How to install SecurePlatform / Gaia from a USB device on Check Point appliance and Open Servers using ISOmorphic Tool
Solution

Important: Effective December 18th, 2016, ISOmorphic package has been updated.

 

Introduction

ISOmorphic is the Check Point utility used for creating a bootable USB device, capable of installing Gaia / SecurePlatform OS on Check Point appliances and Open Servers.
For USB installation on IP Series Appliances, refer to sk83200 - Gaia installation on IPSO-based IP Series appliances from USB storage device. For the list of USB flash keys that are known to work with ISOmorphic, refer to sk92423 - Which USB flash keys work with ISOmorphic.

Starting from R77.20, the ISOmorphic tool supports two deployment modes: Regular and Unattended. Unattended deployment installs Gaia/SecurePlatform on the appliance without any interaction from the user performing the installation.

This tool can also be used to prepare a Hardware Diagnostic USB DoK. See sk97251 - Using the Check Point Appliance Hardware Diagnostic Tool for more information on the Hardware Diagnostic Tool.

Notes:

  • Check Point does not enforce the usage of ISOmorphic, which is provided as a utility to make the installation easier. Note however, that Check Point has developed and verified the ISOmorphic tool to work with all Check Point appliances (excluding IP Series Appliances).
  • Customers can use any tool they want to format their flash keys.

 

Table of Contents

  • What's New?
  • Limitations
  • Preparing USB device for Deployment
  • Installing Gaia/SecurePlatform OS on the Appliance/Open Server using the USB device
  • Related solutions
  • Previous ISOmorphic Tool Article

 

What’s New?

  1. First Time Wizard configuration is included. User can choose from a template to install a Security Gateway, a Security Management, or a standalone Gateway product (Basic configuration mode).

  2. User can provide his own config_system file (see sk69701) to customize the product's configuration.

  3. User can provide ISOmorphic with several hotfixes/Jumbo HFA packages.

  4. User can provide a clish script to run after ISO installation.

  5. Open Servers are supported (including Unattended mode).

  6. The tool does not close after it completes, so you can burn multiple USB sticks without having to configure everything again.


Limitations

  • ISOmorphic can be used for fresh install only.
  • VSX NGX R67.10 ISO is not supported.
  • IPSO OS is not supported.
  • Only Gaia R77.20 and above are supported (no backward compatibility).
  • New features are not supported on SecurePlatform OS.
  • VMWare Virtual Machines are not supported.
  • IP Series Appliances are not supported (see sk83200).
  • Only public HotFixes and Jumbo HotFixes were tested. Test private HotFixes before deploying them to a new machine.
  • Basic networking can be preconfigured only for Gaia R77.20 and above, and only for Check Point appliances.
  • Basic/Advanced configuration and HF installation (Enhanced ISOmorphic) are available only on 3000 / 5000 / 15000 / 23000 appliances with their R77.30 Gaia Clean Install package.

 

Preparing USB device for Deployment

Download and run the ISOmorphic tool

  1. In the 'Select source ISO file' field, browse for the Gaia / SecurePlatform ISO file.

     

  2. Press ‘Configure’ in order to configure your devices. 

     

    1. If you want to make this USB installation valid for any Check Point appliance, double-click the default entry (Any). For a specific appliance, click the 'Add' button.



    2. Type the MAC address of the device you want to install (in case of a specific device).



    3. Choose your configuration type. This can be Basic, Advanced, or Manual:

      • Basic: You will be able to use pre-defined templates for Security Gateway, Security Management or Standalone (both). Select your product and provide the required info. This will run First Time Wizard with the requested configuration after installation.

      • Advanced: You will be able to provide a config_system configuration file of your own. This provides you with the means to install any type of Check Point product. First Time Wizard will run with the provided configuration (config_system) after installation.

      • Manual: You will be asked to perform the First Time Wizard manually after installation completes.

      Note: You can choose to provide your own SIC key (in case of gateway installation) or Administrator password (in case of Management installation). If you do, they are written in clear text on the USB device. By default, these values are randomized, and you will need to access the device after installation and configure them yourself by using the 'cpconfig' command.
      Starting from R80, to change the Administrator password, use the mgmt_cli set administrator command. Refer to the Management API Reference.



    4. Configure network access to your device: Hostname, IP address, Default gateway and administrator password:



    5. Select the ‘Additional OS configuration’ checkbox if you want some additional configuration to be applied after First Time Wizard (Basic/Advanced modes) or after installation (Manual mode). This should be a valid clish script.

      Important Notes:

      • This clish script should not include any configuration that requires reboot.
      • If you install R77.30 Jumbo HFA and use a custom clish script, you should add an empty line with a space at the end of the script. (limitation 01743542)




    6. Click OK to proceed.


  3. Select your HotFixes by clicking the ‘Select’ button.



    Click the ‘Import’ button and select your hot fixes.

    Note: These should be CPUSE packages. The order is important: make sure it is valid, or consult the Check Point support site.


     
    Click OK to continue

  4. In the 'Select destination drive' field, select the USB device drive. 

     

  5. Click Go!



    • Choose whether the installation should be interactive or unattended:



    • If you choose an unattended installation, you will see the following warning:



    • This will completely erase the USB device. Type ‘yes’ if you’re sure you want to continue.



  6. The USB drive will be formatted and prepared. The progress window is displayed.



  7. Wait until all steps are complete and then unplug the USB device from your desktop computer

     

  8. Do not forget to unplug the USB device from your desktop computer after preparing it.

    Important Note: Otherwise, the local drive will be formatted without any user confirmation once your desktop is rebooted. 
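
The two Important Notes on the 'Additional OS configuration' clish script (step 2.5 above) can be checked before the script is handed to ISOmorphic. The following is an added example, not part of the original article or of the ISOmorphic tool; it assumes "an empty line with a space" means a final line of exactly one space, and it treats only the reboot and halt commands as requiring a reboot.

```python
import re

# Commands this example treats as forcing a reboot. This short list is an
# assumption; the page does not enumerate which clish configuration needs one.
REBOOT_COMMANDS = re.compile(r"^\s*(reboot|halt)\b", re.IGNORECASE)


def has_trailing_space_line(text: str) -> bool:
    """True if the script's last line consists of exactly one space."""
    body = text.replace("\r\n", "\n")
    if body.endswith("\n"):
        body = body[:-1]  # ignore one final line terminator
    return body.split("\n")[-1] == " "


def add_trailing_space_line(text: str) -> str:
    """Append the single-space line if missing, keeping the file's EOL style."""
    if has_trailing_space_line(text):
        return text
    eol = "\r\n" if "\r\n" in text else "\n"
    if text and not text.endswith("\n"):
        text += eol
    return text + " " + eol


def lint_clish_script(text: str, r7730_jumbo: bool) -> list:
    """Return findings for a script meant for 'Additional OS configuration'."""
    findings = []
    for number, line in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        if REBOOT_COMMANDS.match(line):
            findings.append(f"line {number}: '{line.strip()}' forces a reboot")
    if r7730_jumbo and not has_trailing_space_line(text):
        findings.append("last line is not a single space (limitation 01743542)")
    return findings


# Constructed sample script (CRLF line endings), not taken from the page.
SAMPLE = "set hostname branch-gw01\r\nset dns primary 192.0.2.53\r\nreboot\r\n"

if __name__ == "__main__":
    for finding in lint_clish_script(SAMPLE, r7730_jumbo=True):
        print(finding)
    fixed = add_trailing_space_line(SAMPLE.replace("reboot\r\n", ""))
    print(repr(fixed), lint_clish_script(fixed, r7730_jumbo=True))
```

Many editors strip trailing whitespace on save, so run the check on the file as it will be imported, not on the editor buffer.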


 

Installing Gaia/SecurePlatform OS on the Appliance/Open Server using the USB device

  • Prepare the USB device as instructed above.

  • Make sure the Appliance/Open Server is turned off. 

  • Connect to the Appliance/Open Server over console (configure the standard connection - Rate 9600, Data Bits 8, Parity None, Stop bits 1, No Flow Control) or VGA.

  • Connect the USB device to the Appliance/Open Server. Turn on the Appliance/Open Server.

  • After booting successfully from the USB drive, the SYSLINUX window should appear:



    Note: If the machine did not boot from the USB device, then check that the BIOS settings allow booting from USB.

  • Enter the boot option according to the connection type you are using:

    1 - for booting from local hard disk
    2-12 - according to the appliance model that is installed.


Note: if no option is entered in the SYSLINUX window, then after 90 seconds the installation will continue with the default option based on the installation type that was selected when preparing the USB device:

  • If you selected ‘Show confirmation before installation begins’, then the default option is localdrive, i.e., the installation from USB device will be aborted and machine will boot from the local drive.
  • If the ‘Install automatically without confirmation’ option is selected, then you've already selected one of the options in the drop-down menu. 
    Important: this option is mandatory for SandBlast appliances. Without this option enabled, the machine will not boot properly.

     
  • When installation ends successfully:

    • LCD panel shows success message.

    • The interfaces blink in a round-robin fashion

    Warning: Do not forget to unplug the USB device from the Appliance. Otherwise, if you select the ‘Install automatically without confirmation’ option when preparing the USB device, the local drive will be formatted without any user confirmation once the machine is rebooted.

 


Previous ISOmorphic Tool Article

 

Table of Contents:

  • General Limitations
  • Preparing USB device for Regular Deployment
  • Preparing USB device for Unattended Deployment
  • Installing Gaia / SecurePlatform OS on the Appliance / Open Server using the USB device
  • Possible errors

 

General Limitations

  • ISOmorphic can be used for fresh install only.
  • Basic networking can be preconfigured only for Gaia R77.20 and above, and only for Check Point appliances.
  • VSX NGX R67.10 ISO is not supported.

 

Preparing USB device for Regular Deployment

Regular Deployment is used to install Gaia / SecurePlatform OS interactively.

  1. Prepare the USB device with ISO file

    • Format the USB device as FAT32.  Make sure you have the Gaia ISO file corresponding to the appliance model and the relevant release. 

    • Run the ISOmorphic tool (download from here)



    • In the 'Select Source ISO file' field, browse for the Gaia / SecurePlatform ISO file.

    • In the 'Select destination drive' field, select the USB device drive.

    • In the 'Installation type' field, select 'Regular installation'.



  2. Optional (for Gaia ISO R77.20 and above): Configure basic networking to be applied on the appliance during the installation:

    Background:

    Starting in Gaia R77.20, basic networking can be preconfigured using the ISOmorphic tool. The tool saves the configuration on the USB device as an XML file, and applies it automatically on the appliance after installation.

    The ISOmorphic tool lets you save different configurations for different appliances on the same USB device.

    Each configuration object contains:

    • Interface name to be configured (default is the Management interface)
    • IPv4 address
    • Subnet mask
    • Default Gateway (optional)
    • MAC address of the Management interface of the appliance to be configured, or default.

    During the deployment, the appliance searches for its MAC address in the XML configuration file. If the MAC address is not found, then the appliance applies the default configuration.

    Configuration procedure:

    1. Click on 'Configure' button.

      Note: For Gaia / SecurePlatform ISO R77.10 and lower, this button is greyed out.

    2. The configuration window opens:

      Note: In this window, you can import a previously prepared configuration file (XML), or export the current configuration.



    3. Click on 'Add...' button to configure the basic networking settings.

      Note: Only one interface can be configured on the same appliance.

      • Select the 'Default' option.
      • Type the interface name.
      • Enter the IP address.
      • Enter the subnet mask.
      • Enter the default gateway (optional).

      Example:

      Note: If you want to use the same USB device for multiple appliances, then select the 'Mgmt MAC address' option before you enter the configuration settings. When an appliance with the specified MAC address is being installed from the USB device, the pre-configured settings are applied to it. If the appliance's MAC address does not match the MAC address in the tool's configuration file, then the default settings are applied (if a default configuration exists).

    4. Click on 'OK'. You return to the previous window.

      Example:



    5. You can now repeat the procedure to add more configurations with different MAC addresses (or default, if not configured yet).

    6. Click on 'Done' button.

    Limitations:
    1) Only Gaia R77.20 and above are supported (no backward compatibility).
    2) Only one interface can be configured on the same appliance.
    3) Only Check Point appliances are supported (excluding IP Series Appliances).
    4) New features are not supported on SecurePlatform OS.
    5) IPSO OS is not supported.
    6) Open Servers are not supported (the installation will prompt the user for the configuration).
    7) VMWare Virtual Machines are not supported (the installation will prompt the user for the configuration).



  3. In the main window, click on 'Go!' button at the bottom.

    A warning message appears. Type "yes" in the warning window to confirm the USB drive formatting, and click on 'Yes' button:



  4. The USB drive is formatted and prepared. The progress window is displayed.

    Example:



  5. Wait until all steps are complete and then unplug the USB device from your desktop computer:



  6. Continue to section "Installing Gaia / SecurePlatform OS on the Appliance / Open Server using the USB device".

 

Preparing USB device for Unattended Deployment

Unattended Deployment is used to install Gaia OS on Check Point appliances without any user input. 

 

  1. Prepare the USB device with ISO file

    1. Make sure you have the Gaia ISO file corresponding to the appliance model and the relevant release.

    2. Run the ISOmorphic tool (download from here)



    3. In the 'Select Source ISO file' field, browse for the Gaia / SecurePlatform ISO file.

    4. In the 'Select destination drive' field, select the USB device drive.

    5. In the 'Installation type' field, select 'Unattended installation'.



    6. The following warning appears (click either 'OK', or 'Cancel'):



    7. For Gaia ISO R77.20 and above: Configure basic networking to be applied on the appliance during the installation:

      Background:

      Starting in Gaia R77.20, basic networking can be preconfigured using the ISOmorphic tool. The tool saves the configuration on the USB device as an XML file, and applies it automatically on the appliance after installation.

      The ISOmorphic tool lets you save different configurations for different appliances on the same USB device.

      Each configuration object contains:

      • Interface name to be configured (default is the Management interface)
      • IPv4 address
      • Subnet mask
      • Default Gateway (optional)
      • MAC address of the Management interface of the appliance to be configured, or default.

      During the deployment, the appliance searches for its MAC address in the XML configuration file. If the MAC address is not found, then the appliance applies the default configuration.

      Configuration procedure:

      1. Click on 'Configure' button.

        Note: For Gaia / SecurePlatform ISO R77.10 and lower, this button is greyed out.

      2. The configuration window opens:

        Note: In this window, you can import a previously prepared configuration file (XML), or export the current configuration.



      3. Click on 'Add...' button to configure the basic networking settings.

        Note: Only one interface can be configured on the same appliance.

        • Select the 'Default' option.
        • Type the interface name.
        • Enter the IP address.
        • Enter the subnet mask.
        • Enter the default gateway (optional).

        Example:

        Note: If you want to use the same USB device for multiple appliances, then select the 'Mgmt MAC address' option before you enter the configuration settings. When an appliance with the specified MAC address is being installed from the USB device, the pre-configured settings are applied to it. If the appliance's MAC address does not match the MAC address in the tool's configuration file, then the default settings are applied (if a default configuration exists).

      4. Click on 'OK'. You return to the previous window.

        Example:



      5. You can now repeat the procedure to add more configurations with different MAC addresses (or default, if not configured yet).

      6. Click on 'Done' button.

      Limitations:
      1) Only Gaia R77.20 and above are supported (no backward compatibility).
      2) Only one interface can be configured on the same appliance.
      3) Only Check Point appliances are supported (excluding IP Series Appliances).
      4) SecurePlatform OS is not supported.
      5) IPSO OS is not supported.
      6) Open Servers are not supported (the installation will prompt the user for the configuration).
      7) VMWare Virtual Machines are not supported (the installation will prompt the user for the configuration).
    8. In the main window, click on 'Go!' button at the bottom.

      A warning message appears. Type "yes" in the warning window to confirm the USB drive formatting, and click on 'Yes' button:



    9. The USB drive is formatted and prepared. The progress window is displayed.

      Example:



    10. Wait until all steps are complete:



    11. Do not forget to unplug the USB device from your desktop computer after preparing it.

      Important Note: Otherwise, the local drive will be formatted without any user confirmation once the machine is rebooted.



  2. Continue to section "Installing Gaia / SecurePlatform OS on the Appliance / Open Server using the USB device".
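
The MAC-address lookup with default fallback described in the two 'Configure basic networking' Background passages above can be modelled and sanity-checked before a stick is shipped. This is an added example, not Check Point code and not the tool's XML format: the dictionary keys, the MAC normalization and the first-entry-wins rule are assumptions, and the sample entries are constructed.

```python
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC and drop ':', '-' or '.' separators (an assumption:
    the page does not say how the installer compares MAC addresses)."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def entry_key(entry: dict) -> str:
    mac = entry["mac"].strip().lower()
    return "default" if mac == "default" else normalize_mac(mac)


def select_entry(entries: list, appliance_mac: str):
    """Exact MAC match wins; otherwise the default entry, or None if absent."""
    by_key = {}
    for entry in entries:
        by_key.setdefault(entry_key(entry), entry)  # assumed: first entry wins
    return by_key.get(normalize_mac(appliance_mac), by_key.get("default"))


def validate(entries: list) -> list:
    """Findings that would leave an appliance unreachable after installation."""
    findings, seen = [], set()
    for number, entry in enumerate(entries, 1):
        key = entry_key(entry)
        if key in seen:
            findings.append(f"entry {number}: duplicate key {key}")
        seen.add(key)
        iface = ipaddress.ip_interface(f"{entry['ipv4']}/{entry['mask']}")
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            findings.append(f"entry {number}: {iface.ip} is not a host address")
        gateway = entry.get("gateway")  # optional, as on the page
        if gateway and ipaddress.ip_address(gateway) not in net:
            findings.append(f"entry {number}: gateway {gateway} is outside {net}")
    return findings


# Constructed configuration objects: interface, IPv4, mask, gateway, MAC/default.
STICK = [
    {"mac": "default", "interface": "Mgmt", "ipv4": "192.0.2.10",
     "mask": "255.255.255.0", "gateway": "192.0.2.1"},
    {"mac": "02:00:00:AA:BB:01", "interface": "Mgmt", "ipv4": "198.51.100.10",
     "mask": "255.255.255.0", "gateway": "198.51.100.1"},
    {"mac": "02-00-00-aa-bb-01", "interface": "Mgmt", "ipv4": "198.51.100.20",
     "mask": "255.255.255.240", "gateway": "198.51.100.1"},
]

if __name__ == "__main__":
    print(validate(STICK))
    print(select_entry(STICK, "02:00:00:aa:bb:99"))  # unlisted MAC -> default
```

Because every appliance with an unlisted MAC receives the default entry, a stick that carries one and is reused across several appliances gives each of them the same address.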

 

Installing Gaia / SecurePlatform OS on the Appliance / Open Server using the USB device

  1. Prepare the USB device either for Regular Deployment, or for Unattended Deployment (supported only on Check Point appliances).

  2. Make sure the Appliance / Open Server is turned off.

  3. Connect to the Appliance / Open Server over console (configure the standard connection - Rate 9600, Data Bits 8, Parity None, Stop bits 1, No Flow Control).

  4. Connect the USB device to the Appliance / Open Server.

  5. Turn on the Appliance / Open Server.

  6. After booting successfully from the USB drive, the SYSLINUX window should appear:

    Note: If the machine did not boot from the USB device, then check that the BIOS settings allow booting from USB.



  7. Enter the boot option according to the connection type you are using:

    • serial - for serial connection (i.e., console connection on Appliance / Open Server)

    • vga - for VGA or other graphic mode connection (only for Open Servers with video card)

    • localdrive - for booting from local hard disk

    • smart1 - only for installing on Smart-1 appliance and Threat Emulation appliances TE100X / TE250X / TE1000X / TE2000X

    Note: If no option is entered in the SYSLINUX window, then after 90 seconds the installation will continue with the default option based on the installation type that was selected when preparing the USB device:

    • If you selected 'Regular installation' type, then the default option is localdrive, i.e., the installation from USB device will be aborted and machine will boot from the local drive.

    • If you selected 'Unattended installation' type, then the default option is serial.


  8. If you install SecurePlatform OS, then on some SecurePlatform versions, you will be asked to select the partition from which to load the SecurePlatform ISO image:

    Note: Usually, you should select the last option on the list.

    Example for SecurePlatform OS:



  9. When the installation ends successfully, there are two indications:

    • LCD panel shows success message.

    • The interfaces blink in a round-robin fashion.


  10. Warning: Do not forget to unplug the USB device from the Appliance. Otherwise, if you have used the 'Unattended installation' type for preparing the USB device, the local drive will be formatted without any user confirmation once the machine is rebooted.

 

Unattended Deployment - Example

 
An experienced administrator prepares a USB device with configurations for an unattended R77.20 installation.

An experienced administrator sends the USB device to a remote office site.

At the remote office site, an inexperienced administrator performs the following steps:

  • Shuts down the appliance.
  • Connects the network cables to the appliance.
  • Connects to the appliance over console.
  • Connects the USB device to the appliance.
  • Turns on the appliance.
  • Waits until the installation succeeds (as shown on the LCD panel, or by blinking interfaces lights).
  • Removes the USB device from the appliance.
  • Reboots the appliance.

An experienced administrator connects remotely to the appliance over SSH, or to Gaia Portal and continues the configuration (e.g., First Time Configuration Wizard).

 

Possible errors

The following message might appear on the screen during the ISO installation:

find: /tmp/hdimage/<Name_Of_ISO_Image>.iso: Value too large for defined data type

Example:

find: /tmp/hdimage/Check_Point_R75.20_Appliance.iso: Value too large for defined data type

Root cause:

The Busybox that is used for ISO installation from the USB device was not compiled with 64-bit file offsets (_FILE_OFFSET_BITS=64).
The ramdisk on the USB device mounts the ISO image and then mounts 'stage2.img' from the ISO image. Afterwards, it unmounts the ISO image, and 'stage2.img' remounts the ISO.
When 'stage2.img' is running, the 'find' command complains when it sees an ISO file larger than 2 GB.

Next steps:

This message can be safely ignored. The installation completes successfully, and installed software works correctly.


