - Jumbo Hotfix Accumulator for R75.47 (fiat_hf_base_026)	Full since Take 84	01640153	Take 84
  		01524715	Take 67
  		01524713	Take 67
  		01570018	Take 76
  sk103121 - Data Center Security Appliances R76SP.10 - Jumbo Hotfix Accumulator	Full since Take 62	01579733	Take 62
  		01513576	Take 62
  		01507932	Take 62
  		01579728	Take 62
  sk105706 - Data Center Security Appliances R76SP.10_VSLS - Jumbo Hotfix Accumulator	Full since Take 15	01579733	Take 15
  		01513576	Take 15
  		01507932	Take 15
  		01579728	Take 15

  
  
  
• Will this fix be integrated into ISO images?
  

  Currently, there are no such plans.

  
  
  
• How can I determine which "SHA-256" hotfix for Check Point online download service should be installed - hotfix from this SK, specific Take of a Jumbo Hotfix Accumulator, a combined hotfix is needed, etc.?
  

  • Show / Hide instructions if the involved machine runs on Gaia / SecurePlatform / Linux / IPSO OS
    

    1. Download this package with a special shell script and transfer it to the involved machine.
       
       

    2. Collect CPinfo file on the involved machine:

       # cpinfo -o /path_to/<CPinfo_File>.cpinfo

       Note: Do not use the "-z" flag, so that the output file is not compressed.
       
       

    3. Unpack the package with a special shell script:

       # tar xvf sha256_check.tar
       
       

    4. Assign the execute permissions to the shell script:

       # chmod u+x sha256_check.sh
       
       

    5. Execute the script (requires absolute path to the CPinfo file):

       # ./sha256_check.sh /path_to/<UnPacked_CPinfo_File>

       Refer to the instructions on the screen.

    
    
    
  • Show / Hide instructions if the involved machine runs on Windows OS
    

    1. Download this package with a special shell script and transfer it to a machine that runs Gaia / SecurePlatform / Linux / IPSO OS.
       
       

    2. Collect CPinfo file from the involved machine:

       C:\> cpinfo -z -o C:\<CPinfo_File>.cpinfo
       
       
    3. Transfer the collected CPinfo file to the same machine (that runs on Gaia / SecurePlatform / Linux / IPSO OS) where you transferred the package with a special shell script.
       
       

    4. Unpack the CPinfo file:

       # gzip -d -v <CPinfo_File>.cpinfo.gz
       
       

    5. Unpack the package with a special shell script:

       # tar xvf sha256_check.tar
       
       

    6. Assign the execute permissions to the shell script:

       # chmod u+x sha256_check.sh
       
       

    7. Execute the script (requires absolute path to the CPinfo file):

       # ./sha256_check.sh /path_to/<UnPacked_CPinfo_File>

       Refer to the instructions on the screen.

  
  
  
• How can I verify that the hotfix for Check Point online download service was installed, and now SHA-256 is supported on my machine?
  

  • Instructions for Security Gateway / Security Management Server

    After installing the hotfix and rebooting, run the following command on your machine with an Internet connection and configured DNS servers (Important Note: HTTPS Inspection should be disabled on the Security Gateway):

    In R77 and above:
    [Expert@HostName]# curl_cli --verbose --cacert $CPDIR/conf/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com
    
    In R76 and lower:
    [Expert@HostName]# curl_cli --verbose --cacert $FWDIR/bin/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com

    • If the connection succeeds, then everything works correctly (see example below).
    • If an error message appears, then contact Check Point Support for assistance.
      For faster resolution and verification, please provide:
      
      • Output of the above "curl_cli" command
      • CPinfo file from the involved Security Management Server
      • CPinfo file from the involved Security Gateway

    Example of successful connection to Check Point server:

    You should see the following in the end:
    * Server certificate:
    * subject: C=US, ST=California, L=San Carlos, O=Check Point Software Technologies Inc., OU=US MIS, CN=supportcenter.checkpoint.com
    * start date: 2015-06-02 00:00:00 GMT
    * expire date: 2017-06-02 23:59:59 GMT
    * subjectAltName: supportcenter.checkpoint.com matched
    * issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
    * SSL certificate verify ok.
    * servercert: Finished
    < HTTP/1.1 302 Found
    < Date: Wed, 14 Oct 2015 11:51:27 GMT
    < Server: SAP J2EE Engine/6.40
    < location: https://supportcenter.checkpoint.com/supportcenter/index.jsp
    < content-length: 0
    < Via: 1.1 supportcenter.checkpoint.com (Apache/2.2.27)
    < Content-Type: text/plain
    

  • Instructions for Small Business appliances (600 / 700 / 1100 / 1200R / 1400)

    Firmware R75.20.70 (or higher) and R77.20 GA (or higher) contain this fix.

    Due to its size, the curl_cli binary file was excluded from firmware image.

    Therefore, to use the above instructions for Security Gateway / Security Management Server, contact Check Point Support to get the curl_cli binary file.
    A Support Engineer will make sure the file is compatible with your appliance before providing it.
    For faster resolution and verification, please collect CPinfo file from the SMB appliance involved in the case.

    1. Transfer the curl_cli binary file that you received from Check Point Support to the appliance - to the /storage/ partition.

    2. Connect to the command line on the appliance.

    3. Log in to Expert mode.

    4. Transfer the curl_cli binary file to /opt/fw1/bin/ directory:

       [Expert@HostName:0]# cp /storage/curl_cli /opt/fw1/bin/

    5. Assign the relevant ownership and permissions:

       [Expert@HostName:0]# chown 105:80 /opt/fw1/bin/curl_cli
       [Expert@HostName:0]# chmod u=rwx,g=rx,o=rx /opt/fw1/bin/curl_cli

    6. Run the following command on the appliance with an Internet connection and configured DNS servers (Important Note: HTTPS Inspection should be disabled on the Security Gateway):

       [Expert@HostName]# curl_cli --verbose --cacert /opt/fw1/bin/ca-bundle.crt --tlsv1 https://supportcenter.checkpoint.com

  
  
  
• Will this change to SHA-256 based certificates affect the license activation in First Time Configuration Wizard on Check Point Appliance?
  

  On versions R77.20 and lower, automatic license activation cannot be performed during First Time Configuration Wizard without the required hotfix.
  To activate your Check Point Appliance:

  1. Complete the First Time Configuration Wizard

  2. Install the required hotfix

  3. Connect to operating system GUI on Check Point Appliance and pull the license from the Check Point User Center:

     • Gaia Portal - go to Maintenance section - click on License Activation page - click on Get License

       (refer to R77 versions Gaia Administration Guide - Chapter "Maintenance" - section "License Activation")

     • SecurePlatform WebUI - go to Product Configuration section - click on Licenses page - click on Check Point User Center link

       (refer to R77 versions SecurePlatform Administration Guide - Chapter 4 "Configuration Using the Web Interface" - section "Product Configuration" - subsection "Licenses")

  Note: The recommended way of applying licenses is by using SmartUpdate.

 

(6) Related Solutions

• sk108285 - Management Portal shows SHA-1 certificate is used although SHA-256 Hotfix from sk103839 was installed

• sk103840 - SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)

• sk108252 - How to change Gaia Portal's certificate from SHA-1 to SHA-256

• sk110425 - OPSEC SDK - SHA-256 support

• sk109147 - How to configure HTTPS certificate on Edge / Safe@Office device for Web GUI and Remote Access clients

• sk113333 - Errors during Threat Emulation update
  
  
• sk115894 - How to change HTTPS Inspection certificate from SHA-1 to SHA-256
  

 

(7) Revision History