Blink - Gaia Fast Deployment
Solution

 Table of Contents:

  1. Introduction
  2. What's New
  3. Supported deployments
  4. Downloads
  5. Blink image
  6. Blink image updates
  7. How to use the Blink mechanism
  8. How to configure the Blink mechanism
    • File Description
    • The answers.xml file for Security Management Images
    • The answers.xml file for Security Gateway Images
  9. Limitations
  10. Revision History

 

(1) Introduction

The Gaia Fast Deployment mechanism, called "Blink", allows fast and easy deployment of cleanly installed Check Point Security Gateways and Security Managements.
Upon completion of the deployment process, the user gets a cleanly installed machine (with the First Time Configuration Wizard completed), the desired Hotfixes, and updated signatures for the installed Software Blades.

For the deployment procedure, refer to sections "(7) How to use the Blink mechanism" and "(8) How to configure the Blink mechanism".

The Blink mechanism allows:

  • Deployment of a cleanly installed Security Gateway or Security Management (Blink Image) within ~5-7 minutes for Security Gateway and ~10-16 minutes for Security Management, including the desired hotfix packages and updated Software Blades signatures (optional)
  • Basic configuration that allows the basic functionality of the machine:
    • IP address configuration on the appliance's Management interface
    • In case of Security Gateway:
      • SIC configuration
      • Gaia OS admin password
    • In case of Security Management:
      • Administrator credentials
    • Approval to upload data to / download data from Check Point cloud
  • Installation of Blink Image updates (for details, refer to section "(6) Blink image updates")

Important Note: The Blink mechanism is intended only for cleanly installed machines - a Check Point appliance on which Check Point software has been installed (a new Check Point appliance, or one restored to factory defaults), but on which the First Time Configuration Wizard has not been run yet.
In any other case, the --reimage flag needs to be used (see section "(7) How to use the Blink mechanism").

Comparison chart between General deployment and Blink deployment of R80.10 Security Management (Primary) on Smart-1 255:

Clean Installation of R80.10 Security Management (with Jumbo HFA) by ISOMorphic - total time: 58.5 minutes

  • Preparation time - 17 minutes:
    • Burning Gaia OS + Jumbo HFA on a USB with ISOMorphic
  • Installing clean machine (automated by ISOMorphic) - 41.5 minutes:
    • Installing the new version on the appliance (Anaconda)
    • Running First Time Wizard to configure a Security Management (Primary) machine
    • Installing a Jumbo HFA on a configured machine
    • Reboot
    • All Processes are up and machine is ready to use

Blink installation of R80.10 Security Management (with Jumbo HFA) from USB - total time: 15.5 minutes

  • Preparation time - 3 minutes:
    • Copying the image + utility to the machine
  • Installing Blink Image - 12.5 minutes:
    • Installation of R80.10 Security Management (Primary) image + Jumbo HFA
    • Reboot
    • Performing Blink Wizard
    • All Processes are up and machine is ready to use

 

(2) What’s New?

  • New Security Management images aligned with answers.xml file version 1.1 were added.

  • All updated Security Gateway public images have the new answers.xml file format.

 

(3) Supported deployments

Versions
  • Gaia OS R77.30
  • Gaia OS R80.10
Product
  • Security Gateway
  • Security Management
Hardware
  • For Security Gateway:
    • Check Point Appliances 2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, and 23000
  • For Security Management:
    • Smart-1 25B, Smart-1 150, Smart-1 205, Smart-1 225, Smart-1 3050, Smart-1 3150, Smart-1 410, Smart-1 425, Smart-1 525, Smart-1 5150
  • Running Blink on software RAID appliances is supported on Blink images created on 24 Jan 2018 and later

 

(4) Downloads

This section provides the links to all the relevant downloads.
Software Subscription or Active Support plan is required to download these packages.

 

Latest Blink Utility

Description | Date | Link to download
Blink Utility version 1.1 | 6 Sep 2018 | (TGZ)

 

Latest Blink Images

Security Management Images

Version and included Take of Jumbo Hotfix Accumulator | Date | Link to Blink Image
R80.10 (GA Take 462) for Smart-1 appliances (except Smart-1 525/5150) | 17 Sep 2018 | (TGZ)
R80.10 (GA Take 462) with R80.10 Jumbo Hotfix Take 112 for Smart-1 appliances (except Smart-1 525/5150) | 17 Sep 2018 | (TGZ)
R80.10 for Smart-1 525/5150 appliances | 17 Sep 2018 | (TGZ)
R80.10 with R80.10 Jumbo Hotfix Take 103 for Smart-1 525/5150 appliances | 17 Sep 2018 | (TGZ)
R77.30 GA (with SHA-2 support) for Smart-1 205/3150 appliances (Based on Check_Point_R77.30_Install_and_Upgrade.Gaia.iso) | 17 Sep 2018 | (TGZ)
R77.30 GA with SHA-2 support and R77.30 Jumbo Hotfix Take 317 for Smart-1 205/3150 appliances (Based on Check_Point_R77.30_Install_and_Upgrade.Gaia.iso) | 17 Sep 2018 | (TGZ)

 

Security Gateway Images

Version and included Take of Jumbo Hotfix Accumulator | Date | Link to Blink Image
R80.10 (GA Take 462) with R80.10 Jumbo Hotfix Take 103 | 10 Oct 2018 | (TGZ)
R80.10 (GA Take 462) | 10 Oct 2018 | (TGZ)
R77.30 GA (with SHA-2 support) (Based on Check_Point_R77.30_Install_and_Upgrade.Gaia.iso) | 10 Oct 2018 | (TGZ)
R77.30 GA with SHA-2 support and R77.30 Jumbo Hotfix Take 302 (Based on Check_Point_R77.30_Install_and_Upgrade.Gaia.iso) | 10 Oct 2018 | (TGZ)
R77.30 GA (Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast_Appliances.iso) | 10 Oct 2018 | (TGZ)
R77.30 GA with R77.30 Jumbo Hotfix Take 302 (Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast_Appliances.iso) | 10 Oct 2018 | (TGZ)


Archived Images

The following images were removed from this article. Contact Check Point Support to obtain the archived images.

Version and included Take of Jumbo Hotfix Accumulator | Date
R80.10 (GA Take 462) with R80.10 Jumbo Hotfix Take 70 | 19 Mar 2018
R80.10 (GA Take 421) | 24 Jan 2018
R80.10 (GA Take 421) with R80.10 Jumbo Hotfix Take 56 | 24 Jan 2018
R77.30 GA with SHA-2 support and R77.30 Jumbo Hotfix Take 292 (Based on Check_Point_R77.30_Install_and_Upgrade.Gaia.iso) | 24 Jan 2018
R77.30 GA with R77.30 Jumbo Hotfix Take 292 (Based on Check_Point_R77.30_3000_5000_15000_23000_Sandblast_Appliances.iso) | 24 Jan 2018

 


Latest Blink Updates

Description | Date | Link to download
R80.10 Update package | 6 Sep 2018 | (TGZ)
R77.30 Update package | 6 Sep 2018 | (TGZ)

 

Notes:

  • Additional Blink Images will be added when they become available.

  • To check if a custom Blink image that includes specific ad-hoc hotfixes can be created, you can contact Check Point Support.

  • Explanation about the downloads:

    • Blink utility - The main utility that extracts the Blink Image and other packages, and installs them.

    • Blink Image - The Gaia OS image. For details, refer to section "(5) Blink image".

    • Blink Image updates - Optional package with updated binary files for various Agents and
      updated signatures for Software Blades. For details, refer to section "(6) Blink image updates".

 

(5) Blink image

Blink image contains:

  1. The root partition of a pre-installed Check Point appliance
  2. Simplified First Time Configuration Wizard (will be used in case of attended installation)
  3. Installation logic

Example of extracted Blink image:

[Expert@gw-b96a5d:0]# ls -lha
total 2.2G
drwx------ 6 admin root 4.0K Sep 17 04:48 .
drwx------ 4 admin root 4.0K Sep 17 04:48 ..
-rwxr-xr-x 1   105   80 2.2M Sep 17 03:00 BlinkInstaller
-rw-r--r-- 1   105   80  758 Sep 17 03:00 BlinkInstaller.config
-rw-r--r-- 1   105   80  512 Sep 17 03:00 BlinkInstaller.sha256
-rwxr-xr-x 1   105   80 2.2G Sep 17 03:00 CheckPoint_Gaia_fd.tgz
-rw-r--r-- 1   105   80  512 Sep 17 03:00 CheckPoint_Gaia_fd.tgz.sha256
drwxr-xr-x 2   105   80 4.0K Sep 17 03:00 blades_updates
drwxr-xr-x 2   105   80 4.0K Sep 17 03:00 installation_logic
-rw-r--r-- 1   105   80 1.3K Sep 17 03:00 manifest.xml
-rw-r--r-- 1   105   80  512 Sep 17 03:00 manifest.xml.sha256
drwxr-xr-x 2   105   80 4.0K Sep 17 03:00 user_updates
[Expert@gw-b96a5d:0]#

where:

  1. BlinkInstaller - Main executable file that extracts and installs all the packages.
  2. BlinkInstaller.config - Main configuration file.
  3. BlinkInstaller.sha256 - Check Point Signature file for the BlinkInstaller file (internal).
  4. CheckPoint_Gaia_fd.tgz - This is the actual installation image.
  5. CheckPoint_Gaia_fd.tgz.sha256 - Check Point Signature file for the installation image CheckPoint_Gaia_fd.tgz.
  6. blades_updates - Empty directory that may contain the Blink Image updates package:
    • blink_updates_<OSVERSION>.tgz
    For details, refer to section "(6) Blink image updates".
  7. installation_logic - Directory that contains internal installation logic:
    • answers.xml - User's configuration file for unattended installation.
    • fd_wizard_gateway.sh - (Internal) Shell script for unattended First Time Configuration Wizard.
    • fd_wizard_gateway.sh.sha256 - (Internal) Check Point Signature file for the fd_wizard_gateway.sh script.

    Note: The answers.xml file is the only file that the user is allowed to modify -
    refer to section "(8-A) How to configure the Blink mechanism - The answers.xml file".
  8. manifest.xml - XML-based file that represents the structure of the Blink package (internal).
  9. manifest.xml.sha256 - Check Point Signature file for the manifest.xml file (internal).
  10. user_updates - Directory that may contain user shell scripts and binary files that should be
    executed and installed during the main installation process (after the reboot).
    The answers.xml file has to be edited to contain the name of the main shell script that will be executed
    (refer to section "(8-A) How to configure the Blink mechanism - The answers.xml file").

 

(6) Blink image updates

Blink image updates is a separate package called blink_updates_<OSVERSION>.tgz.

This optional package contains:

  • Updated binary files for various Agents:
  • Updated signatures for Software Blades:
    • Application Control + URL Filtering
    • Protocol Detection (in R80.10 and above)
    • HTTPS Inspection

 

(7) How to use the Blink mechanism

Important Note: Blink mechanism is intended only for cleanly installed Check Point appliances, on which Check Point software has been installed (new Check Point appliance, or after restoring to factory defaults), but the First Time Configuration Wizard has not been run yet.

Action plan (basic mode only):

  1. Download all the required (and optional) files from the "(4) Downloads" section.
  2. Transfer all the files to the appliance (to a newly created directory).
  3. Execute the Blink utility (reboot will be performed automatically).
  4. Connect with your web browser to the Check Point appliance to complete the First Time Configuration Wizard.

Detailed instructions:

  1. Download all the required (and optional) files from the "(4) Downloads" section to your computer:

    1. Download the Blink utility
    2. Download the Blink image
    3. (Optional) Download the Blink Image updates package
  2. Connect to the command line on the Check Point appliance.

  3. Log in to the Expert mode.

  4. Create a directory on the /var/log/ partition (largest partition):

    [Expert@HostName:0]# mkdir -v /var/log/MyDIR
  5. Transfer all the files from your computer to the newly created directory on the appliance.

    • Either transfer the files over SCP (recommended).

      Note: This requires changing the default shell of the admin user from /etc/cli.sh to /bin/bash
      (by running the "set user admin shell /bin/bash" command in Gaia Clish - refer to Gaia Administration Guide (R77.X, R80.10))
    • Or transfer the files to a USB storage device and mount it on Gaia OS.

      Note: This requires working in the Expert mode. In addition, refer to sk31657.
  6. Go to the newly created directory:

    [Expert@HostName:0]# cd /var/log/MyDIR
  7. Unpack the Blink utility package:

    [Expert@HostName:0]# tar -zxvf blink.tgz
  8. Assign the execute permission to the Blink utility:

    [Expert@HostName:0]# chmod -v +x blink
  9. Execute the Blink utility by running the desired basic flow:

    [Expert@HostName:0]# ./blink [-i <path to Blink Image>] [-b <path to Blink Image updates package>] [-u <path to user TGZ file>] [-a <path to answer.xml file>] [-d <output directory>] [-x]

    where:

    • -i <path to Blink Image>
      Specifies the path to the Blink image.
      If this path is not specified explicitly, then Blink will search in the current working directory
      for a file with prefix blink_image.
    • -b <path to Blink Image updates package>
      Specifies the path to the Blink Image updates package (blink_updates_<OSVERSION>.tgz).
      If this path is not specified explicitly, then Blink will search in the current working directory
      for a file blades_updates_<OSVERSION>.tgz.
    • -u <path to user TGZ file>
      Specifies the path to the user TGZ file that contains user shell scripts and binary files
      that should be executed and installed during the main installation process.
      If this path is not specified explicitly, then Blink will search in the current working directory
      for a file blink_custom_content.tgz.
      Note: The package blink_custom_content.tgz must contain the main shell script as specified
      in the answers.xml configuration file (by default, Blink will search for the script install_content.sh -
      refer to section "(8-A) How to configure the Blink mechanism - The answers.xml file").
    • -a <path to answer.xml file>
      Specifies the path to the user's configuration file for unattended installation (if needed).
      Refer to section "(8-A) How to configure the Blink mechanism - The answers.xml file".
    • -d <output directory>
      Specifies the output directory, into which the Blink image and all the other packages should be extracted.
      If this path is not specified explicitly, then the Blink image and all the other packages will be extracted
      into the /var/log/blink/launcher/files directory.
    • -x
      Specifies that the Blink image should only be extracted, skipping the installation.
      This option is for advanced users that wish to configure an unattended installation - refer to Step 9 below.
    • --reimage
      Allows installation on machines that are already configured (the First Time Wizard has already been performed). By default, a snapshot of the old partition is saved, unless the --delete-old-partition flag is supplied.
    • --delete-old-partition
      Removes the old partition. Does not override the --keep-old-partition flag.
    • --keep-old-partition
      A snapshot of the old partition is saved if this flag is on,

    Example commands and their results:

    1. Extract the Blink image and Blink Image updates package into a temporary directory and start the main installation process, keeping the old partition as a snapshot:

      [Expert@HostName:0]# ./blink [-i <path to Blink Image>] [-b <path to Blink Image updates package>] [-u <path to user TGZ file>] [-a <path to answer.xml file>] --keep-old-partition

      1. A temporary directory /var/log/blink/launcher/files will be created.
      2. The Blink Image will be extracted
        to the /var/log/blink/launcher/files/ directory.
      3. The Blink Image updates package blink_updates_<OSVERSION>.tgz will be copied
        to the /var/log/blink/launcher/files/blades_updates/ directory.
      4. The user update shell script and binary files will be copied
        to the /var/log/blink/launcher/files/user_updates/ directory.
      5. The main installation process will be started.
      6. A snapshot of the old partition will be saved.
    2. Extract the Blink image and Blink Image updates package into a specified directory and start the main installation process, on an already configured machine, and NOT saving the old partition as snapshot:

      [Expert@HostName:0]# ./blink [-i <path to Blink Image>] [-b <path to Blink Image updates package>] [-u <path to user TGZ file>] [-a <path to answer.xml file>] -d <output directory> --reimage --delete-old-partition

      1. The Blink Image will be extracted in the specified output directory.
      2. The Blink Image updates package blink_updates_<OSVERSION>.tgz will be copied to the specified output directory.
      3. The user update shell script and binary files will be copied to the specified output directory.
      4. The main installation process will be started.
      5. Validation for a configured machine will be skipped.
      6. A snapshot of the old partition will NOT be created.
    3. Extract the Blink image into a specified directory and do NOT start the main installation process:

      [Expert@HostName:0]# ./blink [-i <path to Blink Image>] -x -d <output directory>

      1. The Blink Image will be extracted to the specified output directory.
        If the output directory is not specified, then it will be extracted to the temporary directory /var/log/blink/launcher/files/.
      2. The main installation process will NOT be started.
  10. You can monitor the Blink installation process in two ways (until the appliance is rebooted automatically):

    • Query the current state by running one of these commands:

      [Expert@HostName:0]# ./BlinkInstaller -status <json | full | id>

      where:

      • ./BlinkInstaller -status json
        Returns the last recorded status in JSON format.

        Example:

        [Expert@HostName:0]# ./BlinkInstaller -status json
        {
           "isCompleted" : "true",
           "stageEndTime" : "5:0:4",
           "stageID" : "finish_message",
           "stageName" : "BlinkInstaller Installation",
           "stageStartTime" : "4:56:39",
           "state" : "Success",
           "statusDescription" : "The installation has finished successfully and is pending reboot!"
        }

      • ./BlinkInstaller -status full
        Returns the last recorded status in a single-string representation.

        Example:

        [Expert@HostName:0]# ./BlinkInstaller -status full
        BlinkInstaller Installation - The installation has finished successfully and is pending reboot! - Success [Started at: 4:56:39] [Ended at:5:0:4]

      • ./BlinkInstaller -status id
        Returns the identifier of the last recorded status as a string.

        Example:

        [Expert@HostName:0]# ./BlinkInstaller -status id
        finish_message
    • Check the output files:

      • Log file: /var/log/blink/logs_<DATE>/Main_log.elg
      • Status file: /var/log/blink/status.txt
  11. Reboot will be performed automatically.

  12. Connect with your web browser to the Check Point appliance to complete the First Time Configuration Wizard (basic mode only).

    Example of First Time Configuration Wizard after attended installation:

 

(8) How to configure the Blink mechanism

  • File Description:
    This is an XML-based file (located in the installation_logic directory) that contains user's configuration for unattended installation.
  • The answers.xml version 1.1 default file 


    • Default File:
      	<properties xmlVersion="1.1">
      		<installation>
      			<reboot_delay>10</reboot_delay>
      		</installation>		
      		<machine_configuration>
      			<perform>false</perform>
      			<hostname>GWOBJECT_NAME_FIELD</hostname>
      			<password_hash>PASSWORD_HASH_FIELD</password_hash>
      			<network>
      				<ipv4addr>IPV4_FIELD</ipv4addr>
      				<masklength>IPV4_MASKLENGTH_FIELD</masklength>
      				<interface>IPV4_INTERFACE_FIELD</interface>
      				<default_gw>DEFAULTGW_FIELD</default_gw>
      			</network>
      			<role_configuration>
      				<gateway>
      					<!--  activation_key must be in base64 encoding -->
      					<activation_key>SIC_BASED64_FIELD</activation_key>
      					<cluster>false</cluster>
      				</gateway>
      				<management>
      					<credentials>
      						<use_gaia_admin>true</use_gaia_admin>
      						<!--  Relevant only if use_gaia_admin is false -->
      						<admin_name>MGMT_ADMIN_FIELD</admin_name>
      						<!--  admin_password must be in base64 encoding -->
      						<admin_password>MGMT_PASS_BASED64_FIELD</admin_password>
      					</credentials>
      				</management>				
      			</role_configuration>
      			<send_data_to_usercenter>true</send_data_to_usercenter>
      			<enable_download_from_checkpoint>true</enable_download_from_checkpoint>
      		</machine_configuration>		
      		<user_updates>
      			<entry_point>install_content.sh</entry_point>
      		</user_updates>	
      		
      		<!--
      		logging - Used in order to filter the logs saved to files, displayed on the screen or sent to the syslog.
      		Supported logging levels: DEBUG, NORMAL, ERROR, ALWAYS, NEVER
      		Colors - Should be set to true for displaying log messages in color on the screen.
      		-->
      		<logging>
      			<file_level>DEBUG</file_level>
      			<screen_level>NORMAL</screen_level>
      			<sys_log_level>NEVER</sys_log_level>
      			<colors>true</colors>
      		</logging>		
      	</properties>         
      

    • Supported XML elements:

      The root XML element is "properties".

      Each entry below gives the section (or sub-section) and the XML element, followed by its description.

      • <installation> / <reboot_delay>
        Specifies the delay (in seconds) before rebooting the appliance after completing the installation process.
        The default delay is: 10
        To suppress the reboot completely, define the value -1 (not recommended).
      • <machine_configuration> / <perform>
        Specifies whether to perform the unattended installation or not:
        • true - perform the unattended installation
        • false - (default) do not perform the unattended installation (other elements in the <machine_configuration> sub-section will be ignored)
      • <machine_configuration> / <hostname>
        Specifies the appliance's HostName to configure during the unattended installation.
      • <machine_configuration> / <password_hash>
        Specifies the appliance's admin password to configure during the unattended installation:
        • hash value of the password string (e.g., 72ae25495a7981c40622d49f9a52e4f1565c90f048f59027bd9c8c8900d5c3d8)

        Run one of the following commands in the Expert mode to get the hash value of the admin password from the configured system (must use the same Gaia OS version):
        • Either run:
          dbget passwd:admin:passwd
        • Or run:
          grep admin /etc/shadow | cut -d: -f2
      • <network>
        This sub-section specifies the network interface configurations that will apply during the unattended installation.
      • <network> / <ipv4addr>
        Specifies the appliance's IPv4 address (X.X.X.X) to configure during the unattended installation.
      • <network> / <masklength>
        Specifies the appliance's IPv4 address subnet mask length (0-32) to configure during the unattended installation.
      • <network> / <interface>
        Specifies the appliance's main management interface to configure during the unattended installation.
      • <network> / <default_gw>
        Specifies the appliance's default gateway to configure during the unattended installation.
      • <role_configuration>
        This sub-section specifies the role-based configurations that will apply during the unattended installation.
      • <gateway>
        This sub-section specifies the Security Gateway related configurations.
      • <gateway> / <activation_key>
        Specifies the appliance's SIC one-time key to configure during the unattended installation. SIC key must be provided in base64 encoding.
      • <gateway> / <cluster>
        Flag that specifies whether to enable cluster membership for the gateway or not.
      • <management>
        This sub-section specifies the Security Management related configurations.
      • <management> / <credentials>
        This sub-section specifies the credentials for the Security Management administrator.
      • <credentials> / <use_gaia_admin>
        Constant flag that specifies whether to use the Gaia credentials as the Security Management administrator or define a new administrator:
        • true - (default) use the Gaia credentials
        • false - define a new administrator
      • <credentials> / <admin_name>
        Specifies the username for the Security Management administrator.
        Relevant only if use_gaia_admin is set to "false".
      • <credentials> / <admin_password>
        Specifies the password for the Security Management administrator. Password must be provided in base64 encoding.
        Relevant only if use_gaia_admin is set to "false".
      • <send_data_to_usercenter>
        Consent flag that specifies whether the appliance is allowed to send various statistics data to Check Point Cloud (refer to sk111080):
        • true - (default) send various statistics data to Check Point Cloud
        • false - do not send various statistics data to Check Point Cloud
      • <enable_download_from_checkpoint>
        Consent flag that specifies whether the appliance is allowed to download various data (updates, latest packages, contracts, etc.) from Check Point Cloud (refer to sk111080):
        • true - (default) download various data from Check Point Cloud
        • false - do not download various data from Check Point Cloud
      • <user_updates> / <entry_point>

      Specifies the main executable user shell script to call during the unattended installation, which will perform the desired operations. The default script name is: install_content.sh

      Example:

      The "user_updates" directory contains:

      • The main user shell script install_content.sh with the following commands:

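        #!/bin/bash
        # Main user script that Blink calls during the unattended installation.
        Log_File="/var/log/user_main_script.log"
        echo "Configuring Mgmt interface..." >> "$Log_File"
        # Apply the Gaia Clish commands listed in clish_commands.txt
        clish -i -s -f "clish_commands.txt" >> "$Log_File"
        echo "Installing private RPMs..." >> "$Log_File"
        rpm -ihv some_private_RPM.rpm >> "$Log_File"
        exit 0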


      • The file with relevant Gaia Clish commands clish_commands.txt:

        lock database override
        set interface Mgmt auto-negotiation off
        set interface Mgmt state on
        set interface Mgmt link-speed 100M/full
        set interface Mgmt ipv4-address 192.168.1.1 subnet-mask 255.255.255.0

      • User RPM package some_private_RPM.rpm
      • <logging> / <file_level>

      Specifies the desired priority to filter the log entries saved in the main log file /var/log/blink/logs_<DATE>/Main_log.elg (order below is from highest to lowest priority):

      1. DEBUG (default)
      2. NORMAL
      3. ERROR
      4. ALWAYS
      5. NONE

      For example, if "file_level" is set to "ERROR", then messages marked as "Debug" and "Normal" will not be written to the log file - only messages marked as "Errors" and "Always" will be written to the log file.

      If "file_level" is set to "NONE", then no messages will be written to the log file.

      • <logging> / <screen_level>

      Specifies the desired priority to filter the log entries displayed on the screen (order below is from highest to lowest priority):

      1. DEBUG
      2. NORMAL (default)
      3. ERROR
      4. ALWAYS
      5. NONE

      For example, if "screen_level" is set to "ERROR", then messages marked as "Debug" and "Normal" will not be displayed on the screen - only messages marked as "Errors" and "Always" will be displayed on the screen.

      If "screen_level" is set to "NONE", then no messages will be displayed on the screen.

      • <logging> / <sys_log_level>

      Specifies the desired priority to filter the log entries sent to Syslog server (order below is from highest to lowest priority):

      1. DEBUG
      2. NORMAL
      3. ERROR
      4. ALWAYS
      5. NONE (default)

      For example, if "sys_log_level" is set to "ERROR", then messages marked as "Debug" and "Normal" will not be sent to Syslog server - only messages marked as "Errors" and "Always" will be sent to Syslog server.

      If "sys_log_level" is set to "NONE", then no messages will be sent to Syslog server.

      • <logging> / <colors>

      Specifies whether to use colors on the screen or not
      (refer to the <screen_level>):

      • true - (default) use colors on the screen
      • false - do not use colors on the screen

    • Management example file:

      <properties xmlVersion="1.1">
         <installation>
            <reboot_delay>10</reboot_delay>
         </installation>

         <machine_configuration>
            <perform>false</perform>
            <hostname>MyGW123</hostname>
            <password_hash>$1$Es1wXWZ8$vVK0iT0nXRiGdYZ9zb6ah/</password_hash>
            <network>
               <ipv4addr>192.168.1.22</ipv4addr>
               <masklength>24</masklength>
               <interface>Mgmt</interface>
               <default_gw>192.168.1.254</default_gw>
            </network>
            <role_configuration>
               <gateway>
                  <!-- activation_key must be in base64 encoding -->
                  <activation_key>SIC_BASED64_FIELD</activation_key>
                  <cluster>false</cluster>
               </gateway>
               <management>
                  <credentials>
                     <use_gaia_admin>false</use_gaia_admin>
                     <!-- Relevant only if use_gaia_admin is false -->
                     <admin_name>myadmin</admin_name>
                     <!-- admin_password must be in base64 encoding -->
                     <admin_password>YWRtaW5wYXNzMTIz</admin_password>
                  </credentials>
               </management>
            </role_configuration>
            <send_data_to_usercenter>true</send_data_to_usercenter>
            <enable_download_from_checkpoint>true</enable_download_from_checkpoint>
         </machine_configuration>
         <user_updates>
            <entry_point>install_content.sh</entry_point>
         </user_updates>
         <!--
         logging - Used in order to filter the logs saved to files, displayed on the screen or sent to the syslog.
         Supported logging levels: DEBUG, NORMAL, ERROR, ALWAYS, NEVER
         Colors - Should be set to true for displaying log messages in color on the screen.
         -->
         <logging>
            <file_level>DEBUG</file_level>
            <screen_level>NORMAL</screen_level>
            <sys_log_level>NEVER</sys_log_level>
            <colors>true</colors>
         </logging>
      </properties>
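
A pre-flight check for a filled-in answers.xml version 1.1 file, meant to be run before the file is passed to Blink with -a. This is an added example, not Check Point code: the function name check_answers, the placeholder and hash-shape heuristics, the gateway-on-subnet check and the sample values are assumptions made here.

```python
import base64
import binascii
import ipaddress
import re
import xml.etree.ElementTree as ET

# Template values that were never filled in end in _FIELD (e.g. IPV4_FIELD).
PLACEHOLDER = re.compile(r"^[A-Z0-9_]+_FIELD$")
# Assumption: a hash looks like one of the two forms shown on this page,
# crypt-style "$id$salt$hash" or a long hex digest. Not a Check Point rule.
HASH_LIKE = re.compile(r"^(\$[0-9a-z]+\$.+|[0-9a-fA-F]{32,})$")


def _text(root, path):
    node = root.find(path)
    return None if node is None else (node.text or "").strip()


def _filled(value):
    return bool(value) and not PLACEHOLDER.match(value)


def _is_base64(value):
    # validate=True rejects characters outside the base64 alphabet. Plain text
    # that happens to be valid base64 cannot be told apart here.
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def check_answers(xml_text, role):
    """Return a list of problems; role is "gateway" or "management"."""
    root = ET.fromstring(xml_text)
    if root.tag != "properties" or root.get("xmlVersion") != "1.1":
        return ['root element must be <properties xmlVersion="1.1">']
    mc = "machine_configuration/"
    if _text(root, mc + "perform") != "true":
        return ["perform is not true: <machine_configuration> will be ignored"]

    problems = []
    if not _filled(_text(root, mc + "hostname")):
        problems.append("hostname is empty or still a placeholder")
    pw_hash = _text(root, mc + "password_hash")
    if not _filled(pw_hash) or not HASH_LIKE.match(pw_hash):
        problems.append("password_hash does not look like a password hash")

    # Address, mask length and default gateway must agree with each other.
    net = mc + "network/"
    try:
        mask = _text(root, net + "masklength") or ""
        if not re.fullmatch(r"\d{1,2}", mask):
            raise ValueError("masklength must be an integer 0-32")
        iface = ipaddress.IPv4Interface(f"{_text(root, net + 'ipv4addr')}/{mask}")
        gw = ipaddress.IPv4Address(_text(root, net + "default_gw"))
        if gw not in iface.network:
            problems.append(f"default_gw {gw} is outside {iface.network}")
    except ValueError as exc:
        problems.append(f"network settings are invalid: {exc}")
    role_cfg = mc + "role_configuration/"
    if role == "gateway":
        key = _text(root, role_cfg + "gateway/activation_key")
        if not _filled(key) or not _is_base64(key):
            problems.append("activation_key is missing or not base64")
    else:  # management
        cred = role_cfg + "management/credentials/"
        use_gaia = _text(root, cred + "use_gaia_admin")
        if use_gaia not in ("true", "false"):
            problems.append("use_gaia_admin must be true or false")
        elif use_gaia == "false":
            if not _filled(_text(root, cred + "admin_name")):
                problems.append("admin_name is required when use_gaia_admin is false")
            pw = _text(root, cred + "admin_password")
            if not _filled(pw) or not _is_base64(pw):
                problems.append("admin_password is missing or not base64")
    return problems


# Constructed sample (not a real deployment) with two deliberate mistakes:
# the default gateway is off-subnet and admin_password is left in plain text.
SAMPLE = """<properties xmlVersion="1.1">
  <machine_configuration>
    <perform>true</perform><hostname>MyMgmt01</hostname>
    <password_hash>$1$Es1wXWZ8$vVK0iT0nXRiGdYZ9zb6ah/</password_hash>
    <network>
      <ipv4addr>192.168.1.22</ipv4addr><masklength>24</masklength>
      <interface>Mgmt</interface><default_gw>192.168.2.254</default_gw>
    </network>
    <role_configuration><management><credentials>
      <use_gaia_admin>false</use_gaia_admin>
      <admin_name>myadmin</admin_name>
      <admin_password>Passw0rd!</admin_password>
    </credentials></management></role_configuration>
  </machine_configuration>
</properties>"""

if __name__ == "__main__":
    print("\n".join(check_answers(SAMPLE, "management")))
```

Base64 in <activation_key> and <admin_password> is an encoding, not protection: the example value YWRtaW5wYXNzMTIz in the file above decodes directly to the password, so a filled-in answers.xml should be stored and transferred as a credential file.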


  • The answers.xml version 1.0 file (for old Blink Security Gateway images)

    • Default File:
      <?xml version="1.0" encoding="UTF-8"?>
      <properties xmlVersion="1.0">
        <installation>
          <reboot_delay>10</reboot_delay>
        </installation>
        <machine_configuration>
          <perform>false</perform>
          <hostname>GWOBJECT_NAME_FIELD</hostname>
          <password>
            <value>PASSWORD_FIELD</value>
            <is_hash>true</is_hash>
          </password>
          <network>
            <ipv4addr>IPV4_FIELD</ipv4addr>
            <masklength>IPV4_MASKLENGTH_FIELD</masklength>
            <interface>IPV4_INTERFACE_FIELD</interface>
            <default_gw>DEFAULTGW_FIELD</default_gw>
          </network>
          <activation_key>SIC_FIELD</activation_key>
          <cluster>false</cluster>
          <send_data_to_usercenter>true</send_data_to_usercenter>
          <enable_download_from_checkpoint>true</enable_download_from_checkpoint>
        </machine_configuration>
        <user_updates>
          <entry_point>install_content.sh</entry_point>
        </user_updates>
        <!--
        logging - Used in order to filter the logs saved to files, displayed on the screen or sent to the syslog.
        Supported logging levels: DEBUG, NORMAL, ERROR, ALWAYS, NEVER
        Colors - Should be set to true for displaying log messages in color on the screen.
        -->
        <logging>
          <file_level>DEBUG</file_level>
          <screen_level>NORMAL</screen_level>
          <sys_log_level>NEVER</sys_log_level>
          <colors>true</colors>
        </logging>
      </properties>

    • Supported XML elements:

      The root XML element is "properties".

      Enter the string to filter this table:

      Section Sub-Section XML element Description
      <installation>   <reboot_delay> Specifies the delay (in seconds) before rebooting the appliance after completing the installation process.
      The default delay is: 10
      To suppress the reboot completely, define the value -1 (not recommended).
      <machine_configuration>   <perform>

      Specifies the whether to perform the unattended installation or not:

      • true - perform the unattended installation
      • false - (default) do not perform the unattended installation (other elements in the <machine_configuration> sub-section will be ignored)
        <hostname> Specifies the appliance's HostName to configure during the unattended installation.
      <password>   This sub-subsection specifies the appliance's admin password to configure during the unattended installation.
      <password> <value>

      Specifies the appliance's admin password string:

      • either plain-text string (e.g., password123)

      • or hash value of the password string (e.g., 72ae25495a7981c40622d49f9a52e4f1565c90f048f59027bd9c8c8900d5c3d8)

        Run one of the following commands in Expert mode to get the hash value of the admin password from the configured system (must use the same Gaia OS version):

        • Either run:

          dbget passwd:admin:passwd
        • Or run:

          grep admin /etc/shadow | cut -d: -f2
      <password> <is_hash>

      Specifies how the appliance's admin password string was defined in the <value> element:

      • false - the defined appliance's admin password string is a plain-text string
      • true - (default) the defined appliance's admin password string is a hash value of the password string
      <network>   This sub-section specifies the network interface configurations that will apply during the unattended installation 
      <network> <ipv4addr> Specifies the appliance's IPv4 address (X.X.X.X) to configure during the unattended installation.
      <network> <masklength> Specifies the appliance's IPv4 address subnet mask length (0-32) to configure during the unattended installation.
      <network> <interface> Specifies the appliance's main management interface to configure during the unattended installation.
      <network> <default_gw> Specifies the appliance's default gateway to configure during the unattended installation.

      <activation_key> Specifies the appliance's SIC one-time key to configure during the unattended installation.
        <cluster> Flag that specifies whether to enable cluster membership for the gateway or not.
        <send_data_to_usercenter>

      Consent flag that specifies whether the appliance is allowed to send various statistics data to Check Point Cloud (refer to sk111080):

      • true - (default) send various statistics data to Check Point Cloud
      • false - do not send various statistics data to Check Point Cloud
        <enable_download_from_checkpoint>

      Consent flag that specifies whether the appliance is allowed to download various data (updates, latest packages, contracts, etc.) from Check Point Cloud (refer to sk111080):

      • true - (default) download various data from Check Point Cloud
      • false - do not download various data from Check Point Cloud
      <user_updates>   <entry_point> Specifies the main executable user shell script to call during the unattended installation, which will perform the desired operations.
      The default script name is: install_content.sh

      Example:

      The "user_updates" directory contains:

      1. The main user shell script install_content.sh with the following commands:

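        #!/bin/bash
        # Main user script called during the unattended installation
        Log_File="/var/log/user_main_script.log"
        # Apply the Gaia Clish commands from clish_commands.txt
        echo "Configuring Mgmt interface..." >> "$Log_File"
        clish -i -s -f "clish_commands.txt" >> "$Log_File"
        # Install the user's RPM package
        echo "Installing private RPMs..." >> "$Log_File"
        rpm -ihv some_private_RPM.rpm >> "$Log_File"
        exit 0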


      2. The file with relevant Gaia Clish commands clish_commands.txt:

        lock database override
        set interface Mgmt auto-negotiation off
        set interface Mgmt state on
        set interface Mgmt link-speed 100M/full
        set interface Mgmt ipv4-address 192.168.1.1 subnet-mask 255.255.255.0


      3. User RPM package some_private_RPM.rpm
      <logging>   <file_level>

      Specifies the desired priority to filter the log entries saved in the main log file /var/log/blink/logs_<DATE>/Main_log.elg (order below is from highest to lowest priority):

      1. DEBUG (default)
      2. NORMAL
      3. ERROR
      4. ALWAYS
      5. NONE

      For example, if "file_level" is set to "ERROR", then messages marked as "Debug" and "Normal" will not be written to the log file - only messages marked as "Errors" and "Always" will be written to the log file.

      If "file_level" is set to "NONE", then no messages will be written to the log file.

        <screen_level>

      Specifies the desired priority to filter the log entries displayed on the screen (order below is from highest to lowest priority):

      1. DEBUG
      2. NORMAL (default)
      3. ERROR
      4. ALWAYS
      5. NONE

      For example, if "screen_level" is set to "ERROR", then messages marked as "Debug" and "Normal" will not be displayed on the screen - only messages marked as "Errors" and "Always" will be displayed on the screen.

      If "screen_level" is set to "NONE", then no messages will be displayed on the screen.

        <sys_log_level>

      Specifies the desired priority to filter the log entries sent to Syslog server (order below is from highest to lowest priority):

      1. DEBUG
      2. NORMAL
      3. ERROR
      4. ALWAYS
      5. NONE (default)

      For example, if "sys_log_level" is set to "ERROR", then messages marked as "Debug" and "Normal" will not be sent to Syslog server - only messages marked as "Errors" and "Always" will be sent to Syslog server.

      If "sys_log_level" is set to "NONE", then no messages will be sent to Syslog server.

        <colors>

      Specifies whether to use colors on the screen (refer to <screen_level>):

      • true - (default) use colors on the screen
      • false - do not use colors on the screen
    • Example File:

      <?xml version="1.0" encoding="UTF-8"?>

      <properties xmlVersion="1.0">
         <installation>
            <reboot_delay>10</reboot_delay>
         </installation>

         <machine_configuration>
            <perform>true</perform>
            <hostname>MyGW123</hostname>
            <password>
               <value>mypassword</value>
               <is_hash>false</is_hash>
            </password>
            <network>
               <ipv4addr>192.168.1.22</ipv4addr>
               <masklength>24</masklength>
               <interface>Mgmt</interface>
               <default_gw>192.168.1.254</default_gw>
            </network>
            <activation_key>12345</activation_key>
            <cluster>true</cluster>
            <send_data_to_usercenter>true</send_data_to_usercenter>
            <enable_download_from_checkpoint>true</enable_download_from_checkpoint>
         </machine_configuration>

         <user_updates>
            <entry_point>install_content.sh</entry_point>
         </user_updates>

         <!--
            logging - Used in order to filter the logs saved to files, displayed on the screen or sent to the syslog.
            Supported logging levels: DEBUG, NORMAL, ERROR, ALWAYS, NEVER
            Colors - Should be set to true for displaying log messages in color on the screen.
         -->
         <logging>
            <file_level>DEBUG</file_level>
            <screen_level>NORMAL</screen_level>
            <sys_log_level>NEVER</sys_log_level>
            <colors>true</colors>
         </logging>
      </properties>
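
The following pre-flight check is an added example, not part of the original article or of Check Point's tooling. It parses an xmlVersion 1.0 answers.xml and reports leftover template placeholders, a plain-text admin password, inconsistent network values, and a short SIC activation key. The function name lint_answers, the MIN_SIC_KEY_LEN threshold, the gateway-in-subnet check and the sample document are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

MIN_SIC_KEY_LEN = 8  # assumption: local policy threshold, not a Check Point limit

# Constructed sample that mirrors the article's example file.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<properties xmlVersion="1.0">
  <machine_configuration>
    <perform>true</perform>
    <hostname>MyGW123</hostname>
    <password><value>mypassword</value><is_hash>false</is_hash></password>
    <network>
      <ipv4addr>192.168.1.22</ipv4addr><masklength>24</masklength>
      <interface>Mgmt</interface><default_gw>192.168.1.254</default_gw>
    </network>
    <activation_key>12345</activation_key>
  </machine_configuration>
</properties>"""

def lint_answers(xml_text):
    """Return a list of findings for an xmlVersion 1.0 answers.xml document."""
    mc = ET.fromstring(xml_text).find("machine_configuration")
    if mc is None:
        return ["missing <machine_configuration>"]
    def text(path, default=""):
        return (mc.findtext(path) or default).strip()
    if text("perform", "false").lower() != "true":
        return []  # per the article, the other elements are ignored in this case
    findings = []
    for el in mc.iter():
        if (el.text or "").strip().endswith("_FIELD"):
            findings.append(f"<{el.tag}> still holds a template placeholder")
    # is_hash defaults to true; false means the file carries a cleartext password
    if text("password/is_hash", "true").lower() == "false":
        findings.append("admin password is stored in plain text (is_hash=false)")
    try:
        addr = f"{text('network/ipv4addr')}/{text('network/masklength')}"
        net = ipaddress.ip_network(addr, strict=False)
        if ipaddress.ip_address(text("network/default_gw")) not in net:
            findings.append("default_gw is outside the management subnet")
    except ValueError as exc:
        findings.append(f"invalid network settings: {exc}")
    if len(text("activation_key")) < MIN_SIC_KEY_LEN:
        findings.append(f"activation_key shorter than {MIN_SIC_KEY_LEN} characters")
    return findings

if __name__ == "__main__":
    for finding in lint_answers(SAMPLE):
        print("FINDING:", finding)
```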

 

(9) Limitations


ID Symptoms
- Default value for "Management GUI Clients" property is set to "Any"
DP-2884 After upgrading to R80.20, using Blink images to downgrade is prohibited.
  • Use "revert to snapshot" in order to return to the old version 
DP-1644 Reimage: Blink reimage is blocked from running on VSX machines.
DP-1681 No automatic cleanup in case of abnormal interruption of the process (power problem, early reboot, etc.).
  In case of interruption, perform the following (in Expert mode):
  • Unmount the new Blink partition. Run:
    umount /mnt/fcd/proc /mnt/fcd/sys /mnt/fcd/dev /mnt/fcd/var/log /mnt/fcd/tmp /mnt/fcd /mnt/BlinkPlugAndPlay_usb
  • Remove the new Blink partition. Run:
    lvremove /dev/vg_splat/lv_fcd_new
  • Re-run the process
- Running Blink on software RAID appliances is prohibited
  • Resolved in image released on 24 Jan 2018

 

(10) Revision History


Date Description
14 Oct 2018 Security Gateway Images have been replaced
17 Sep 2018 Added Blink Security Management Images and new answers.xml file instructions
18 Jul 2018 Added the "Deploying Check Point NG Firewalls just got easier with the Blink utility" video
14 May 2018 Added Blink Image for R80.10 Jumbo Hotfix Take 103 and R77.30 Jumbo Hotfix Take 302
07 May 2018 Updated the How to use the Blink mechanism section
19 Mar 2018 Added Blink Image for R80.10 Jumbo Hotfix Take 70
24 Jan 2018 All images were updated to support software RAID appliances
21 Jan 2018 Added Blink Image for R80.10 (GA Take 462)
31 Dec 2017 First release of this article
