Installing a Jumbo Hotfix Accumulator on CloudGuard for Azure, AWS and GCP VMs

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk109141
Technical Level
Product	CloudGuard Network for Azure, CloudGuard Network for AWS, CloudGuard Network for Google Cloud Platform
Version	R80.10 (EOL), R80.20, R80.30, R80.40, R81, R81.10
OS	Gaia
Platform / Model	AWS, Azure, Google Cloud Platform
Date Created	21-Dec-2015
Last Modified	25-Jan-2022

Solution

It is now possible to apply Jumbo Hotfix Accumulators on Check Point Security Gateways running in Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP).

Supported Jumbo Hotfix Accumulators per version

Platform	Version	Supported JHF	Notes and Limitations
Azure, AWS	R77.30	R77.30 Jumbo Hotfix Accumulator	From take 189 and higher. See Notes for installing R77.30 Jumbo Hotfix Accumulators
GCP	R77.30	Not supported
Azure, AWS, GCP	R80.10	R80.10 Jumbo Hotfix Accumulator	Supported in Azure from take 135 and higher. Supported in AWS and GCP from take 53 and higher. Take 131 is not supported on GCP. Uninstalling JHFs is not supported when using CPUSE build 1677 or below.
Azure, AWS, GCP	R80.20 Management	R80.20 Jumbo Hotfix Accumulator
Azure, AWS, GCP	R80.20 Gateway	Jumbo Hotfix Accumulator for R80.20 with Gaia 3.10
Azure, AWS, GCP	R80.30 Management	R80.30 Jumbo Hotfix Accumulator
Azure, AWS, GCP	R80.30 Gateway	R80.30 Jumbo Hotfix Accumulator	From take 50 and higher. In Azure, takes 156-194 are not supported.
Azure, AWS, GCP	R80.40	Jumbo Hotfix Accumulator for R80.40 (R80_40_jumbo_hf)	For Gateway image version R80.40-294.640 deployed in Azure it is mandatory to manually uninstall the following preinstalled hotfixes via CPUSE before installing the Jumbo Hotfix Accumulator. These hotfixes contain support for VMSS Remote Access feature only and can be safely uninstall if VMSS Remote Access is not used. Attempting to install a newer Jumbo Hotfix Accumulator take without uninstalling the hotfixes will result in an installation failure due to confilct. fw1_wrapper_HOTFIX_R80_40_JHF_T48_308_MAIN_GA_FULL.tgz accel_HOTFIX_R80_40_JHF_T48_308_MAIN_GA_FULL.tgz For Gateway image versions R80.40-294.839 with installed Jumbo HF take 118 and R80.40-294.833 with installed Jumbo HF take 131 it is mandatory to perform CPUSE inplace upgrade to the the R80.40 version with a newer Jumbo HF take. See sk174583 for more details.
Azure, AWS, GCP	R81	Jumbo Hotfix Accumulator for R81 (R81_jumbo_hf)	For Gateway image versions R81-392.840 and R81.836 with installed Jumbo HF take 23 it is mandatory to perform CPUSE inplace upgrade to the R81 version with a newer Jumbo HF take. See sk109141 for more details.

Notes:

Installation of any other hotfix is not supported, unless specifically stated for that hotfix.

Notes for installing R77.30 Jumbo Hotfix Accumulators

Show / Hide the section

On Security Gateway running in Amazon Web Services (AWS), it is not supported to install Takes 189 and higher of the R77.30 Jumbo Hotfix Accumulator when the user's shell is configured to /etc/cli.sh (the default shell).

Before installing the Takes 189 and higher, the user's shell must be changed to any shell other than /etc/cli.sh - e.g., /bin/bash, /bin/csh, /bin/tcsh (refer to R77 versions Gaia Administration Guide - chapter "User Management" - section "Users").

After installing the Takes 189 and higher, it is not supported to change the user's shell back to /etc/cli.sh.

The "GIRAFFE" hotfix is pre-installed as part of the image for automation of the vSEC Controller:

Starting with the Check Point image R77.30-028.120 for AWS

Starting with the Check Point image 77.30.8029129 for Azure

Before installing Take 189 (and higher) of R77.30 Jumbo Hotfix Accumulator, this "GIRAFFE" hotfix must be uninstalled (otherwise, a conflict will occur):

Check if this hotfix is installed:
[Expert@HostName:0]# cpinfo -y all | grep HOTFIX_GIRAFFE_V2

Uninstall this hotfix either using the CPUSE, or on the CLI:
[Expert@HostName:0]# /opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_GIRAFFE_V2

The vSEC Central License Management Utility is pre-installed as part of the image as VSEC_CENTRAL_LIC_001 hotfix.

Before installing Take 221 (and higher) of R77.30 Jumbo Hotfix Accumulator, this "VSEC_CENTRAL_LIC_001" hotfix must be uninstalled (otherwise, a conflict will occur):

Check if this hotfix is installed:
[Expert@HostName:0]# cpinfo -y all | grep VSEC_CENTRAL_LIC

Uninstall this hotfix either using the CPUSE, or on the CLI:
[Expert@HostName:0]# /opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_VSEC_CENTRAL_LIC_001

If you are using the machine as Management Server, then after installing Take 221 (and higher) of R77.30 Jumbo Hotfix Accumulator, you may want to reinstall the vSEC Central License Management Utility (the "VSEC_CENTRAL_LIC_001" hotfix from sk109713).

On Security Gateway running in Amazon Web Services (AWS), importing the R77.30 Jumbo Hotfix Accumulator package using the CPUSE in Gaia Portal might fail.

In such case, import and install the CPUSE Offline package of the R77.30 Jumbo Hotfix Accumulator in Gaia Clish:

Make sure to install the latest build of the CPUSE Agent.

Refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent):

Follow the section "(4-A-d)" - import instructions for Offline procedure in Gaia Clish
HostName> lock database override
HostName> installer import local <Full_Path>/<Name_of_Jumbo_Hotfix_Package>.tgz
HostName> show installer packages imported

Follow section "(4-B-a)", subsection "(4-B-a-iii)" - installation instructions in Gaia Clish for Hotfixes:
HostName> installer verify[press Space key][press Tab key]
HostName> installer verify <Package_Number>
HostName> installer install[press Space key][press Tab key]
HostName> installer install <Package_Number>

Reboot is required.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating