Support Center > Search Results > SecureKnowledge Details
Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent
Solution

Table of Contents:

  1. Introduction
  2. System requirements and limitations
  3. Download the latest build of CPUSE Agent and What's New
  4. How to work with CPUSE
    1. How to download and import a CPUSE package
      1. Download and import instructions for Online procedure - Gaia Portal
      2. Download and import instructions for Online procedure - Gaia Clish
      3. Import instructions for Offline procedure - Gaia Portal
      4. Import instructions for Offline procedure - Gaia Clish
    2. How to install a CPUSE package
      1. Install a Hotfix package / Minor Version package
      2. Perform an upgrade to a Major Version
      3. Perform a clean install of Major Version
    3. How to uninstall a CPUSE package
    4. "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)
  5. Architecture and Design
  6. Troubleshooting and Related solutions
  7. Information about older CPUSE builds
  8. Related documentation
  9. Revision history

 

In addition, refer to sk111158 - Central Deployment Tool (CDT).

 

Click Here to Show the Entire Article

 

(1) Introduction

Show / Hide this section

Check Point Update Service Engine (CPUSE), also known as Gaia Software Updates [Agent], is an advanced and intuitive mechanism
for software deployment on Gaia OS, which supports deployments of single HotFixes (HF), of HotFix Accumulators (HFA), and of Major Versions.

Gaia Software Updates offers a Smarter, Faster and Safer deployment solution:

Smarter
  • Discover only relevant software updates
  • Reboot only if required
  • Auto authentication with Download Center
  • View hierarchy of software updates
  • E-mail notification for new updates
Faster
  • Fast download (smaller package size)
  • Fast installation
  • Short down time
Safer
  • Upgrade to next Major Version is performed on a new disk partition and preserves Gaia OS configuration
  • Automatic conflicts validation
  • Checksum validation of packages on target machine
  • Self-test after installation
  • Auto roll-back on failures

 

(2) System requirements and limitations

Show / Hide this section

Table of Contents for this section:

  1. License and contract
  2. Connection to the Internet
  3. CPUSE communication with Check Point cloud
  4. CPUSE Agent update to the latest version
  5. Upgrade
  6. Free disk space
  7. VSX Gateways
# Topic Comments
A License and contract
  • Valid license has to be installed on the target machine.
  • Valid Software Subscription or Technical Support Contract has to be associated with the license.
  • The Contract File must be installed on the target machine.
    Please allow up to 24 hours after installing the Contract File before using CPUSE.

Notes:

  1. There is a 30 days grace period upon first installation/activation of the Gaia Software Updates Agent, during which no license is needed at all.
  2. Evaluation License is not enough to enable Gaia Software Updates.
    A real valid support license is required.
    Access to Check Point Download Server is available via subscription only.
    An Evaluation License is not sufficient to grant download access from the User Center.
B Connection to the Internet
  • Gaia machine should be connected to the Internet:
    • To perform online self-update of CPUSE Agent
    • To obtain Software Updates from Check Point Cloud
    Note: The option "Automatically download Contracts and other important data (Recommended)" should be enabled
    per sk94508 (SmartDashboard - "Policy" menu - "Global Properties" - "Security Management Access").
  • Manual offline installation of CPUSE packages is available if Gaia machine is disconnected from the Internet.
C CPUSE communication with Check Point cloud

To allow CPUSE to communicate with Check Point cloud, follow the steps below in SmartDashboard.

An explicit firewall rule has to be created in the following scenarios:

# Scenario
description
Which explicit
firewall rule
to create
Traffic
Source
Traffic
Destination
Traffic
proto /
ports
Where to
install / apply
the explicit rule
1

Check Point Security Gateway running on Gaia OS, which must connect to Check Point cloud.

Implied rule "Accept outgoing packets originating from Gateway" is disabled in Policy menu - Global Properties... - FireWall pane.
Create an explicit firewall rule for this Check Point Security Gateway (see procedure below) to allow the communication between CPUSE on this Check Point Security Gateway and Check Point cloud. Check
Point
Security
Gateway
Check
Point
domains
Relevant
HTTP /
HTTPS /
DNS
traffic
Check
Point
Security
Gateway
2 Perimeter Check Point Security Gateway that protects internal Check Point machine running on Gaia OS, which must connect to Check Point cloud. Create an explicit firewall rule for the Perimeter Check Point Security Gateway (see procedure below) to allow the communication between CPUSE on internal Check Point machine and Check Point cloud. Internal
Check
Point
machine
Check
Point
domains
Relevant
HTTP /
HTTPS /
DNS
traffic
Perimeter
Check
Point
Security
Gateway
3 Perimeter non-Check Point FireWall that protects Check Point machine running on Gaia OS, which must connect to Check Point cloud. Create an explicit firewall rule (for reference, see procedure below) for this non-Check Point FireWall to allow the communication between CPUSE on internal Check Point machine and Check Point cloud. Internal
Check
Point
machine
Check
Point
domains
Relevant
HTTP /
HTTPS /
DNS
traffic
Perimeter
non-Check
Point
FireWall

Procedure for Check Point Security Gateway:

Note: For non-Check Point FireWall, the equivalent rule must be created. Related solution: sk83520.

  1. Create the following Domain objects for Check Point domains and for Akamai domain (note the dot in the beginning:

    • .updates.checkpoint.com
    • .updates.g01.checkpoint.com
    • .gwevents.checkpoint.com
    • .gwevents.us.checkpoint.com
    • .deploy.static.akamaitechnologies.com

    Instructions:

    1. Go to "Manage" menu - click on "Network Objects..."

    2. Click on "New..." button - select "Domain..."

    3. In the "Name" field, paste the name of the domain listed above (note the dot in the beginning) and click on "OK".

    4. Repeat Steps i-iii for all domains listed above.

    5. Click on "Close" button.

  2. Create the following Firewall security rule for the involved Security Gateway (use predefined services):

    Important Note: Rules with Domain Objects should be located as low as possible in the rulebase.

    For Scenario #1 - Check Point Security Gateway running on Gaia OS (and implied rule "Accept outgoing packets originating from Gateway" is disabled)

    SOURCE DESTINATION SERVICE ACTION INSTALL ON
    Check Point
    Security
    Gateway

    .updates.checkpoint.com

    .updates.g01.checkpoint.com

    .gwevents.checkpoint.com

    .gwevents.us.checkpoint.com

    .deploy.static.akamaitechnologies.com

    http

    https

    HTTP_and_HTTPS_proxy

    domain-udp

    Accept Check Point
    Security
    Gateway

    For Scenario #2 - Perimeter Check Point Security Gateway that protects internal Check Point machine

    SOURCE DESTINATION SERVICE ACTION INSTALL ON
    Internal
    Check Point
    machine

    .updates.checkpoint.com

    .updates.g01.checkpoint.com

    .gwevents.checkpoint.com

    .gwevents.us.checkpoint.com

    .deploy.static.akamaitechnologies.com

    http

    https

    HTTP_and_HTTPS_proxy

    domain-udp

    Accept Perimeter
    Check Point
    Security
    Gateway
  3. Install the policy onto involved Security Gateway.

D CPUSE Agent update to the latest version
  • On online Gaia machine (that is connected to the Internet):

    • CPUSE Agent must always be updated to the latest available version before being able to perform any action.
    • It is recommended to leave the default CPUSE Agent policy set to "Periodically update new Deployment Agent version (recommended)".
  • On offline Gaia machine (that is disconnected from the Internet), it is strongly recommended to always update the CPUSE Agent to the latest available build.

E Upgrade
  • Upgrade to a higher Major Version (e.g., from R76 to R77.X) using CPUSE will not be available on these machines/appliances:

    • EndPoint Security Servers
    • IP Appliances that were upgraded from IPSO OS to Gaia OS
    • Open Servers that were upgraded from SecurePlatform OS to Gaia OS
    • UTM-1 130 and UTM-1 270 appliances (regardless of previous OS)
  • On Security Gateway in VSX mode, upgrade via CPUSE is supported only:

  • When upgrading Gaia OS from R75.4x / R76 versions using CPUSE, these limitations apply:

    • Files saved outside of the /home directory are erased during the upgrade process.
      If you created a snapshot immediately before upgrading, you can revert to the snapshot to recover personal files saved outside of the /home directory.
    • To upgrade the Secondary Security Management Server of a Full High Availability cluster, perform a clean install and
      import the configuration using Advanced Migration (refer to the R77 Installation and Upgrade Guide).
  • Major Upgrade using CPUSE on IP Appliances running Gaia OS is supported only in Clish.

F Free disk space
  • To import a CPUSE package, the /var/log/ partition on Gaia OS must have enough free disk space - at least twice the size of the package you want to import.

    To see the amount of available disk space in /var/log/ partition, run the following command in Expert mode:

    [Expert@HostName:0]# df -h | grep -E "Avail|/var/log"
    Example:
    [Expert@Gaia:0]# df -h | grep -E "Avail|/var/log"
    Filesystem            Size  Used Avail Use% Mounted on
    11G  286M  9.9G   3% /var/log
    [Expert@Gaia]#
    
  • To upgrade to a higher Major Version, or to perform Clean Installation using CPUSE, machine must have enough unallocated (unpartitioned) disk space -
    at least as the size of the root partition.

    Run the following commands in Expert mode:

    1. Check the size of the "root" partition:

      [Expert@HostName:0]# df -h | grep -E "Avail|\/$"
      Example:
      [Expert@Gaia:0]# df -h | grep -E "Avail|\/$"
      Filesystem            Size  Used Avail Use% Mounted on
      17G  9.1G  6.6G  59% /
      [Expert@Gaia]#
      
    2. Check the amount of unallocated (unpartitioned) disk space:

      [Expert@HostName:0]# pvs
      Example:
      [Expert@Gaia:0]# pvs
      PV         VG       Fmt  Attr PSize  PFree
      /dev/sda3  vg_splat lvm2 a-   57.81G 29.81G
      [Expert@Gaia]#
      

    The unallocated disk space could be freed by removing Gaia snapshots (if any exist), and by following sk91060.

G VSX Gateways

The table below lists existing CPUSE limitations on VSX Gateways:

Version Notes
R77.X

On VSX Gateways R77.X, CPUSE supports only the following operations:

Any other package must be installed on VSX Gateways R77.X only using Legacy CLI instructions.

R80.10
  • Any package can be installed using CPUSE (Ad-hoc hotfix, Jumbo Hotfix, etc.)

 

(3) Download the latest build of CPUSE Agent and What's New

Show / Hide this section

Check Points always recommends to upgrade the CPUSE Agent to the latest available build.

Table of Contents for this section:

  1. Download the latest CPUSE build
  2. How to check the current CPUSE build
  3. How to manually install CPUSE
  4. History of older CPUSE Agent builds

(3-A) Download the latest build of the CPUSE Agent

Note: Latest build is usually gradually released to all customers. Therefore, not all machines might receive the latest build at the same time.

Build
Number
Release
Date
Status Download
Link
Integrated in What's New
1298 27 Aug 2017 Latest build -
  • Blocked R80.10 CPUSE installations on vSEC cloud environments (AWS, Azure, Google)
  • Blocked R80.10 CPUSE installations on Management Server when open sessions exist
  • Allowed Smart-1 405/410 appliances to install using CPUSE the next R80.10 build (GA replacement)
  • Support for new numbering system in crs.xml file in CPUSE packages

 

(3-B) How to check the current build of the CPUSE Agent

Where to check Instructions
In Gaia Portal
  1. Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

    In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
  2. Click on the "Hotfixes" link near the version.

    Example:

  3. A pop-up "Hotfixes Information" appears.
    Version (build) of the installed Deployment Agent is displayed at the bottom.

    Example:

In Gaia Clish
  1. Connect to command line on Gaia machine.

  2. Log in to Clish.

  3. Run this command:

    HostName:0> show installer status build

    Example output:

    Build number: 974 (agent build is up to date)
In Expert mode
  1. Connect to command line on Gaia machine.

  2. Log in to Expert mode.

  3. Run this command:

    [Expert@HostName:0]# cpvinfo $DADIR/bin/DAService | grep -E "Build|Minor"

    Example output:

    Build Number = 974
    Minor Release = knockout_ms1_ga

 

(3-C) How to manually install the CPUSE Agent package

Notes:

  • Updating of CPUSE (Gaia Software Updates) Agent from build 839 and above does not cause traffic outage, or cluster failover.
  • Updating of CPUSE (Gaia Software Updates) Agent from build 822 and lower might cause short traffic outage, or cluster failover. For details, refer to sk106696.

Procedure:

  1. Transfer the CPUSE Agent package (DeploymentAgent_<build>.tgz) to the machine (into some directory - e.g., /some_path_to_CPUSE/).

  2. Unpack the CPUSE Agent package:

    [Expert@HostName:0]# cd /some_path_to_CPUSE/
    [Expert@HostName:0]# tar -zxvf DeploymentAgent_<build>.tgz
  3. Install the CPUSE Agent RPM:

    [Expert@HostName:0]# rpm -Uhv --force CPda-00-00.i386.rpm

    Notes:

  4. [Optional] Restart all Clish daemons and ConfD daemon:

    To improve CPUSE Agent, new CPUSE commands are added to Clish from time to time.
    It is necessary to restart all Clish daemons for new CPUSE Clish commands to become available, and to restart ConfD daemon.

    1. If your default shell is CLISH (/etc/cli.sh), then log in to Expert mode.
      If your default shell is BASH (/bin/bash), then log out from all Clish sessions.
    2. Kill all running Clish daemons (they will be restarted automatically):

      [Expert@HostName:0]# killall -v clish clishd

      Important Note: If your default shell is CLISH (/etc/cli.sh), then after issuing this command, you will be disconnected / logged out from all active sessions.
    3. Restart the ConfD daemon:

      1. [Expert@HostName:0]# tellpm process:confd

      2. [Expert@HostName:0]# tellpm process:confd t

      Maintenance window is required:

      • When confd daemon is starting, by design, it restarts any currently running routed daemons (by sending a TERM signal). It is done to avoid possible issues in Gaia Clish (e.g., returning invalid results for routing-related commands like "show route").
      • Since routed daemon is responsible for all the routing in Gaia OS, short traffic outage will occur while routed daemon is being restarted.
      • Since routed daemon is a Critical Device in Check Point cluster (since R76), cluster fail-over might occur while routed daemon is being restarted (refer to sk92878).
  5. Start the CPUSE Agent manually:

    [Expert@HostName:0]# $DADIR/bin/dastart

 

(3-D) History of older CPUSE Agent builds

Show / Hide this section

Build
Number
Release
Date
Status Integrated in What's New
332 07 Jan 2013 Obsoleted by Build 502 R76 Initial build.
502 27 Aug 2013 Obsoleted by Build 553 R77 Stability fixes and performance optimizations.
553 15 Jan 2014 Obsoleted by Build 573 R77.10 Stability fixes and performance optimizations.
573 13 Mar 2014 Obsoleted by Build 615 - Stability fixes and performance optimizations.
615 03 Jul 2014 Obsoleted by Build 627 R77.20 Stability fixes and performance optimizations.
627 05 Aug 2014 Obsoleted by Build 710 -

Stability fixes and performance optimizations.

In addition to Gaia Portal and Clish commands, starting from build 627,
CPUSE Agent can also be controlled from Expert mode by the DAClient command (which is intended only for Check Point internal use).

710 05 Oct 2014 Obsoleted by Build 729 - Significant improvements in User Experience and performance:
  • Simple view highlights recommended versions and hotfixes to be installed
  • Indication of installed software alignment with the latest recommendations
  • All packages (available and installed) are displayed in categories
  • All packages are displayed in a hierarchy - nested (e.g., Hotfix B is included in Hotfix A)
  • Simple way to join public Early Availability program of Check Point releases
  • Pausing and resuming of package download
  • Performance optimizations
  • RFEs and Bug fixes
729 28 Jan 2015 Obsoleted by Build 747 - Stability fixes and performance optimizations.
747 19 May 2015 Obsoleted by Build 802 R77.30 Stability fixes and performance optimizations.
802 03 Jun 2015 Obsoleted by Build 822 - Significant improvements in User Experience and performance:
  • Improved Clish commands
  • Performance optimizations
  • RFEs and Bug fixes
822 17 Sep 2015 Obsoleted by Build 840 - Stability fixes and performance optimizations.
839 18 Oct 2015 Obsoleted by Build 840 - Stability fixes and performance optimizations.
840 29 Nov 2015 Obsoleted by Build 972 - Contains fixes that are relevant only to Builds lower than 839.
972 08 Feb 2016 Obsoleted by Build 974 - Stability fixes and performance optimizations:
  • RouteD daemon will not be restarted during CPUSE Agent update (to prevent traffic/routing issue)
  • ClishD daemon will not be restarted during CPUSE Agent update from Build 839
  • Improved error messages in Major upgrade flow
  • Reduced writing to Gaia Database
  • Ability to control the "Check for update period" frequency in Gaia Portal (default is every 3 hours):
    • In Gaia Portal R77.20 and above:
      go to Upgrades (CPUSE) section - Software Updates Policy page
    • In Gaia Portal R77.10 and lower:
      go to Software Updates section - Policy page
    • In Gaia Clish:
      HostName:0> set installer policy check-for-updates-period TIME
    Reducing the check for updates frequency will reduce the amount of writing to the /var/log/ partition.
974 24 Feb 2016 Obsoleted by Build 994 - Stability fixes and performance optimizations.
Resolving the following issues:
994 14 Apr 2016 Obsoleted by Build 1005 - Stability fixes and performance optimizations.
Resolving the following issues:
1005 15 June 2016 Obsoleted by Build 1127 -
  • Stability fixes and performance optimizations
  • Ability to completely disable / enable the Deployment Agent service in Gaia Clish:
    • HostName:0> installer agent disable
    • HostName:0> installer agent enable
    Note: To see these commands after installation of this CPUSE build, all Clish daemons and ConfD daemon must be restarted manually (refer to section "(3-C) How to manually install CPUSE" - Step 5).
1127 21 Aug 2016 Obsoleted by Build 1130 -
  • Ability to install higher Take of Jumbo Hotfix Accumulator
    using CPUSE over a Take that was installed using Legacy CLI
  • Ability to uninstall Legacy CLI packages using CPUSE
  • Stability fixes and performance optimizations
  • Removed the "Legacy Upgrade" option from Gaia Portal
1130 02 Oct 2016 Obsoleted by Build 1272 R80
  • Stability fixes related to the installation of Jumbo Hotfix Accumulators
1272 12 Mar 2017 Obsoleted by Build 1278 -
  • R80.10 installation support
  • Log collection improvement (mainly for Major upgrade failure)
  • In Gaia Portal, when opening the Status and Actions page, CPUSE will not automatically check for updates anymore
  • Added statistics report for import and delete of a package
  • Fixes for reinstall failures
  • Improved progress bar
  • Added creation date to snapshot description
  • Added a warning to Gaia Clish "installer install" command regarding the actions prior to First Time Configuration Wizard
  • Added the "Check For Updates" button on the "Status and Actions" page
  • Added the "Import Package" button on the "Status and Actions" page
1278 03 Apr 2017 Obsoleted by Build 1283 -
  • Stability fixes
  • Improved CPUSE Agent Self Update behavior during Major Upgrade / Clean Install
  • Warning messages (if exist) will be displayed during package installation (under the label "Additional info").
1283 25 Apr 2017 Obsoleted by Build 1293 R80.10
  • Improved CPUSE Agent Self Update behavior during R77.30 GA replacement installation
  • Improved CPUSE Agent to prevent failures due to lack of disk space and to provide better information regarding the required disk space
  • Stability fixes for CPUSE Agent on vSEC for Cloud Environment (e.g., Azure, AWS, etc.)
1293 15 June 2017 Obsoleted by Build 1294 -
  • Blocked R80.10 packages from being displayed on some outdated appliances
  • Resolved an issue with clean install of R80.10 on VSX
  • Stability fixes
1294 27 June 2017 Obsoleted by Build 1298 -
  • Blocked specific appliances from allowing import of R80.10 CPUSE Offline packages

 

(4) How to work with CPUSE

Show this section

Table of Contents for this section:

  1. How to download and import a CPUSE package
  2. How to install a CPUSE package
  3. How to uninstall a CPUSE package
  4. "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)

(4-A) How to work with CPUSE - How to download and import a CPUSE package

Show this sub-section

Important Note: After the desired CPUSE package is downloaded / imported, proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".

  • (4-A-a) Show / Hide download and import instructions for Online procedure - Gaia Portal

    The online procedure in Gaia Portal can be used in the following cases:

    • Gaia machine is connected to the Internet (meaning, full access to Check Point Cloud - refer to section "System requirements and limitations" -
      requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
    • CPUSE package is available on the Check Point Cloud.
    • Gaia machine is not running in VSX Mode (in which case, Gaia Portal is not available).

    Procedures:

    • (4-A-a-i) Show / Hide online download instructions in Gaia Portal for Public Hotfixes / Minor Version / Major Version

      1. Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

      2. Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

        In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
      3. All packages are displayed in categories and by default are filtered to view recommended packages only.

        Note: Use the filter button near the help icon and select the packages you wish to see:

      4. Verify the package - check whether this package can be installed without conflicts:

        • Either select the package - click on the More button on the toolbar - click on Verifier:

        • Or right-click on the package - click on Verifier:

        Result of this test should be:

        • Installation is allowed
        • Upgrade is allowed

        Examples:

        For Hotfix package: For Minor / Major Version:
      5. Download the package in relevant category:

        Note: The download progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
        to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
        and in the output of Clish command "show installer package <Package_Number>".

        Category Instructions
        Hotfixes
        • Option 1 - only download the package:

          1. Select the package.

          2. Download the package:

            • Either select the package - click on More button
              on the toolbar, and click on Download:

            • Or right-click on the package and click on Download:

          3. You can pause the download at any time:

            • Either select the package and click
              on Pause button on the toolbar:

            • Or right-click on the package and click on Pause:

            The status of the package will change to "Pausing Download"
            and then to "Partially Downloaded":

          4. You can resume the download at any time:

            • Either select the package and click
              on Resume button on the toolbar:

            • Or right-click on the package and click on Resume:

            The status of the package will change to "Resuming Download"
            and then to "Downloading":

        • Option 2 - download and install the package in one step:

          • Either select the package and click
            on Install Update button on the toolbar:

          • Or right-click on the package and click on Install Update:

        Minor Versions (HFAs)
        and
        Major Versions
        1. Select the package.

        2. Download the package:

          • Either select the package - click
            on Download button on the toolbar:

          • Or right-click on the package and click on Download:

        3. You can pause the download at any time:

          • Either select the package and click
            on Pause button on the toolbar:

          • Or right-click on the package and click on Pause:

          The status of the package will change to "Pausing Download"
          and then to "Partially Downloaded":

        4. You can resume the download at any time:

          • Either select the package and click
            on Resume button on the toolbar:

          • Or right-click on the package and click on Resume:

          The status of the package will change to "Resuming Download"
          and then to "Downloading":

      6. Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".



    • (4-A-a-ii) Show / Hide online import instructions in Gaia Portal for Private Hotfixes / Jumbo Hotfix Accumulators

      1. Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

      2. Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

        In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
      3. Click on the Add hotfixes from the cloud button:

      4. A pop-up appears:

      5. Contact Check Point Support to get the relevant CPUSE Identifier.

        If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste
        the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page.

        Notes:

        • Currently, only the following keys are supported in this field: Left/Right arrow, Delete, Backspace.
        • Downloading the hotfix by its URL is not supported.
        • Packages that are not suitable for this machine, will not be available (e.g., if some Take of a Jumbo Hotfix Accumulator is installed, then Takes lower than the current Take will not be available).

        Examples:

        Example #1 Example #2
        1. Copy the hotfix name from Download Page on Check Point site:

        2. Paste the hotfix name in the pop-up search window:
        • CPUSE Identifier of a Jumbo Hotfix Accumulator is:
          Check_Point_R77_20_JUMBO_HF_1_Bundle_T23.tgz:
      6. Click on the magnifying glass icon to start the search.

        Example:

      7. When the package is found, it will be displayed as a link along with its title and release date.

        Example:

      8. Click on the package to add it to the list of available packages.

        Example:

      9. The package will be added with status Available for Download, and the filter will automatically change to show all packages.

      10. Verify the package - check whether this package can be installed without conflicts:

        • Either select the package - click on the More button on the toolbar - click on Verifier:

        • Or right-click on the package - click on Verifier:

        Result of this test should be:

        • Installation is allowed
        • Upgrade is allowed

        Examples:

        For Hotfix package: For Minor / Major Version:
      11. Download the package:

        Note: The download progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
        to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
        and in the output of Clish command "show installer package <Package_Number>".

        Option 1 - only download the package:

        Option 2 - download and install the package in one step:

        1. Select the package.

        2. Download the package:

          • Either select the package - click on More button
            on the toolbar, and click on Download:

          • Or right-click on the package and click on Download:

        3. You can pause the download at any time:

          • Either select the package and click
            on Pause button on the toolbar:

          • Or right-click on the package and click on Pause:

          The status of the package will change to "Pausing Download"
          and then to "Partially Downloaded":

        4. You can resume the download at any time:

          • Either select the package and click
            on Resume button on the toolbar:

          • Or right-click on the package and click on Resume:

          The status of the package will change to "Resuming Download"
          and then to "Downloading":

        • Either select the package and
          click on Install Update button on the toolbar:

        • Or right-click on the package and
          click on Install Update:

      12. If you only downloaded the package (without installing it), then proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".



  • (4-A-b) Show / Hide download and import instructions for Online procedure - Gaia Clish

    The online procedure in Gaia Clish can be used in the following cases:

    • Gaia machine is connected to the Internet (meaning, full access to Check Point Cloud - refer to section "System requirements and limitations" -
      requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
    • CPUSE package is available on the Check Point Cloud.
    • If this Gaia machine is running in VSX Mode, then refer to section "(2) System requirements and limitations" - subsection "H. VSX Gateways".

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    Procedures:

    • (4-A-b-i) Show / Hide online download instructions in Gaia Clish for Public Hotfixes / Minor Version / Major Version

      1. Connect to command line on Gaia machine.

      2. Log in to Clish.

      3. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override
      4. Check the available packages (run the relevant command):

        HostName:0> show installer packages recommended

        HostName:0> show installer packages available-for-download

        HostName:0> show installer package[press Space key][press Tab key]
        HostName:0> show installer package <Package_Number>
      5. Download the desired package from the Check Point Cloud:

        Note: The download progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and
        in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.

        HostName:0> installer download <Package_Number>
      6. You can pause the download at any time:

        HostName:0> installer download <Package_Number> pause
      7. You can resume the download at any time:

        HostName:0> installer download <Package_Number> resume
      8. Show the downloaded packages:

        HostName:0> show installer packages downloaded
      9. Verify the package - check whether this package can be installed without conflicts:

        HostName:0> installer verify <Package_Number>

        Result of this test should be:

        • For Hotfix package:

          Result: Installation is allowed
          Status: Available for Install
          
        • For Minor / Major Version:

          Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
          Status: Available for Install
          
      10. Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".



    • (4-A-b-ii) Show / Hide online import instructions in Gaia Clish for Private Hotfixes / Jumbo Hotfix Accumulators

      Note: Requires CPUSE build 802 and above.

      1. Connect to command line on Gaia machine.

      2. Log in to Clish.

      3. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override
      4. Import the desired package from the Check Point Cloud:

        HostName:0> installer import cloud <CPUSE_Identifier>

        Contact Check Point Support to get the relevant CPUSE Identifier.

        Note: Packages that are not suitable for this machine, will not be available.

        If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste
        the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:

        Examples:

        Example #1 Example #2
        1. Copy the hotfix name from Download Page on Check Point site:

        2. Use the hotfix name in the syntax
        • CPUSE Identifier of a Jumbo Hotfix Accumulator is:
          Check_Point_R77_20_JUMBO_HF_1_Bundle_T23.tgz
      5. Show the imported packages:

        HostName:0> show installer packages imported
      6. Verify the package - check whether this package can be installed without conflicts:

        HostName:0> installer verify[press Space key][press Tab key]
        HostName:0> installer verify <Package_Number>

        Result of this test should be:

        Result: Installation is allowed
        Status: Available for Install
        
      7. Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".



  • (4-A-c) Show / Hide import instructions for Offline procedure - Gaia Portal

    The offline import procedure in Gaia Portal can be used in the following cases:

    • Gaia machine is disconnected from the Internet (meaning, no access to Check Point Cloud).
    • CPUSE package is not available on the Check Point Cloud.
    • Although Gaia machine is connected to the Internet, administrator wishes to manually import a CPUSE package instead of downloading it from Check Point Cloud.
    • Gaia machine is not running in VSX Mode (in which case, Gaia Portal is not available).

    Notes:

    • Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already
      downloaded / installed (for package export instructions, refer to section "(4) How to work with CPUSE" - "(D) Additional information about Gaia Clish commands
      and Gaia Portal actions for CPUSE" - "Show / Hide how to export a CPUSE package in Gaia Portal"
      .
    • Requirements for free disk space exist.
    • For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    Import procedure for Offline CPUSE package / Exported CPUSE package:

    1. Make sure you have the relevant CPUSE offline package (TGZ file) / exported package (TAR file).

    2. Connect to Gaia Portal on the target Gaia OS.

    3. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    4. Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
    5. In the upper right corner, click on the Import Package button:

    6. In the Import Package window, click on Browse... - select the CPUSE offline package (TGZ file) / exported package (TAR file) - click on Import.

      Note: If the following error is displayed, then wrong package was uploaded (contact Check Point Support for assistance):

      Import Failed
      Cannot import package <Name_of_File>. It is not a valid CPUSE package.
      Refer to the package's official documentation to get a list of compatible machines. For more information, contact Check Point Technical Services.

      Example:

      • Popup at the bottom:
      • Event Log entry:
    7. Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):

    8. Verify the imported package - check whether this package can be installed without conflicts:

      • Either select the imported package - click on the More button on the toolbar - click on Verifier:

      • Or right-click on the imported package - click on Verifier:

      Result of this test should be:

      • Installation is allowed
      • Upgrade is allowed

      Examples:

      For Hotfix package: For Minor / Major Version:
    9. Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".



  • (4-A-d) Show / Hide import instructions for Offline procedure - Gaia Clish

    The offline import procedure in Gaia Clish can be used in the following cases:

    • Gaia machine is disconnected from the Internet (meaning, no access to Check Point Cloud).
    • CPUSE package is not available on the Check Point Cloud.
    • Although Gaia machine is connected to the Internet, administrator wishes to manually import a CPUSE package instead of downloading it from Check Point Cloud.
    • If this Gaia machine is running in VSX Mode, then refer to section "(2) System requirements and limitations" - subsection "H. VSX Gateways".

    Notes:

    • Requires CPUSE build 802 and above.
    • Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already
      downloaded / installed (for package export instructions, refer to section "(4) How to work with CPUSE" - "(D) Additional information about Gaia Clish commands
      and Gaia Portal actions for CPUSE" - "Show / Hide how to export a CPUSE package in Gaia Portal"
      .
    • Requirements for free disk space exist.
    • For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    Import procedure for Offline CPUSE package / Exported CPUSE package:

    1. Make sure you have the relevant CPUSE offline package (TGZ file) / exported package (TAR file).

    2. Transfer the CPUSE offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_package/).

    3. Connect to command line on the target Gaia OS.

    4. Log in to Clish.

    5. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    6. Import the package from the hard disk:

      Note: When import completes, this package is deleted from the original location.

      HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR>

      Example:
      HostName:0> installer import local /var/log/path_to_pkg/Check_Point_Hotfix_R77.tgz
    7. Show the imported packages:

      HostName:0> show installer packages imported
    8. Verify the package - check whether this package can be installed without conflicts:

      HostName:0> installer verify[press Space key][press Tab key]
      HostName:0> installer verify <Package_Number>

      Result of this test should be:

      • For Hotfix package:

        Result: Installation is allowed
        Status: Available for Install
        
      • For Minor / Major Version:

        Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
        Status: Available for Install
        
    9. Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".

 

(4-B) How to work with CPUSE - How to install a CPUSE package

Show this sub-section
  • (4-B-a) Show / Hide instructions for installing a Hotfix package / Minor Version package

    Note: Requirements for free disk space and limitations in VSX mode exist.

    • (4-B-a-i) Show / Hide installation instructions in Gaia Portal for Hotfixes

      1. All packages are displayed in categories and by default are filtered to view recommended packages only.

        Note: Use the filter button near the help icon and select the packages you wish to see:

      2. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        • Either select the package - click on the More button on the toolbar - click on Verifier:

        • Or right-click on the package - click on Verifier:

        Result of this test should be:

        • Installation is allowed

        Examples:

      3. Install the package:

        Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
        to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
        and in the output of Clish command "show installer package <Package_Number>".

        • Either select the package and click on Install Update button on the toolbar:

        • Or right-click on the package and click on Install Update:

      4. Machine is rebooted automatically (only if required so by the installed hotfix).



    • (4-B-a-ii) Show / Hide installation instructions in Gaia Portal for Minor Version

      1. All packages are displayed in categories and by default are filtered to view recommended packages only.

        Note: Use the filter button near the help icon and select the packages you wish to see:

      2. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        • Either select the package - click on the More button on the toolbar - click on Verifier:

        • Or right-click on the package - click on Verifier:

        Result of this test should be:

        • Installation is allowed

        Examples:

      3. Install the package:

        Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
        to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
        and in the output of Clish command "show installer package <Package_Number>".

        • Either select the package and click on Install Update button on the toolbar:

        • Or right-click on the package and click on Install Update:

      4. Machine is rebooted automatically.



    • (4-B-a-iii) Show / Hide installation instructions in Gaia Clish for Hotfixes

      Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

      1. Connect to command line on Gaia OS.

      2. Log in to Clish.

      3. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override
      4. Display the downloaded / available for install packages:

        HostName:0> show installer packages

        Example from R77.10:

        HostName:0> show installer packages
        **  ************************************************************************* **
        **                                 Hotfixes                                   **
        **  ************************************************************************* **
        Display name                                      Status
        Check_Point_Hotfix_R77_10_sk102673.tgz            Available for Install
        **  ************************************************************************* **
        **                                   HFAs                                     **
        **  ************************************************************************* **
        Display name                                      Status
        Check_Point_R77.10.tgz                            Installed
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Display name                                      Status
        Check_Point_R77.tgz                               Installed
        HostName:0>
        
      5. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        HostName:0> installer verify[press Space key][press Tab key]
        HostName:0> installer verify <Package_Number>

        Result of this test should be:

        Result: Installation is allowed
        Status: Available for Install
        
      6. Install the desired package:

        Note: The installation progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and
        in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.

        HostName:0> installer install[press Space key][press Tab key]
        HostName:0> installer install <Package_Number>

        Example from R77.10:

        HostName:0> installer install[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                 Hotfixes                                   **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   Check_Point_Hotfix_R77_10_sk102673.tgz            Hotfix
        HostName:0> installer install 1
        Initiating install of Check_Point_Hotfix_R77_10_sk102673.tgz...
        Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
        Result: Package Check_Point_Hotfix_R77_10_sk102673.tgz was installed successfully.
        Status: Installing (100%)
        
      7. Machine is rebooted automatically (only if required so by the installed hotfix).

        Note: If machine was not rebooted by the installed package, it might be necessary to connect to command line and to manually run the cpstart / mdsstart command.


    • (4-B-a-iv) Show / Hide installation instructions in Gaia Clish for Minor Version

      Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

      1. Connect to command line on Gaia machine.

      2. Log in to Clish.

      3. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override
      4. Display the downloaded / available for install packages:

        HostName:0> show installer packages

        Example from R77 being upgraded to R77.10:

        HostName:0> show installer packages
        **  ************************************************************************* **
        **                                   HFAs                                     **
        **  ************************************************************************* **
        Display name                                      Type
        Check_Point_R77.10.tgz                            HFA
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Display name                                      Type
        Check_Point_R77.tgz                               Major Version
        HostName:0>
        
      5. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        HostName:0> installer verify[press Space key][press Tab key]
        HostName:0> installer verify <Package_Number>

        Result of this test should be:

        Result: Installation is allowed
        Status: Available for Install
        
      6. Start the upgrade to Minor Version:

        HostName:0> installer install[press Space key][press Tab key]
        HostName:0> installer install <Package_Number>

        Note: Once you see "Extracting Bundle", press CTRL+C.

        Example from R77 being upgraded to R77.10:

        HostName:0> installer install[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                   HFAs                                     **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   Check_Point_R77.10.tgz                            HFA
        HostName:0> installer install 1
        Initiating install of Check_Point_R77.10.tgz...
        Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
        Extracting Bundle:             1%
        
      7. Get the Package Number of the package being installed:

        HostName:0> show installer package[press Space key][press Tab key]

        Example from R77 being upgraded to R77.10:

        HostName:0> show installer package[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                   HFAs                                     **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   Check_Point_R77.10.tgz                            HFA
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Num Display name                                      Type
        2   Check_Point_R77.tgz                               Major Version
        HostName:0>
        
      8. Monitor the installation progress:

        Repeatedly run this command and refer to the "Status" line:

        HostName:0> show installer package <Package_Number>

        Example from R77 being upgraded to R77.10:

        HostName:0> show installer package 1
        Display name:     Check_Point_R77.10.tgz
        Description:       Package R77.10 HFA contains: &
                          8226; Security Gateway / Security Management R77.10 -       Compressing Backup File:  30%         &
                          8226; UTM-1 Edge compatibility Package R77.10   &
                          8226; R71 Compatibility Package R77.10   &
                          8226; R75.20 Compatibility Package R77.10   &
                          8226; R75 Compatibility Package R77.10   &
                          8226; NGX Compatibility Package R77.10   &
                          8226; SFW Compatibility Package R77.10   &
                          8226; V40 Compatibility Package R77.10   &
                          8226; R75.40 Compatibility Package R77.10   &
                          8226; R75.40VS Compatibility Package R77.10   &
                          8226; R76 Compatibility Package R77.10   &
                          8226; Management Portal R77.10   &
                          8226; Mobile Access R77.10   &
                          8226; SmartLog R77.10   &
                          8226; GAIA R77.10   &
                          8226; Performance Pack R77.10   &
                          8226; UserAuthority Server R77.10   &
                          8226; SmartEvent and SmartReporter Suite R77.10   &
                          8226; MDS R77.10   Note: After the package is installed, the gateway reboots.
        Size:             283.31 MB
        Type:             HFA
        Status:           Installing (10%)
        Requires reboot:  No
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    N/A
        Imported on:      Mon Mar 14 18:11:37 2016
        Installed on:     N/A
        Installation log: /opt/CPInstLog//install_CPUpdates_BUNDLE_R77_10.log
        HostName:0>
        
        ... ... ...
        HostName:0> show installer package 1
        Display name:     Check_Point_R77.10.tgz
        Description:       Package R77.10 HFA contains:  &
                          8226;  Security Gateway / Security Management R77.10 - Installed   &
                          8226;  UTM-1 Edge compatibility Package R77.10 - Installed   &
                          8226;  R71 Compatibility Package R77.10 - Installed   &
                          8226;  R75.20 Compatibility Package R77.10 - Installed   &
                          8226;  R75 Compatibility Package R77.10 - Installed   &
                          8226;  NGX Compatibility Package R77.10 - Installed  &
                          8226; SFW Compatibility Package R77.10 -       Replacing Files:  60%         &
                          8226; V40 Compatibility Package R77.10   &
                          8226; R75.40 Compatibility Package R77.10   &
                          8226; R75.40VS Compatibility Package R77.10   &
                          8226; R76 Compatibility Package R77.10   &
                          8226; Management Portal R77.10   &
                          8226; Mobile Access R77.10   &
                          8226; SmartLog R77.10   &
                          8226; GAIA R77.10   &
                          8226; Performance Pack R77.10   &
                          8226; UserAuthority Server R77.10   &
                          8226; SmartEvent and SmartReporter Suite R77.10   &
                          8226; MDS R77.10   Note: After the package is installed, the gateway reboots.
        Size:             283.31 MB
        Type:             HFA
        Status:           Installing (20%)
        Requires reboot:  No
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    N/A
        Imported on:      Mon Mar 14 18:11:37 2016
        Installed on:     N/A
        Installation log: /opt/CPInstLog//install_CPUpdates_BUNDLE_R77_10.log
        HostName:0>
        ... ... ...
        
      9. Machine is rebooted automatically.

      10. After reboot, the machine is fully upgraded to the Minor Version.



  • (4-B-b) Show / Hide instructions for performing an upgrade to a Major Version

    Important Note: Existing OS settings and the Check Point Database are preserved during this procedure.

    Notes:

    • Requirements for free disk space and limitations in VSX mode exist.

    • Upgrade to a Major version is performed on a new hard disk partition, and the "old" partition is converted into Gaia Snapshot (the new partition space is taken from the un-partitioned space on the hard disk.

    • During an upgrade to a Major version, the CPUSE Agent copies the following files from the current version to the target version:

      • The current $CPDIR/database/*authkeys.C files are copied to the target $CPDIR/database/ directory
      • The current $FWDIR/lib/user.def file is copied to the target $FWDIR/lib/ directory
      • The current $FWDIR/lib/user_early.def file is copied to the target $FWDIR/lib/ directory
      • The current $FWDIR/lib//defaultfilter.boot file is copied to the target $FWDIR/conf/defaultfilter.pf file
      • The current /etc/fw.boot/ha_boot.conf file is copied to the target /etc/fw.boot/ directory
      • The current /etc/fw.boot/modules/fwkern.conf file is copied to the target /etc/fw.boot/modules/ directory
      • The current /etc/ppk.boot/boot/modules/sim_aff.conf file is copied to the target /etc/ppk.boot/boot/modules/ directory

    Instructions:

    • (4-B-b-i) Show / Hide upgrade instructions in Gaia Portal for Major Version

      1. All packages are displayed in categories and by default are filtered to view recommended packages only.

        Note: Use the filter button near the help icon and select the packages you wish to see:

      2. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        • Either select the package - click on the More button on the toolbar - click on Verifier:

        • Or right-click on the package - click on Verifier:

        Result of this test should be:

        • Installation is allowed
        • Upgrade is allowed

        Examples:

      3. Install the package:

        Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
        to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
        and in the output of Clish command "show installer package <Package_Number>".

        • Either select the package and click on Upgrade button on the toolbar:

          Example:
        • Or right-click on the package and click on Upgrade:

      4. CPUSE shows the following warning over Gaia Portal:

        After this upgrade, there will be an automatic reboot.
        (Existing OS settings and the Check Point Database are preserved.)

      5. Machine is rebooted automatically.

      6. If you connect to command line and log in, the following notification from CPUSE will be displayed above the prompt:

        Upgrade is still running. Log in to the Status and Actions page to see the progress.
      7. Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

      8. CPUSE shows the following pop-up over Gaia Portal:

        "Upgrade is still running. Log in to the Status and Actions page to see the progress."

        Example:
      9. Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

        In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
      10. Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):

      11. You will see the relevant progress (no need to refresh the page).

        Example from R75.46 Security Management Server being upgraded to R77:

        1. Upgrading Products

          Example:
        2. Importing Database

          Example:
        3. Configuring Products

        4. Creating SIC Data

        5. Stopping Processes

          Example:
        6. Starting Processes

        7. Installed, self-test passed

          Example:
      12. Manually install the policy:

        • If you upgraded a Security Management Server / Multi-Domain Security Management Server, then install the policy onto all managed Security Gateways / Clusters.
        • If you upgrade a Security Gateway / Cluster Members, then install the policy on this Security Gateway / Cluster.


    • (4-B-b-ii) Show / Hide upgrade instructions in Gaia Clish for Major Version

      Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

      1. Connect to command line on Gaia machine.

      2. Log in to Clish.

      3. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override
      4. Display the downloaded / available for install packages:

        HostName:0> show installer packages

        Example from R75.46 being upgraded to R77 (clean install):

        HostName:0> show installer packages
        **  ************************************************************************* **
        **                                 Hotfixes                                   **
        **  ************************************************************************* **
        Display name                                      Status
        HOTFIX_R75.46                                     Installed (Legacy)
        R75.46                                            Installed (Legacy)
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Display name                                      Status
        Check_Point_R77.tgz                               Available for Install
        HostName:0>
        
        HostName:0> show installer packages downloaded
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Display name                                      Type
        Check_Point_R77.tgz                               Major Version
        HostName:0>
        
      5. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        HostName:0> installer verify[press Space key][press Tab key]
        HostName:0> installer verify <Package_Number>

        Result of this test should be:

        Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
        Status: Available for Install
        
      6. Start the upgrade to Major Version:

        HostName:0> installer upgrade[press Space key][press Tab key]
        HostName:0> installer upgrade <Package_Number>

        Note: Once you see "Validating Install", press CTRL+C.

        Example from R75.46 being upgraded to R77 (clean install):

        HostName:0> installer upgrade[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   Check_Point_R77.tgz                               Major Version
        HostName:0> installer upgrade 1
        The machine will automatically reboot after installation (y/n) [n]  y
        
        Initiating upgrade of Check_Point_R77.tgz...
        Note:      After this upgrade, there will be an automatic reboot.
        Existing OS settings and the Check Point Database are preserved.
        Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
        Validating Install:            5%
        
      7. Get the Package Number of the package being installed:

        HostName:0> show installer package[press Space key][press Tab key]

        Example from R75.46 being upgraded to R77:

        HostName:0> show installer package[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                 Hotfixes                                   **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   R75.46                                            Legacy Mini-Wrapper
        2   HOTFIX_R75.46                                     Legacy Mini-Wrapper
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Num Display name                                      Type
        3   Check_Point_R77.tgz                               Major Version
        HostName:0>
        
      8. Monitor the installation progress:

        Repeatedly run this command and refer to the "Status" line:

        HostName:0> show installer package <Package_Number>

        Example from R75.46 being upgraded to R77 (clean install):

        HostName:0> show installer package 3
        Display name:     Check_Point_R77.tgz
        Description:      No Description
        Size:             1.18 GB
        Type:             Major Version
        Status:           Installing (13%)
        Requires reboot:  Yes
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    Thu Mar  3 19:56:01 2016
        Imported on:      N/A
        Installed on:     N/A
        Installation log: /opt/CPInstLog//install_Major_R77.log
        HostName:0>
        
        ... ... ...
        HostName:0> show installer package 3
        ... ... ...
        
        HostName:0> show installer package 3
        Display name:     Check_Point_R77.tgz
        Description:      No Description
        Size:             1.18 GB
        Type:             Major Version
        Status:           Installing (100%)
        Requires reboot:  Yes
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    Thu Mar  3 19:56:01 2016
        Imported on:      N/A
        Installed on:     Thu Mar  3 20:31:53 2016
        Installation log: /opt/CPInstLog//install_Major_R77.log
        HostName:0>
        
      9. Machine is rebooted automatically.

      10. If you connect to command line and log in, the following notification from CPUSE will be displayed above the prompt:

        Upgrade is still running. Log in to the Status and Actions page to see the progress.
      11. Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

      12. CPUSE shows the following pop-up over Gaia Portal:

        "Upgrade is still running. Log in to the Status and Actions page to see the progress."

        Example:
      13. Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

        In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
      14. Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):

      15. You will see the relevant progress (no need to refresh the page).

        Example from R75.46 Security Management Server being upgraded to R77:

        1. Upgrading Products

          Example:
        2. Importing Database

          Example:
        3. Configuring Products

        4. Creating SIC Data

        5. Stopping Processes

          Example:
        6. Starting Processes

        7. Installed, self-test passed

          Example:
      16. Manually install the policy:

        • If you upgraded a Security Management Server / Multi-Domain Security Management Server, then install the policy onto all managed Security Gateways / Clusters.
        • If you upgrade a Security Gateway / Cluster Members, then install the policy on this Security Gateway / Cluster.


  • (4-B-c) Show / Hide instructions for performing a clean install of a Major Version

    Note: Requirements for free disk space and limitations in VSX mode exist.

    Important Note: Existing OS settings and the Check Point Database will be overwritten during this procedure.

    • (4-B-c-i) Show / Hide clean install instructions in Gaia Portal for Major Version

      1. All packages are displayed in categories and by default are filtered to view recommended packages only.

        Note: Use the filter button near the help icon and select the packages you wish to see:

      2. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        • Either select the package - click on the More button on the toolbar - click on Verifier:

        • Or right-click on the package - click on Verifier:

        Result of this test should be:

        • Installation is allowed
        • Upgrade is allowed

        Examples:

      3. Install the package:

        Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
        to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
        and in the output of Clish command "show installer package <Package_Number>".

        • Either select the package and click on Clean Install button on the toolbar.

          Example:
        • Or right-click on the package and click on Clean Install:

      4. Machine is rebooted automatically.

      5. Connect to Gaia Portal and complete the First Time Configuration Wizard.



    • (4-B-c-ii) Show / Hide clean install instructions in Gaia Clish for Major Version

      Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

      1. Connect to command line on Gaia machine.

      2. Log in to Clish.

      3. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override
      4. Display the downloaded / available for install packages:

        HostName:0> show installer packages

        Example from R75.46 being upgraded to R77 (clean install):

        HostName:0> show installer packages
        **  ************************************************************************* **
        **                                 Hotfixes                                   **
        **  ************************************************************************* **
        Display name                                      Status
        HOTFIX_R75.46                                     Installed (Legacy)
        R75.46                                            Installed (Legacy)
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Display name                                      Status
        Check_Point_R77.tgz                               Available for Install
        HostName:0>
        
        HostName:0> show installer packages downloaded
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Display name                                      Type
        Check_Point_R77.tgz                               Major Version
        HostName:0>
        
      5. Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:

        HostName:0> installer verify[press Space key][press Tab key]
        HostName:0> installer verify <Package_Number>

        Result of this test should be:

        Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
        Status: Available for Install
        
      6. Start the clean install of Major Version:

        HostName:0> installer install[press Space key][press Tab key]
        HostName:0> installer install <Package_Number>

        Note: Once you see "Validating Install", press CTRL+C.

        Example from R75.46 being upgraded to R77 (clean install):

        HostName:0> installer install[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   Check_Point_R77.tgz                               Major Version
        HostName:0> installer install 1
        The machine will automatically reboot after installation (y/n) [n]  y
        
        Initiating install of Check_Point_R77.tgz...
        Note:      This installs a new machine.
        Existing OS settings and the Check Point Database will be overwritten.
        There will be an automatic reboot.
        Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
        Validating Install:            5%
        
      7. Get the Package Number of the package being installed:

        HostName:0> show installer package[press Space key][press Tab key]
      8. Monitor the installation progress:

        Repeatedly run this command and refer to the "Status" line:

        HostName:0> show installer package <Package_Number>

        Example from R75.46 being upgraded to R77 (clean install):

        HostName:0> show installer package 3
        Display name:     Check_Point_R77.tgz
        Description:      No Description
        Size:             1.18 GB
        Type:             Major Version
        Status:           Installing (13%)
        Requires reboot:  Yes
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    Thu Mar  3 19:56:01 2016
        Imported on:      N/A
        Installed on:     N/A
        Installation log: /opt/CPInstLog//install_Major_R77.log
        HostName:0>
        
        ... ... ...
        HostName:0> show installer package 3
        ... ... ...
        
        HostName:0> show installer package 3
        Display name:     Check_Point_R77.tgz
        Description:      No Description
        Size:             1.18 GB
        Type:             Major Version
        Status:           Installing (100%)
        Requires reboot:  Yes
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    Thu Mar  3 19:56:01 2016
        Imported on:      N/A
        Installed on:     Thu Mar  3 20:06:30 2016
        Installation log: /opt/CPInstLog//install_Major_R77.log
        HostName:0>
        
      9. Machine is rebooted automatically.

      10. Connect to command line on Gaia machine.

      11. Log in.

      12. Gaia OS prompts to run the First Time Configuration Wizard.

        Example from R75.46 being upgraded to R77 (clean install):

        login as: admin
        This system is for authorized use only.
        admin@172.30.41.100's password:
        Last login: Thu Mar  3 13:08:47 2016
        In order to configure your system, please access the Web UI and finish the First Time Wizard.
        gw-aa7bc3>
        
        gw-aa7bc3> show installer package[press Space key][press Tab key]
        **  ************************************************************************* **
        **                                  Majors                                    **
        **  ************************************************************************* **
        Num Display name                                      Type
        1   Check_Point_R77.tgz                               Major Version
        gw-aa7bc3> show installer package 1
        Display name:     Check_Point_R77.tgz
        Description:      No Description
        Size:             1.18 GB
        Type:             Major Version
        Status:           Installed
        Requires reboot:  Yes
        Recommended:      No
        Contains:         None
        Contained-in:     None
        Downloaded on:    N/A
        Imported on:      N/A
        Installed on:     N/A
        Installation log: N/A
        gw-aa7bc3>
        
      13. Connect to Gaia Portal and complete the First Time Configuration Wizard.

 

(4-C) How to work with CPUSE - How to uninstall a CPUSE package

Show / Hide this sub-section

Notes:

  • CPUSE supports uninstall only of a Hotfix package, or of a Minor Version:

    Refer to sk107320 - How to know if a hotfix on Gaia OS was installed via CPUSE of via Legacy CLI.

    • When running CPUSE Agent build 1127 and above:
      • If a Hotfix / Minor Version package was installed using Legacy CLI, then it can be uninstalled using the CPUSE.
      • If a Hotfix / Minor Version package was installed using CPUSE, then it must be uninstalled using CPUSE.
    • When running CPUSE Agent build 1005 and lower:
      • If a Hotfix / Minor Version package was installed using CPUSE, then it must be uninstalled using CPUSE.
      • If a Hotfix / Minor Version package was installed using Legacy CLI, then it must be uninstalled using Legacy CLI.
  • To uninstall a Major Version, machine should be reverted to the previous snapshot.


Where to uninstall How to uninstall
Gaia Portal

Note: The uninstall progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
and in the output of Clish command "show installer package <Package_Number>".

  • Either select the package - click on More button on the toolbar, and click on Uninstall:
    (Note: Machine is rebooted automatically)

    Example:
  • Or right-click on the package and click on Uninstall:
    (Note: Machine is rebooted automatically)

Gaia Clish

Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

  1. Connect to command line on Gaia machine.

  2. Log in to Clish.

  3. Acquire the lock over Gaia configuration database:

    HostName:0> lock database override
  4. Show the installed packages:

    HostName:0> show installer packages installed
  5. Uninstall the desired package:

    Note: The uninstall progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and
    in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.

    HostName:0> installer uninstall[press Space key][press Tab key]
    HostName:0> installer uninstall <Package_Number>
  6. Machine is rebooted automatically (if required so by the uninstalled package).

 

(4-D) "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)

Show this sub-section
  • Show / Hide available Clish commands for CPUSE

    The following command are available in Gaia Clish to work with CPUSE:

    1. Connect to command line on Gaia machine.

    2. Log in to Clish.

    3. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    4. Run the relevant Clish commands:

      Table of Contents for relevant actions:

      1. Show the CPUSE Packages, Status and Agent Policy
      2. Set the CPUSE Agent Policy and Mail Notifications
      3. Download, Install, Import a CPUSE package
      # Action Commands
      1 Show the CPUSE Packages, Status and Agent Policy:

      Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Reviewing CPUSE - clish".

      HostName:0> show installer
      mail-notifications - Show mail notifications for user
      package            - Show information about a specific package
      packages           - Show packages information
      policy             - Show policies configurations
      status             - Show status
      HostName:0>
      

      where the full syntax is:

      • HostName:0> show installer mail-notifications {<e-mail> | <user_number>}
        Shows for which categories mail notifications were configured for specific user

        Specific commands:

        HostName:0> show installer mail-notifications <e-mail>

        HostName:0> show installer mail-notifications[press Space key][press Tab key]
        HostName:0> show installer mail-notifications <user_number>
      • HostName:0> show installer package <Package_Number>
        Shows complete information about a specific package (name, size, status, what packages it contains, etc.)

      • HostName:0> show installer packages {all}
        Shows brief information (name and status) about all packages in all categories

        HostName:0> show installer packages available-for-download
        Shows only packages with status "Available for Download" and "Partially Downloaded"
        HostName:0> show installer packages downloaded
        Shows only packages with status "Downloaded"
        HostName:0> show installer packages imported
        Shows only packages that were imported
        HostName:0> show installer packages installed
        Shows only packages that were installed
        HostName:0> show installer packages recommended
        Shows only recommended packages

      • HostName:0> show installer policy {all}
        Shows CPUSE policy (how often to check for updates, which self tests to perform, etc.)

        HostName:0> show installer policy check-for-updates-period
        Shows how often CPUSE Agent checks for packages updates
        HostName:0> show installer policy downloads
        Shows download policy for "Hotfixes" (automatic / manual / scheduled)
        HostName:0> show installer policy periodically-self-update
        Shows if CPUSE Agent will periodically check for newer CPUSE builds
        HostName:0> show installer policy self-test {all | auto-rollback | install-policy | network-link-up | start-processes}
        Shows which sanity tests CPUSE Agent performs after installing a CPUSE package
        HostName:0> show installer policy send-cpuse-data
        Shows if CPUSE Agent sends statistics to Check Point about about download and installation of packages

      • HostName:0> show installer status {all}
        Shows CPUSE Agent status (enabled or not, build, license, connected or not, etc.)

        HostName:0> show installer status agent
        Shows if CPUSE Agent is enabled or not
        HostName:0> show installer status build
        Shows CPUSE Agent build
        HostName:0> show installer status connection
        Shows if CPUSE Agent is connected or not
        HostName:0> show installer status license
        Shows if license for CPUSE Agent is valid or not
        HostName:0> show installer status update-from-cloud
        Shows when CPUSE Agent perform last check for new relevant CPUSE packages

      2 Set the CPUSE Agent
      Policy and Mail Notifications

      Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Configuring a CPUSE Policy - clish",
      and section "Configuring CPUSE Mail Notifications - clish".

      HostName:0> set installer
      mail-notifications - Set mail notifications policy
      policy             - Set policies
      HostName:0>
      

      where the full syntax is:

      • HostName:0> set installer mail-notifications {<e-mail> | <user_number>} {download-status | install-status | new-available-packages} {on | off}
        Defines for which categories CPUSE Agent sends mail notifications to specific user

        Specific commands:

        HostName:0> set installer mail-notifications <e-mail> download-status {on | off}
        or
        HostName:0> set installer mail-notifications[press Space key][press Tab key]
        HostName:0> set installer mail-notifications <user_number> download-status {on | off}
        Configures CPUSE Agent whether to send mail notifications to specific user when packages are available for download

        HostName:0> set installer mail-notifications <e-mail> install-status {on | off}
        or
        HostName:0> set installer mail-notifications[press Space key][press Tab key]
        HostName:0> set installer mail-notifications <user_number> install-status {on | off}
        Configures CPUSE Agent whether to send mail notifications to specific user when a package was installed

        HostName:0> set installer mail-notifications <e-mail> new-available-packages {on | off}
        or
        HostName:0> set installer mail-notifications[press Space key][press Tab key]
        HostName:0> set installer mail-notifications <user_number> new-available-packages {on | off}
        Configures CPUSE Agent whether to send mail notifications to specific user when new packages are available

        Notes:

        • This setting configures Gaia OS to sent e-mail notifications about Software Updates for following categories:
          1. Download Status
          2. Install Status
          3. New Available Packages
        • If mail server is not configured yet, then configure the mail server and the root user for that mail server:
          HostName:0> set mail-notification server <SERVER_HOST_or_IP_ADDRESS>
          HostName:0> set mail-notification username <ROOT_USER@MAIL_DOMAIN>
          HostName:0> save config
        • Currently, it is not possible to view the e-mail notifications settings in Clish (only to configure).
          To verify the e-mail notifications settings in Expert mode:
          1. Connect to command line on Gaia machine.
          2. Log in to Expert mode.
          3. Check the relevant lines in Gaia configuration database - search for Mail Domain:
            [Expert@HostName:0]# grep "Configured_Mail_Domain" /config/db/initial
            Example for "mail.company.com":
            [Expert@HostName:0]# grep 'company' /config/db/initial
            ssmtp:root root_user@mail.company.com
            ssmtp:mailhub mail.company.com
            installer:mail_notifications:user_3@mail.company.com:d_status true
            installer:mail_notifications:user_3@mail.company.com:available true
            installer:mail_notifications:user_2@mail.company.com 1
            installer:mail_notifications:user_2@mail.company.com:i_status true
            installer:mail_notifications:user_2@mail.company.com:d_status false
            installer:mail_notifications:user_2@mail.company.com:available false
            installer:mail_notifications:user_1@mail.company.com 1
            installer:mail_notifications:user_1@mail.company.com:i_status true
            installer:mail_notifications:user_1@mail.company.com:d_status true
            installer:mail_notifications:user_1@mail.company.com:available true
            [Expert@HostName:0]#
            

            Legend:

            Notification category Attribute in Gaia Database Clarification
            Install Status i_status
            • If the category was enabled, then the corresponding attribute will appear with value true.
            • If the category was never enabled, then the corresponding attribute will not appear at all.
            • If the category was never disabled, then the corresponding attribute will appear with value false.
            Download Status d_status
            New Available Packages available
      • HostName:0> set installer policy check-for-updates-period <Time_in_Hours>
        Sets the period, in hours, between checks for available packages in the cloud.

        Note: When updating CPUSE Agent from build 839, it is necessary to restart all Clish daemons
        for this Clish command to become available (does not apply if updating from older CPUSE builds) -
        refer to section "(3) Download the latest build of CPUSE Agent and What's New" -
        Step "(3-C) How to manually install the CPUSE Agent package" - Step 5.

        • Default value = 3 hours
        • Valid values = 0 - 240 hours (set 0 to disable these checks)

        Note: The configured period is saved in Gaia Database in seconds.
        Example for value of 2 hours:

        [Expert@HostName:0]# grep check_for_updates_period /config/db/initial
        installer:check_for_updates_period 7200
      • HostName:0> set installer policy downloads {automatic | manual | scheduled {daily <Time> | monthly <Day> at <Time> | once <date> at <Time> | weekly <Day_of_the_Week> at <Time>}
        Defines how CPUSE Agent should download "Hotfixes" packages

        Specific commands:

        HostName:0> set installer policy downloads automatic
        Configures CPUSE Agent to download packages when they become available

        HostName:0> set installer policy downloads manual
        Configures CPUSE Agent to download packages only manually

        HostName:0> set installer policy downloads scheduled daily <Time>
        HostName:0> set installer policy downloads scheduled monthly <Day> at <Time>
        HostName:0> set installer policy downloads scheduled once <date> at <Time>
        HostName:0> set installer policy downloads scheduled weekly <Day_of_the_Week> at <Time>
        Configures CPUSE Agent to download packages based on a schedule

        These settings control how to download CPUSE packages of "Hotfixes" (does not apply to "Minor Versions (HFAs)" / "Major Versions" packages):

        automatic If enabled, CPUSE Agent downloads packages when they become available:
        • immediately after the Gaia OS boots up
        • each time "Status and Actions" page is accessed in Gaia Portal
        • every time period defined with "set installer policy check-for-updates-period <Time_in_Hours>" command
        manual If enabled, CPUSE Agent downloads packages only manually
        scheduled If enabled, CPUSE Agent downloads packages only at a scheduled time
      • HostName:0> set installer policy periodically-self-update {on | off}
        Defines if CPUSE Agent should periodically check for and installer newer CPUSE builds

        Notes:

        • If this setting is enabled (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for
          download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").

        • If this setting is disabled, then:

          1. If administrator attempts to install any other software update, a warning will appear saying
            that CPUSE (Gaia Software Updates) Agent must be updated first.
          2. The following setting is added to the Gaia Database: installer:self_update_policy_no_permission 1
            (this attribute is removed when this box is checked).
      • HostName:0> set installer policy self-test {auto-rollback | install-policy | network-link-up | start-processes} {on | off}
        Defines which sanity tests CPUSE Agent performs after installing a CPUSE package

        Specific commands:

        HostName:0> set installer policy self-test auto-rollback {on | off}
        HostName:0> set installer policy self-test install-policy {on | off}
        HostName:0> set installer policy self-test network-link-up {on | off}
        HostName:0> set installer policy self-test start-processes {on | off}

        These settings are used for sanity checks after installing a CPUSE package:

        auto-rollback If enabled, CPUSE runs a fall-back procedure if the installed package fails one of the sanity tests
        (automatically restores the version that was active before the package was installed
        and sends a notification that the installation failed)
        install-policy If enabled, CPUSE makes sure that it is possible to install a policy
        network-link-up If enabled, CPUSE makes sure that all the configured network interfaces on the Gaia machine are up
        start-processes If enabled, CPUSE makes sure that Check Point processes are running
      • HostName:0> set installer policy send-cpuse-data {on | off}

        Note: If setting is enabled (default), then Gaia OS sends the following statistics to Check Point about each deployment phase:

        • enabled features (based on license "CK")
        • name of the software update
        • whether the download succeeded
        • whether the installation/rollback succeeded
        • whether the uninstall succeeded
        • build of installed CPUSE Agent
        • list of installed hotfixes
        • if an operation on a package failed (e.g., download / installation), then relevant logs and Check Point Registry

        This information is collected to monitor and improve the Software Updates on the Check Point Download Center.

      3 Download, Install, Import a CPUSE package:

      Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Downloading and Installing with CPUSE - clish".

      HostName:0> installer 
      agent                - Perform Deployment agent actions
      check-for-updates    - Check for new available packages in Check Point cloud
      delete               - Delete package
      download             - Download package
      download-and-install - Download and install package
      import               - Import package
      install              - Install package
      uninstall            - Uninstall package
      upgrade              - Upgrade to a new major version
      verify               - Verify if package is compatible with this machine
      HostName:0>
      

      where the syntax is:

      • HostName:0> installer agent disable

        Disables CPUSE Agent
        Notes:
        • This command disables all CPUSE Agent actions
        • This command survives reboot
        • This command is used with the "installer agent enable" command
          Important: Must wait at least 10 seconds after running the "installer agent disable" command and before running the "installer agent enable" command; and vice versa

        HostName:0> installer agent enable

        Enables CPUSE Agent (if it was disabled with "installer agent disable")
        Notes:
        • This command enables all CPUSE Agent actions
        • This command survives reboot
        • This command is used with the "installer agent disable" command
          Important: Must wait at least 10 seconds after running the "installer agent disable" command and before running the "installer agent enable" command; and vice versa

        HostName:0> installer agent start

        Starts CPUSE Agent (if it was stopped with "installer agent stop")
        Notes:
        • This command starts all CPUSE Agent actions
        • This command survives reboot
        • This command is used with the "installer agent stop" command
          Important: Must wait at least 10 seconds after running the "installer agent stop" command and before running the "installer agent start" command; and vice versa
        • When running this command, the error "NMINST9999  Timeout waiting for response from database server" might appear, although the command worked; if you run this command again, the message "Deployment agent is already running" will appear

        HostName:0> installer agent stop

        Stops CPUSE Agent
        Notes:
        • This command stops all CPUSE Agent actions
        • This command does not survive reboot
        • This command is used with the "installer agent start" command
          Important: Must wait at least 10 seconds after running the "installer agent stop" command and before running the "installer agent start" command; and vice versa

        HostName:0> installer agent update [not-interactive]
        Forces CPUSE Agent to check for and install a newer CPUSE build

      • HostName:0> installer check-for-updates [not-interactive]
        Forces CPUSE Agent to check for new available packages in Check Point cloud

      • HostName:0> installer delete {<Package_Number> | <Package_Name>} [not-interactive]
        Deletes the specified CPUSE package

      • HostName:0> installer download {<Package_Number> | <Package_Name>} [pause | resume | not-interactive]
        Starts the download of the specified CPUSE package

        HostName:0> installer download {<Package_Number> | <Package_Name>} not-interactive
        Starts the download of the specified CPUSE package without waiting for result

        HostName:0> installer download {<Package_Number> | <Package_Name>} pause
        Pauses the download of the specified CPUSE package

        HostName:0> installer download {<Package_Number> | <Package_Name>} resume
        Resumes the download of the specified CPUSE package

      • HostName:0> installer download-and-install {<Package_Number> | <Package_Name>} [not-interactive]
        Downloads and installs the specified CPUSE package in "Hotfixes" category in one step

      • HostName:0> installer import cloud <CPUSE_Identifier> [not-interactive]
        Imports the specified CPUSE package from Check Point cloud

        HostName:0> installer import ftp <IPv4_Address> path <Path> username <Username> [password <Password>] [not-interactive]
        Imports the specified CPUSE package from an FTP server

        HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR> [not-interactive]
        Imports the specified CPUSE package from a local directory

      • HostName:0> installer install {<Package_Number> | <Package_Name>} [not-interactive]
        Installs the specified CPUSE package

      • HostName:0> installer uninstall {<Package_Number> | <Package_Name>} [not-interactive]
        Uninstalls the specified CPUSE package

      • HostName:0> installer upgrade {<Package_Number> | <Package_Name>} [not-interactive]
        Starts the upgrade to Major Version using the specified CPUSE package

      • HostName:0> installer verify {<Package_Number> | <Package_Name>} [not-interactive]}
        Verifies if the specified CPUSE package can be installed without conflicts

      The progress (in per cent) of the download / install / uninstall actions is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
      to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
      and in the output of Clish command "show installer package <Package_Number>".



  • Show / Hide information about Important Messages

    This section (yellow rectangular at the top) shows important static messages - e.g., about CPUSE license, whether a reboot / restart of Check Point services is required.

    Example:

  • Show / Hide information about Important Notifications in status bar

    1. Important notifications appear for several seconds in status bar at the bottom of Gaia Portal in yellow pop-up (these are important messages and are saved in the CPUSE Agent log files /opt/CPInstLog/DeploymentAgent.log.*).

      Example:

    2. To see these important messages, click on the "up arrows" icon on the right side of the status bar pane:

    3. A pop-up window appears:

      • This window displays the log only for the last 10 minutes.
      • Events in this window are displayed in the ascending order (the latest event is at the top)
      • Events in the pop-up are marked by different icons:
        • - Information
        • - Success
        • - Warning
        • - Error

      Example:



  • Show / Hide information about Event Log

    Note: To see complete technical details about the operations performed by CPUSE (Gaia Software Updates) Agent, refer to /opt/CPInstLog/DeploymentAgent.log.* files.

    The general messages from CPUSE Agent are displayed in the Event Log.

    In "Gaia Portal" - go to "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) -
    click on "Status and Actions" page - scroll to the bottom - click on "Event Log" button:

    Notes:

    • This window displays the general messages only for the last 10 minutes.
    • Events in this window are displayed in the ascending order (the latest event is at the top).
    • To see the full log file, click on the Save full event log button in the upper right corner.
      Web browser will save the /opt/CPInstLog/DA_UI.log file to your computer (events in this file appear in the descending order - the latest event is at the bottom).
    • Events in the pop-up are marked by different icons:
      • - Information
      • - Success
      • - Warning
      • - Error

    Example:

  • Show / Hide how to check the Take number of the installed Gaia OS

    Gaia Take number is displayed near the version.

    Example:

  • Show / Hide how to see the list of all currently installed hotfixes / how to see the build of the installed CPUSE Agent

    To see the list of currently installed hotfixes, or version (build) of the installed CPUSE Deployment Agent:

    1. Click on the "Hotfixes" link near the version.

      Example:

    2. A pop-up "Hotfixes Information" appears.
      Build of the installed CPUSE Deployment Agent is displayed at the bottom.

      Note: You can select and copy the entire text inside this window.

      Example:



  • Show / Hide information about the help icon

    It is a link to this article (sk92449):

  • Show / Hide information about the "More" menu / right-click menu

    Additional operations on the package are available in the "More" button menu, or in the right-click menu.

    The operations vary depending on the status of the package:

    • Operations for package in status "Available for Download":

    • Operations for package in status "Downloaded Successfully":

    • Operations for package in status "Installed, self-test passed":



  • Show / Hide how to save a CPUSE package install log in Gaia Portal

    After a package is installed, user can see the package installation log in Gaia Portal in one of these two ways:

    Note: The package installation log is located in /opt/CPInstLog/ directory.

    Way 1 Way 2
    1. Select the installed package
    2. Click on More button on the toolbar
    3. Click on Save Install Log

    1. Right-click on the installed package
    2. Click on Save Install Log



  • Show / Hide information about categories of CPUSE packages

    All packages (available and installed) are displayed on Status and Actions page in categories (click on the category title to see the explanation):

    Category Explanation (refer to sk95746)
    Hotfixes Check Point's software updates and Jumbo Hotfix Accumulators, for security fixes and feature improvement.
    Released after fixes for issue(s) were developed and tested.
    Minor Versions (HFAs) Maintenance releases on top of major releases. Include the latest fixes released to customers.
    Major Versions Introduce new functionalities and cutting edge innovative technologies to the market while maintaining high product quality.

    All packages are displayed in a hierarchy - parent package and its child packages are nested.

    Notes (see example screenshots below):

    • Each category can be collapsed or expanded by clicking on the category title.
      When clicking on the category title, the explanation about the category is displayed in the right section.
    • The number of packages in each category appears to the right of the category title (in the end of the line).
      The displayed number of packages depends on the current filter (see the next bullet).
    • If there are no available / installed packages in the category, then no number will be displayed.
    • If all the recommended packages in the category were already installed, then it will show "Aligned with the latest version".
    • The recommended software updates are marked by a yellow star on the package icon
      (Note: this yellow star appears only if the Gaia machine is connected to the Internet (this information is obtained from Check Point Cloud).
    • Software packages (e.g., hotfixes) that were installed using Legacy CLI will be displayed with status "Installed" and
      will be grayed out (refer to sk107320 - How to know if a hotfix on Gaia OS was installed via CPUSE of via Legacy CLI).
    • Software packages that were installed as part of another package (an accumulative hotfix that includes several hotfixes inside,
      or an HFA that includes several package) will be displayed with status "Installed As Part Of Another Package" and will be grayed out.

    Examples:

    • Only recommended packages:

    • All packages:



  • Show / Hide how to filter the displayed CPUSE packages

    You can use the filter button near the help icon and select the packages you wish to see:

    • Recommended (default)
    • Installed
    • All
  • Show / Hide how to see information about a CPUSE package

    Click on a package to see additional information about the package.
    This information is displayed in the right section.
    The following items are displayed about the package:

    • File Name
    • Package Size
    • Package Type
    • Release Date
    • Downloaded On
    • Installed On
    • Status
    • Important Message
    • Description
    • Contained in
    • Contains the following packages

    Example:



  • Show / Hide how to export a CPUSE package in Gaia Portal

    A package that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to be
    transferred to another Gaia machine (for example, if another Gaia machine is disconnected from the Internet):

    Note: Currently, this operation is available only in Gaia Portal.

    1. Export the package in one of these two ways:

      Way 1 Way 2
      1. Select the package
      2. Click on More button on the toolbar
      3. Click on Export Package

      1. Right-click on the package
      2. Click on Export Package

    2. The package will be saved on your computer as a special TAR archive file that contains the necessary files.



  • Show / Hide how to import a CPUSE package

    Note: Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already
    downloaded / installed (see the instructions how to export a CPUSE package in Gaia Portal).

    In Gaia Portal In Gaia Clish
    1. Connect to Gaia Portal on the target Gaia OS.

    2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    3. Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
    4. In the upper right corner, click on the Import Package button:

    5. In the Import Package window, click on Browse... - select the CPUSE offline package (TGZ file) / exported package (TAR file) - click on Import.

      Note: If the following error is displayed, then wrong package was uploaded (contact Check Point Support for assistance):

      Import Failed
      Cannot import package <Name_of_File>. It is not a valid CPUSE package.
      Refer to the package's official documentation to get a list of compatible machines. For more information, contact Check Point Technical Services.

      Example:

      • Popup at the bottom:
      • Event Log entry:

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    1. Transfer the CPUSE offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_package/).

    2. Connect to command line on the target Gaia OS.

    3. Log in to Clish.

    4. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    5. Import the package from the hard disk:

      Note: When import completes, this package is deleted from the original location.

      HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR>

      Example:
      HostName:0> installer import local /var/log/path_to_pkg/Check_Point_Hotfix_R77.tgz
    6. Show the imported packages:

      HostName:0> show installer packages imported


  • Show / Hide how to verify a CPUSE package

    Verify the package to check whether this package can be installed without conflicts:

    In Gaia Portal In Gaia Clish
    1. Connect to Gaia Portal.

    2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    3. Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
    4. Initiate the Verifier:

      • Either select the package - click on the More button on the toolbar - click on Verifier:

      • Or right-click on the package - click on Verifier:

    5. Result of this test will be displayed in a pop-up.

      • Installation is allowed
      • Upgrade is allowed

      Examples:

      • For Hotfix package

      • For Minor / Major Version

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    1. Connect to command line on the target Gaia OS.

    2. Log in to Clish.

    3. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    4. Show the relevant packages:

      HostName:0> show installer packages {available-for-download | downloaded | imported | recommended}

      Specific commands:
      HostName:0> show installer packages available-for-download
      HostName:0> show installer packages downloaded
      HostName:0> show installer packages imported
      HostName:0> show installer packages recommended
    5. Verify the package - check whether this package can be installed without conflicts:

      HostName:0> installer verify[press Space key][press Tab key]
      HostName:0> installer verify <Package_Number>

      Result of this test should be:

      • For Hotfix package:

        Result: Installation is allowed
        Status: Available for Install
      • For Minor / Major Version:

        Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
        Status: Available for Install


  • Show / Hide how to add a CPUSE package for specific hotfix from Check Point Cloud

    Note: This requires connection to the Internet and to Check Point Cloud (refer to section "System requirements and limitations" -
    requirement "CPUSE communication with Check Point cloud" above, and to sk83520).

    In Gaia Portal In Gaia Clish
    1. Connect to Gaia Portal.

    2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    3. Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
    4. Click on the Add hotfixes from the cloud button:

    5. A pop-up appears:

    6. Contact Check Point Support to get the relevant CPUSE Identifier.

      If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste
      the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:

      Notes:

      • Currently, only the following keys are supported in this field: Left/Right arrow, Delete, Backspace.
      • Downloading the hotfix by its URL is not supported.
      • Packages that are not suitable for this machine, will not be available.

      Example:

      1. Copy the hotfix name from Download Page on Check Point site:
      2. Paste the hotfix name in the pop-up search window:
    7. Click on the magnifying glass icon to start the search:

    8. When the package is found, it will be displayed as a link along with its title and release date.

      Example:

    9. Click on the package to add it to the list of available packages.

      Example:

    10. The package will be added with status Available for Download and the filter will automatically change to show all packages.

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    1. Connect to command line on Gaia machine.

    2. Log in to Clish.

    3. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    4. Import the package from the Check Point Cloud:

      HostName:0> installer import cloud <CPUSE_Identifier>

      Contact Check Point Support to get the relevant CPUSE Identifier.

      Note: Packages that are not suitable for this machine, will not be available.

      If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste
      the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:

      Example:

    5. Show the imported packages:

      HostName:0> show installer packages imported


  • Show / Hide how to configure CPUSE Software Updates Policy

    In Gaia Portal In Gaia Clish

    Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Configuring a CPUSE Policy - WebUI".

    1. Connect to Gaia Portal.

    2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    3. Navigate to:

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
      1. Upgrades (CPUSE) section
      2. Software Updates Policy page

      1. Software Updates section
      2. Policy page

    4. Configure the desired policy:

      Note: After any change in settings, you need to click on "Apply" button.

      • Download Hotfixes

        These settings control how to download CPUSE packages of "Hotfixes" (does not apply to "Minor Versions (HFAs)" / "Major Versions" packages).

        automatic If enabled, CPUSE Agent downloads packages when they become available.
        CPUSE checks for updates:
        • immediately after the Gaia OS boots up
        • each time "Status and Actions" page is accessed in Gaia Portal
        • every time period defined by "Check for updates period" value
        manual If enabled, CPUSE Agent downloads packages only manually
        scheduled If enabled, CPUSE Agent downloads packages only at a scheduled time
      • Send download and installation data of Software Updates to Check Point

        If this box is checked (default), then Gaia OS sends the following statistics to Check Point about each deployment phase:

        • enabled features (based on license "CK")
        • name of the software update
        • whether the download succeeded
        • whether the installation/rollback succeeded
        • whether the uninstall succeeded
        • build of installed CPUSE Agent
        • list of installed hotfixes
        • if an operation on a package failed (e.g., download / installation), then relevant logs and Check Point Registry

        This information is collected to monitor and improve the Software Updates on the Check Point Download Center.

      • Self Tests to perform

        These settings are used for sanity checks after installing a CPUSE package:

        Start Check Point Processes If enabled, CPUSE makes sure that Check Point processes are running
        Install Policy If enabled, CPUSE makes sure that it is possible to install a policy
        Network Link Up If enabled, CPUSE makes sure that all the configured network interfaces on the Gaia machine are up
      • Check for updates period

        Sets the period, in hours, between checks for available packages in the cloud.

        • Default value = 3 hours
        • Valid values = 0 - 240 hours (set 0 to disable these checks)

        Note: The configured period is saved in Gaia Database in seconds.
        Example for value of 2 hours:

        [Expert@HostName:0]# grep check_for_updates_period /config/db/initial
        installer:check_for_updates_period 7200
      • Self test - Auto-rollback upon failure

        This setting is used for sanity check after installing a CPUSE package.
        If this box is checked, then CPUSE runs a fall-back procedure if the installed CPUSE package fails one of the sanity tests enabled in the Self Tests to perform sub-section - CPUSE would automatically restore the version that was active before the CPUSE package was installed and send a notification that the installation failed.
      • Periodically update new Deployment Agent version (recommended)

        • If this box is checked (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").

        • If this box is cleared, then:

          • Important Messages (yellow section at the top) will show "click here" to download the new version.
          • If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
          • The following setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).

    Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Configuring a CPUSE Policy - clish".

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    1. Connect to command line on Gaia machine.

    2. Log in to Clish.

    3. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    4. Set the desired CPUSE (Gaia Software Updates) Agent Policy:

      • HostName:0> set installer policy check-for-updates-period <Time_in_Hours>

        Sets the period, in hours, between checks for available packages in the cloud.

        Note: When updating CPUSE Agent from build 839, it is necessary to restart all Clish daemons for this Clish command to become available (does not apply if updating from older CPUSE builds) - refer to section "(3) Download the latest build of CPUSE Agent and What's New" - Step "(3-C) How to manually install the CPUSE Agent package" - Step 5.

        • Default value = 3 hours
        • Valid values = 0 - 240 hours (set 0 to disable these checks)

        Note: The configured period is saved in Gaia Database in seconds.
        Example for value of 2 hours:

        [Expert@HostName:0]# grep check_for_updates_period /config/db/initial
        installer:check_for_updates_period 7200
      • HostName:0> set installer policy downloads {automatic | manual | scheduled {daily <Time> | monthly <Day> at <Time> | once <date> at <Time> | weekly <Day_of_the_Week> at <Time>}
        Specific commands:
        HostName:0> set installer policy downloads automatic
        HostName:0> set installer policy downloads manual
        HostName:0> set installer policy downloads scheduled daily <Time>
        HostName:0> set installer policy downloads scheduled monthly <Day> at <Time>
        HostName:0> set installer policy downloads scheduled once <date> at <Time>
        HostName:0> set installer policy downloads scheduled weekly <Day_of_the_Week> at <Time>

        These settings control how to download CPUSE packages (applies only to "Hotfixes" packages and to "Minor Versions (HFAs)" packages - and does not apply to "Major Versions" packages):

        automatic If enabled, CPUSE Agent downloads packages when they become available:
        • immediately after the Gaia OS boots up
        • each time "Status and Actions" page is accessed in Gaia Portal
        • every time period defined with "set installer policy check-for-updates-period <Time_in_Hours>" command
        manual If enabled, CPUSE Agent downloads packages only manually
        scheduled If enabled, CPUSE Agent downloads packages only at a scheduled time
      • HostName:0> set installer policy periodically-self-update {on | off}

        Notes:

        • If this setting is enabled (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").

        • If this setting is disabled, then:

          1. If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
          2. The following setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).
      • HostName:0> set installer policy self-test {auto-rollback | install-policy | network-link-up | start-processes} {on | off}

        Specific commands:

        HostName:0> set installer policy self-test auto-rollback {on | off}
        HostName:0> set installer policy self-test install-policy {on | off}
        HostName:0> set installer policy self-test network-link-up {on | off}
        HostName:0> set installer policy self-test start-processes {on | off}

        These settings are used for sanity checks after installing a CPUSE package:

        auto-rollback If enabled, CPUSE runs a fall-back procedure if the installed package fails one of the sanity tests
        (automatically restores the version that was active before the package was installed
        and sends a notification that the installation failed)
        install-policy If enabled, CPUSE makes sure that it is possible to install a policy
        network-link-up If enabled, CPUSE makes sure that all the configured network interfaces on the Gaia machine are up
        start-processes If enabled, CPUSE makes sure that Check Point processes are running
      • HostName:0> set installer policy send-cpuse-data {on | off}

        Note: If setting is enabled (default), then Gaia OS sends the following statistics to Check Point about each deployment phase:

        • enabled features (based on license "CK")
        • name of the software update
        • whether the download succeeded
        • whether the installation/rollback succeeded
        • whether the uninstall succeeded
        • build of installed CPUSE Agent
        • list of installed hotfixes
        • if an operation on a package failed (e.g., download / installation), then relevant logs and Check Point Registry
        This information is collected to monitor and improve the Software Updates on the Check Point Download Center.


  • Show / Hide how to configure CPUSE Software Updates Mail Notifications

    In Gaia Portal In Gaia Clish

    Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Configuring CPUSE Mail Notifications - WebUI".

    1. Connect to Gaia Portal.

    2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    3. Navigate to:

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
      1. Upgrades (CPUSE) section
      2. Click on Software Updates Policy page

      1. Software Updates section
      2. Click on Software Updates Notifications page

    4. Configure the desired Mail Notifications:

      Note: After any change in settings, you need to click on "Apply" button.

      • This setting configures Gaia OS to sent e-mail notifications about Software Updates for following categories:

        • Download Status
        • Install Status
        • New Available Packages
      • If mail server is not configured yet, then:

        1. Click on the relevant link:
          In order to configure a mail server, use the Mail Notification page, found in the advanced view mode.
        2. System Management section - Mail Notification page will open.
          Configure the mail server and the root user for this mail server.
          Click on "Apply" button.
          Example:
        3. Navigate back to:
          • in Gaia R77.20 and above:
            Upgrades (CPUSE) section - Software Updates Policy page - Mail Notifications sub-section
          • in Gaia R77.10 and lower:
            Software Updates section - Software Updates Notifications page
        4. Click on Add button to add a user, to whom e-mail notifications should be sent.
        5. Add the user's e-mail address and select for which categories to send the e-mail notifications - click on "OK" button.
          Example:
        6. By selecting the user's e-mail address in the list, you can see and change on-the-fly the categories, for which the e-mail notifications are sent to this user.

    Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - section "Configuring CPUSE Mail Notifications - clish".

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    1. Connect to command line on Gaia machine.

    2. Log in to Clish.

    3. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    4. Set the desired CPUSE (Gaia Software Updates) Agent Mail Notifications:

      • HostName:0> set installer mail-notifications {<Package_Number> | <e-mail>} {download-status | install-status | new-available-packages} {on | off}
        Specific commands:
        HostName:0> set installer mail-notifications <Package_Number> download-status {on | off}
        HostName:0> set installer mail-notifications <Package_Number> install-status {on | off}
        HostName:0> set installer mail-notifications <Package_Number> new-available-packages {on | off}
        or
        HostName:0> set installer mail-notifications <e-mail> download-status {on | off}
        HostName:0> set installer mail-notifications <e-mail> install-status {on | off}
        HostName:0> set installer mail-notifications <e-mail> new-available-packages {on | off}
        Notes:
        • This setting configures Gaia OS to sent e-mail notifications about Software Updates for following categories:
          1. Download Status
          2. Install Status
          3. New Available Packages
        • If mail server is not configured yet, then configure the mail server and the root user for that mail server:
          HostName:0> set mail-notification server <SERVER_HOST_or_IP_ADDRESS>
          HostName:0> set mail-notification username <ROOT_USER@MAIL_DOMAIN>
          HostName:0> save config
        • Currently, it is not possible to view the e-mail notifications settings in Clish (only to configure).
          To verify the e-mail notifications settings in Expert mode:
          1. Connect to command line on Gaia machine.
          2. Log in to Expert mode.
          3. Check the relevant lines in Gaia configuration database - search for Mail Domain:
            [Expert@HostName:0]# grep "Configured_Mail_Domain" /config/db/initial
            Example for "mail.company.com":
            [Expert@HostName:0]# grep 'company' /config/db/initial
            ssmtp:root root_user@mail.company.com
            ssmtp:mailhub mail.company.com
            installer:mail_notifications:user_3@mail.company.com:d_status true
            installer:mail_notifications:user_3@mail.company.com:available true
            installer:mail_notifications:user_2@mail.company.com 1
            installer:mail_notifications:user_2@mail.company.com:i_status true
            installer:mail_notifications:user_2@mail.company.com:d_status false
            installer:mail_notifications:user_2@mail.company.com:available false
            installer:mail_notifications:user_1@mail.company.com 1
            installer:mail_notifications:user_1@mail.company.com:i_status true
            installer:mail_notifications:user_1@mail.company.com:d_status true
            installer:mail_notifications:user_1@mail.company.com:available true
            [Expert@HostName:0]#
            

            Legend:

            Notification category Attribute in Gaia Database Clarification
            Install Status i_status
            • If the category was enabled, then the corresponding attribute will appear with value true.
            • If the category was never enabled, then the corresponding attribute will not appear at all.
            • If the category was never disabled, then the corresponding attribute will appear with value false.
            Download Status d_status
            New Available Packages available


  • Show / Hide how to download SmartConsole package from Gaia Portal

    Note: SmartConsole package will be available only on machine that is configured as Security Management Server / Multi-Domain Security Management Server, or as a StandAlone (Security Management Server and Security Gateway).

    In Gaia Portal In Gaia Clish
    1. Connect to Gaia Portal.

    2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

    3. Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.

      In Gaia R77.20 and above: In Gaia R77.10 and lower:
    4. Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):

    5. SmartConsole package appears in category "Minor Versions (HFAs)".

    6. Select the SmartConsole package.

    7. Download the SmartConsole package:

      • Either select the package - click on Download button on the toolbar.

        Example:

      • Or right-click on the package and click on Download:

    8. Install the SmartConsole package:

      • Either select the package - click on Install Update button on the toolbar.

        Example:

      • Or right-click on the package - click on Install Update:

    9. The SmartConsole package will be unpacked.

    10. Gaia Portal will offer to download the SmartConsole.exe file.

      Example:

    11. The SmartConsole package can now be downloaded from Gaia Portal in the following places:

      • Go to Overview section - click on Download Now button:

      • Go to Maintenance section - click on Download Smart Console page:

    Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".

    1. Connect to command line on Gaia machine.

    2. Log in to Clish.

    3. Acquire the lock over Gaia configuration database:

      HostName:0> lock database override
    4. Check the available packages:

      HostName:0> show installer packages available-for-download

      Note: SmartConsole package appears in category "HFAs".

      Example:

      HostName:0> show installer packages available-for-download
      **  ************************************************************************* **
      **                                 Hotfixes                                   **
      **  ************************************************************************* **
      ... ... ...
      **  ************************************************************************* **
      **                                   HFAs                                     **
      **  ************************************************************************* **
      Display name                                      Status
      R77 Hotfix for sk95056 (UDP Drops)                Available for Download
      R77 SmartConsole for Windows                      Available for Download
      R77.20 Gaia Software Updates Package for R77      Available for Download
      R77.30 Gaia Software Updates Package for R77      Available for Download
      **  ************************************************************************* **
      **                                  Majors                                    **
      **  ************************************************************************* **
      ... ... ...
      HostName:0>
      

      HostName:0> show installer package[press Space key][press Tab key]
      HostName:0> show installer package <Package_Number>

      Example:

      HostName:0> show installer package 16
      Display name:     R77 SmartConsole for Windows
      Description:       Check Point R77 SmartConsole for Windows:
        1. Download SmartConsole package on the Gaia server. 
        2. Install the package - It will be automatically downloaded
        to your client machine, and will also be available in Overview Download Now.
      Size:             292.51 MB
      Type:             HFA
      Status:           Available for Download
      Requires reboot:  No
      Recommended:      No
      Contains:         None
      Contained-in:     None
      Downloaded on:    N/A
      Imported on:      N/A
      Installed on:     N/A
      Installation log: N/A
      HostName:0>
      
    5. Download the SmartConsole package:

      Note: The download progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) /
      to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page,
      and in the output of Clish command "show installer package <Package_Number>".

      HostName:0> installer download[press Space key][press Tab key]
      HostName:0> installer download <Package_Number>

      Example:

      HostName:0> show installer package 16
      Display name:     R77 SmartConsole for Windows
      Description:       Check Point R77 SmartConsole for Windows:
        1. Download SmartConsole package on the Gaia server. 
        2. Install the package - It will be automatically downloaded
        to your client machine, and will also be available in Overview Download Now.
      Size:             292.51 MB
      Type:             HFA
      Status:           Downloading (18%)
      Requires reboot:  No
      Recommended:      No
      Contains:         None
      Contained-in:     None
      Downloaded on:    N/A
      Imported on:      N/A
      Installed on:     N/A
      Installation log: N/A
      HostName:0>
      
    6. Install the SmartConsole package:

      Note: The installation progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and
      in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.

      HostName:0> installer install[press Space key][press Tab key]
      HostName:0> installer install <Package_Number>

      Example:

      HostName:0> show installer package 16
      Display name:     R77 SmartConsole for Windows
      Description:       Check Point R77 SmartConsole for Windows:
        1. Download SmartConsole package on the Gaia server. 
        2. Install the package - It will be automatically downloaded
        to your client machine, and will also be available in Overview Download Now.
      Size:             292.51 MB
      Type:             HFA
      Status:           Installing (30%)
      Requires reboot:  No
      Recommended:      No
      Contains:         None
      Contained-in:     None
      Downloaded on:    Tue Mar 15 15:15:22 2016
      Imported on:      N/A
      Installed on:     Tue Mar 15 15:27:53 2016
      Installation log: /opt/CPInstLog//install_CPUpdates_R77_SC.log
      HostName:0>
      
    7. The SmartConsole package will be unpacked.

    8. If Gaia Portal is currently opened, then it will offer to download the SmartConsole.exe file.

      Example:

    9. The SmartConsole package can now be downloaded from Gaia Portal in the following places:

      • Go to Overview section - click on Download Now button:

      • Go to Maintenance section - click on Download Smart Console page:



 

(5) Architecture and Design

Show / Hide this section

The CPUSE Agent (Gaia Software Updates Agent) is installed on every Gaia-based machine (R75.40 and above) and it is responsible for all software deployment process on that machine.

Table of Contents for this section:

  1. Relevant Software Updates
  2. CPUSE Agent daemon
  3. Software update installation process
  4. CPUSE verification checks
  5. Suppress Reboot behavior

(5-A) Architecture and Design - Relevant Software Updates

All relevant software updates are uploaded to Check Point Download Center.
CPUSE Agent displays software updates that are relevant only to this specific machine.

Note: For each official release and recommended hotfix, CPUSE Offline package can be downloaded from the relevant solution article.

Software Updates Description
Where / how new
software updates are shown
  • In Gaia Portal

    If new software updates are available, they are shown in Upgrades (CPUSE) section (in Gaia OS R77.20 and above) /
    to Software Updates section (in Gaia OS R75.40 - R77.10) - Status and Actions page with status Available for Download.
  • In Gaia Clish

    If new software updates are available, they are shown in the output of show installer packages available-for-download command.
How new software
updates are installed

Packages are installed based on the CPUSE (Gaia Software Updates) Agent Policy - either manually, on schedule, or automatically.

  • In Gaia Portal, refer to:

    In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
    1. Upgrades (CPUSE) section
    2. Software Updates Policy page
    3. Download Hotfixes sub-section
    1. Software Updates section
    2. Policy page
    3. Download Hotfixes sub-section
  • In Gaia Clish, refer to:

    Output of the show installer policy downloads command.
Where are downloaded
software updates located

All downloaded software updates will be located in $DADIR/repository/tmp/ directory, which actually contains symbolic links to
/var/log/CPda/repository/tmp/ directory, where the downloaded software updates are physically stored:

Example from CPUSE Agent build 747:
HostName:0> show installer available_packages      
List of available packages for download:
[1].    BUNDLE_R75_46   - Check_Point_R75.45_R75.46.tgz (224.50 MB)     - Check_Point_R75.45_R75.46.tgz
HostName:0>

[Expert@HostName:0]# ls -lR $DADIR/repository/
/opt/CPda/repository:
total 0
lrwxrwxrwx 1 admin root 28 Mar  3 14:16 tmp -> /var/log/CPda/repository/tmp
[Expert@HostName:0]#

[Expert@HostName:0]# ls -lL $DADIR/repository/tmp/
total 12
drwx------ 2 admin root 4096 Mar 13 12:52 CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46
drwx------ 2 admin root 4096 Mar  3 13:50 CheckPoint#DeploymentAgent#All#6.0#2#5#B339
drwx------ 2 admin root 4096 Mar  3 13:51 CheckPoint#fw1#All#6.0#2#5#HOTFIX_FOXX_HF_HA40_041
[Expert@HostName:0]#

[Expert@HostName:0]# ls -lR /var/log/CPda/repository/tmp/
/var/log/CPda/repository/:
total 8
drwx------ 2 admin root 4096 Mar 13 12:56 CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46
drwx------ 5 admin root 4096 Mar  3 14:18 tmp

/var/log/CPda/repository/CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46:
total 230120
-rw-rw---- 1 admin root 235401183 Mar 13 12:56 Check_Point_R75.45_R75.46.tgz
-rw-rw---- 1 admin root       250 Mar 13 12:56 description

/var/log/CPda/repository/tmp:
total 12
drwx------ 2 admin root 4096 Mar 13 12:56 CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46
drwx------ 2 admin root 4096 Mar  3 13:50 CheckPoint#DeploymentAgent#All#6.0#2#5#B339
drwx------ 2 admin root 4096 Mar  3 13:51 CheckPoint#fw1#All#6.0#2#5#HOTFIX_FOXX_HF_HA40_041

/var/log/CPda/repository/tmp/CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46:
total 0

/var/log/CPda/repository/tmp/CheckPoint#DeploymentAgent#All#6.0#2#5#B339:
total 0

/var/log/CPda/repository/tmp/CheckPoint#fw1#All#6.0#2#5#HOTFIX_FOXX_HF_HA40_041:
total 0
[Expert@HostName:0]# 

 

(5-B) Architecture and Design - CPUSE Agent daemon

Architecture and Design Description
Main directory /opt/CPda/
(environment variable $DADIR)
Main daemon $DADIR/bin/DAService
Log files
  • /opt/CPInstLog/DeploymentAgent.log

    Notes:

    • Exists in all builds of CPUSE Agent.
    • Contains detailed technical log for administrators and for troubleshooting.
    • This log file is rotated when its size reaches 2 GB.
    • Up to 10 rotated files are kept (DeploymentAgent.log.1, DeploymentAgent.log.2, etc.).
  • /opt/CPInstLog/DA_UI.log

    Notes:

    • Exists in CPUSE Agent builds 710 and above.
    • Contains general messages for users.
    • This log file is not rotated.
    • The last 10 minutes of the this log file are displayed in the "Event Log":
      In "Gaia Portal" - go to "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - click on "Status and Actions" page - scroll to the bottom - click on "Event Log" button.
How to check the current
build of the CPUSE Agent
  • In Gaia Portal

    1. Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and above) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.

      In Gaia OS R77.20 and above: In Gaia OS R77.10 and lower:
    2. Click on the "Hotfixes" link near the version.

      Example:

    3. A pop-up "Hotfixes Information" appears.
      Version (build) of the installed Deployment Agent is displayed at the bottom.

      Example:

  • In Gaia Clish

    1. Connect to command line on Gaia machine.

    2. Log in to Clish.

    3. Run this command:

      HostName:0> show installer status build

      Example output:

      Build number: 974 (agent build is up to date)
  • In Expert mode

    1. Connect to command line on Gaia machine.

    2. Log in to Expert mode.

    3. Run this command:

      [Expert@HostName:0]# cpvinfo $DADIR/bin/DAService | grep -E "Build|Minor"

      Example output:

      Build Number = 974
      Minor Release = knockout_ms1_ga
How to manually start
the CPUSE Agent daemon
  1. Enable monitoring of the CPUSE Agent daemon by Check Point WatchDog:

    [Expert@HostName:0]# $DADIR/bin/dastart

    Which will run the following command:
    $CPDIR/bin/cpwd_admin start -name DASERVICE -path "/opt/CPda/bin/DAService_script" -command "DAService_script"
  2. Manually start the CPUSE Agent daemon:

    • Either in Gaia Clish:

      HostName:0> installer agent start
    • Or in Expert mode:

      [Expert@HostName:0]# DAClient start
How to manually stop
the CPUSE Agent daemon
  1. Disable monitoring of the CPUSE Agent daemon by Check Point WatchDog:

    [Expert@HostName:0]# $DADIR/bin/dastop

    Which will run this command:
    cpwd_admin stop -name DASERVICE
  2. Manually stop the CPUSE Agent daemon:

    • Either in Gaia Clish:

      HostName:0> installer agent stop
    • Or in Expert mode:

      [Expert@HostName:0]# DAClient stop

 

(5-C) Architecture and Design - Software update installation process

When started, installation process is automatic and does not require any interaction from the user.

Which package is installed Installation process
Hotfix, or Minor Version
  1. Pre-install validation (installation type (GW/MGMT), package validation, disk space, CRs conflicts, version compatibility).
    For details about verification checks run by CPUSE, refer to sub-section (5-D) CPUSE verification checks.
  2. Unpack the new CPUSE package.
  3. Backup the current CPUSE package.
  4. Stop Check Point services ('cpstop').
  5. Prepare diff-files (what exactly should be replaced).
  6. Replace target files. Rollback, if installation fails.
  7. Register the installed package in Check Point Registry.
  8. Reboot (automatically) / Start Check Point services ('cpstart').
  9. Self-test.
  10. Rollback (uninstall), if self-test failed (only if this option is enabled in the CPUSE policy).
Major Version (Upgrade)
  1. Pre-install validation (installation type (GW/MGMT), package validation, disk space, CRs conflicts, version compatibility,
    machine type (Check Point Appliance/Open Server), upgrade path).
    For details about CPUSE verification checks, refer to sub-section (5-D) CPUSE verification checks.
  2. Create new disk partition.
  3. Install new version files onto the new disk partition.
  4. Configure new version, migrate the relevant configuration
    (Database on Management Server, SIC, Licenses,
    FireWall / VPN / SecureXL / CoreXL / Hardware configuration on Security Gateway).
  5. Setup products on the new disk partition.
  6. Reboot the machine from the new partition.
  7. Import database (on Management Server), last products configurations, fetch policy (on Security Gateway).
  8. Run post-install self-tests (as configured before the installation).

 

(5-D) Architecture and Design - CPUSE verification checks

  • Pre-Install verifications:

    As part of the "Verify" actions, or at the start of every installation, CPUSE Agent runs several tests to make sure the package is compatible for the installation:

    1. Available disk space
    2. Content validation (conflicts with installed content)
    3. Package is not corrupted

    On Security Management Server / Multi-Domain Security Management Server, at the beginning of an upgrade, CPUSE Agent automatically runs the Pre-Upgrade Verifier - a validation tool, similar to the pre-upgrade verifier that runs as a part of the Management Server migration process.

    In case of an error in one of the verification tests, the administrator is required to first follow the instructions and resolve the issue, and only then to start the upgrade again.

  • Post-Install self-tests:

    CPUSE Agent has a self-test feature that runs after installation and checks whether the installation has succeeded - and its purpose is to validate that the Gaia OS machine is up and running.

    Three checks can be configured to run:

    1. Check Point daemons that were up and running prior to installation, are up and running post installation (enabled by default)
    2. Local policy-fetch works (disabled by default)
    3. Network links that were up prior to installation, are up post installation (disabled by default)

    Administrator can enable the option to automatically roll back the installation in case of a self-test failure.
    This option is disabled by default.
    Therefore, by default, there is no roll back during a self-test failure.

    The self-test configuration is controlled:

    • In Gaia Portal, navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Policy.
    • In Gaia Clish, refer to set installer policy ... commands

    Please note the self-test failure condition is different from a regular installation failure - during a regular installation failure, there is an automatic roll back and the machine returns to a point before the installation started.

  • All CPUSE packages are signed by Check Point using an SHA-256 digital signature since April 2015.
    Until then, CPUSE packages were signed by MD5 and SHA-1 digital signature.

    Note: If CPUSE is served from an on-premises Private ThreatCloud, then all CPUSE packages are signed at the source (i.e., by Check Point) using an ECDSA P-521/SHA-512 digital signature.

  • CPUSE Agent performs SHA-256 signature verification and MD5 integrity verification of the downloaded files.
    If the either verification fails, the download is considered as failed.

 

(5-E) Architecture and Design - Suppress Reboot behavior

At the beginning of every installation / uninstall of a Hotfix or Minor Version, CPUSE Agent asks the user whether to perform a reboot automatically when install / uninstall completes. The purpose of the suppress reboot functionality is to allow the administrator to perform post-install / post-uninstall actions (that also require reboot) and thus reduce the number of reboots.

If administrator chooses to suppress the automatic reboot, then the CPUSE Agent will not reboot the machine automatically. However, some of the Gaia OS functionality will be blocked:

  • After installation of a Hotfix:

    • No additional actions are allowed for the installed package (except exporting the package and deleting the package from disk)
    • All actions on other packages are allowed
  • After installation / uninstall of a Minor Version:

    • All actions on all packages are blocked (except exporting the package and deleting the package from disk)
    • "All actions are disabled until you perform a reboot" static message is displayed in Gaia Portal
    • "Operation canceled, All actions currently disabled - pending machine reboot" is returned when running any Clish command (except for "show" commands)

Important Note: During the installation / uninstall of a package, all Check Point services are stopped (cpstop). Therefore, it is strongly recommended to complete all the necessary maintenance operations and reboot the machine as soon as possible, to restore the normal operation of Check Point software. For example, if this machine is a Security Gateway, then while Check Point services are stopped, it remains in an unsecured state.

 

Show / Hide this section

# Category Related solutions
1 Connectivity to
Check Point servers
2 Update of CPUSE Agent
3 Installation / uninstall
of CPUSE packages
4 Installation / uninstall of
Jumbo Hotfix Accumulators
5 CPUSE Agent does
not work correctly
6 Additional articles

 

(7) Information about older CPUSE builds

Show this section
  • Show / Hide information about Gaia Software Updates Agent versions from 1127 to 1272

    • Available options in Gaia Portal

      • Import Package

        On the toolbar, click on the More button and click on Import Package.

        Important Note: This option was moved from the More button to the main page (upper right corner) starting in CPUSE Agent Build 1272.



  • Show / Hide information about Gaia Software Updates Agent versions from 747 to 1127

    • Available options in Gaia Portal

      • Legacy Upgrade to the next Major Version

        Important Note: This option was removed from Gaia Portal starting in CPUSE Agent Build 1127.

        Note: This option is used only to upgrade to Major releases R75.40VS / R76 GA / R77.X (refer to the upgrade map) using the Legacy CLI upgrade package.

        1. Download the Legacy CLI upgrade Gaia OS package of the supported Major release (R75.40VS / R76 / R77 / R77.10 / R77.20 / R77.30).

        2. Connect to Gaia Portal.

        3. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):

        4. Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.

          In Gaia R77.20 and above: In Gaia R77.10 and lower:
        5. Click on the "Legacy Upgrade" button, upload the upgrade package to Gaia OS, and click on "Upgrade" button:

        6. Upload the Legacy CLI upgrade package.

        7. Click on Upgrade button.

        8. Machine is rebooted automatically.



  • Show / Hide information about Gaia Software Updates Agent versions from 802 to 840

    • Available options in Gaia Portal

      Refer to section "(4) How to work with CPUSE" - refer to instructions for Gaia Portal.

    • Available Clish commands

      1. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override

      2. Show the Gaia Software Updates Agent Policy, Status and Packages:

        Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - "Reviewing CPUSE ? clish".

        HostName:0> show installer
        mail-notifications - Show mail notifications for user
        package            - Show information about a specific package
        packages           - Show packages information
        policy             - Show policies configurations
        status             - Show status
        HostName:0>
        

        where full syntax is:

        • HostName:0> show installer mail-notifications {<Package_Number> | <email>}
        • HostName:0> show installer package <Package_Number>
        • HostName:0> show installer packages {all | available-for-download | downloaded | imported | installed | recommended}
        • HostName:0> show installer policy {all | downloads | periodically-self-update | self-test {all | auto-rollback | install-policy | network-link-up | start-processes} | send-cpuse-data}
        • HostName:0> show installer status {agent | all | build | connection | license | update-from-cloud}
      3. Set the Gaia Software Updates Agent Policy:

        Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - "Configuring a CPUSE Policy - clish", and "Configuring CPUSE Mail Notifications - clish".

        HostName:0> set installer
        mail-notifications - Set mail notifications policy
        policy             - Set policies
        HostName:0>
        

        where full syntax is:

        • HostName:0> set installer mail-notifications {<Package_Number> | <email>} {download-status | install-status | new-available-packages} {on | off}
        • HostName:0> set installer policy downloads {automatic | manual | scheduled {daily <Time> | monthly <Day> at <Time> | once <date> at <Time> | weekly <Day_of_the_Week> at <Time>}
        • HostName:0> set installer policy periodically-self-update {on | off}
        • HostName:0> set installer policy self-test {auto-rollback | install-policy | network-link-up | start-processes} {on | off}
        • HostName:0> set installer policy send-cpuse-data {on | off}
      4. Start/Stop the relevant action:

        Refer to R77 Versions Gaia Administration Guide - chapter "CPUSE" - "Downloading and Installing with CPUSE - clish".

        HostName:0> installer 
        agent                - Perform Deployment agent actions
        check-for-updates    - Check for new available packages in Check Point cloud
        delete               - Delete package
        download             - Download package
        download-and-install - Download and install package
        import               - Import package
        install              - Install package
        uninstall            - Uninstall package
        upgrade              - Upgrade to a new major version
        verify               - Verify if package is compatible with this machine
        HostName:0>
        

        where full syntax is:

        • HostName:0> installer agent {start | stop | update [not-interactive]}
        • HostName:0> installer check-for-updates [not-interactive]
        • HostName:0> installer delete {<Package_Number> | <Package_Name>} [not-interactive]
        • HostName:0> installer download {<Package_Number> | <Package_Name>} [pause | resume | not-interactive]
        • HostName:0> installer download-and-install {<Package_Number> | <Package_Name>} [not-interactive]
        • HostName:0> installer import {cloud <CPUSE_Identifier> | ftp <IPv4_Address> path <Path> username <Username> [password <Password>] | local <Full_Path>} [not-interactive]
        • HostName:0> installer install {<Package_Number> | <Package_Name>} [not-interactive]
        • HostName:0> installer uninstall {<Package_Number> | <Package_Name>} [not-interactive]
        • HostName:0> installer upgrade {<Package_Number> | <Package_Name>} [not-interactive]
        • HostName:0> installer verify {<Package_Number> | <Package_Name>} [not-interactive]}

        Note: The progress (in per cent) of the download/install/uninstall actions is displayed in both Clish and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.


  • Show / Hide information about Gaia Software Updates Agent versions from 710 to 747

    • Available options in Gaia Portal

      Refer to section "(4) How to work with CPUSE" - refer to instructions for Gaia Portal.

    • Available Clish commands

      1. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override

      2. Set the Gaia Software Updates Agent Policy:
        HostName:0> set installer
        deployment-mail-notification - Set the installer mail notifications
        download_mode                - Set the installer download mode to automatic, manual or schedule
        install_mode                 - Set the installer install mode to automatic, manual or schedule
        HostName:0>
        

        Notes:

        • The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
        • The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
      3. Start/Stop the relevant action:

        HostName:0> installer 
        download       - Download a selected package
        install        - Install a selected package
        restore_policy - Restore the default update policy
        start          - Start the installer service
        stop           - Stop the installer service
        uninstall      - Uninstall a selected package
        upgrade        - Upgrade a selected package
        HostName:0>
        

        Note: The progress (in per cent) of the download/install/uninstall actions is displayed in both Clish and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.

      4. To see software updates in Clish:

        HostName:0> show installer 
        available_local_packages - Show available packages for install
        available_packages       - Show available packages for download
        installed_packages       - Show the installed packages on this machine
        package_status           - Show the packages status
        HostName:0>
        

        Notes:

        • "show installer available_packages" command reads the information about the packages that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:

          HostName:0> show installer available_packages 
          Num File Name                                             Type
          1   Check_Point_R77_10_R77_20_T124.tgz                    Wrapper
          2   Check_Point_R75.46_Fresh_Install.tgz                  Major Version
          3   Check_Point_R75_40VS_T157.tgz                         Major Version
          4   Check_Point_R77.10_Install_and_Upgrade.tgz            Major Version
          5   Check_Point_R76_T265.tgz                              Major Version
          HostName:0>
          
        • "show installer available_local_packages" command reads the information about the packages that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:

          HostName:0> show installer available_local_packages 
          Num File Name                                             Type
          1   Check_Point_Hotfix_R77_10_sk102673.tgz                Hotfix
          HostName:0>
          
        • "show installer installed_packages" command reads the information about the packages that were installed from the $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:

          HostName:0> show installer installed_packages
          Num File Name                                             Type
          1   Check_Point_SmartConsole_R75.47.tgz                   Wrapper
          2   Check_Point_Hotfix_R75.47_sk101186.tgz                Hotfix
          HostName:0>
          
        • "show installer package_status" command reads the information about the status of packages from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:

          HostName:0> show installer package_status
          Num File Name                              Status                       Progress
          1   Check_Point_SmartConsole_R75.47.tgz    Installed
          2   Check_Point_R75.46_Fresh_Install.tg... Available for Download
          3   Check_Point_R76_T265.tgz               Available for Download
          4   Check_Point_R77.20_T124_Install_and... Partially Downloaded         (5%)
          5   Check_Point_R77.10_Install_and_Upgr... Available for Download
          6   Check_Point_Hotfix_R75_47_sk102673.... Available for Install
          7   Check_Point_R77.tgz                    Available for Download
          8   Check_Point_R75_40VS_T157.tgz          Available for Download
          9   Check_Point_Hotfix_R75.47_sk101186.... Installed
          10  Check_Point_Hotfix_R75.47_sk100195.... Unknown
          11  Check_Point_Hotfix_R75.47_sk100431.... Unknown
          12  Check_Point_R75.47_OSPF_Hotfix_sk94... Available for Download
          HostName:0>
          
        • Information about the packages that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
      5. To download a software update in Clish:

        Example:

        HostName:0> installer download 
        Num File Name                                             Type
        1   Check_Point_R75.46_Fresh_Install.tgz                  Major Version
        2   Check_Point_R76_T265.tgz                              Major Version
        3   Check_Point_R77.20_T124_Install_and_Upgrade.tgz       Major Version
        4   Check_Point_R77.10_Install_and_Upgrade_R75.4X.tgz     Major Version
        5   Check_Point_R77.tgz                                   Major Version
        6   Check_Point_R75_40VS_T157.tgz                         Major Version
        7   Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz            Hotfix
        HostName:0>
        HostName:0> installer download 7
        Initiating download of Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz...
        HostName:0> 
        HostName:0> show installer package_status
        .............
        12  Check_Point_R75.47_OSPF_Hotfix_sk94... Downloading                  (6%)
        ............. 
        HostName:0>
        
      6. To install a software update in Clish:

        Important Note: Requirements for free disk space exist.

        Example:

        HostName:0> installer install 
        Num File Name                                             Type
        1   Check_Point_Hotfix_R75_47_sk102673.tgz                Hotfix
        2   Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz            Hotfix
        HostName:0>
        HostName:0> installer install 2
        Initiating install of package 1: Check_Point_R77_hotfix_sk95245.tgz
        HostName:0> 
        HostName:0> show installer package_status
        .............
        Initiating install of Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz...
        ............. 
        HostName:0>
        HostName:0> show installer package_status
        .............
        12  Check_Point_R75.47_OSPF_Hotfix_sk94... Installing                   (30%)
        ............. 
        HostName:0>
        
      7. To upgrade a software update in Clish:

        Important Note: Requirements for free disk space exist.

        Example:

        HostName:0> installer upgrade 
        Num File Name                                             Type
        1   Check_Point_R75.46_Fresh_Install.tgz                  Major Version
        HostName:0>
        HostName:0> installer upgrade 1
        Initiating upgrade of package 1: Check_Point_R75.46_Fresh_Install.tgz
        HostName:0>
        


  • Show / Hide information about Gaia Software Updates Agent versions from 502 to 615

    • Available options in Gaia Portal

      Tab Options
      Updates
      • On this tab, user will see the available / manually uploaded hotfix packages.

      • When a software update is "Available for Download", click on "Download" button.

      • When a software update is "Available for Install", user can verify whether there are any warnings about this update and whether this update can be installed without conflicts.
        Click on "Actions" button and then click on "Verifier" button (formerly known as "Check Install") - a pop-up will appear with "Verifier results".
        If there are no warnings/conflicts, then click on "Install Update" button.

      • After a software update is installed, user can see the installation log by clicking on the 'scroll' icon in the "Logs" column.
        A new window will open. Information can be selected and copied from this window.

      • If a software update was installed and has to be uninstalled, click on "Uninstall" button.

      • A software update that was already downloaded / installed, can be exported from this Gaia machine for backup purposes,
        or to transfer it to another Gaia machine (for example, if another Gaia machine is disconnected from the Internet):

        1. Select the update.
        2. Click on "Actions" button - click on "Export" button.
        3. The update will be saved as TAR file on your computer.
      • A software update can be manually imported to this Gaia machine (for example, if this machine is disconnected from the Internet).

        Important Note: Requirements for free disk space exist.

        This feature (importing a package) supports only the following types of packages:

        1. Packages that were specifically created to be installed using Gaia Software Updates.

          1. Contact Check Point Support to get the required Gaia Software Updates package for Offline installation.
          2. Connect to the Gaia Portal on your machine.
          3. Obtain the lock over the configuration database (click on the lock icon at the top - near "Sign Out").
          4. Navigate to "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" pane.
          5. Click on "Actions" button - click on "Import" button.
          6. Browse for the TGZ file that was provided by Check Point Support - click on "Upload".
          7. Install the uploaded package either in Gaia Portal, or in Clish - see the relevant instructions above.
        2. Packages that were exported from another Gaia machine using Gaia Software Updates.

          1. Export the relevant update package (that was already downloaded / installed) from a source Gaia machine (that is connected to the Internet) to your computer.
          2. If needed, transfer this file to an external storage device.
          3. Open the Gaia Portal of the target Gaia machine (on which this update package should be imported).
          4. Go to "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates"section - "Status and Actions" page.
          5. Click on "Actions" button - click on "Import" button.
          6. Browse for the TAR file that was exported from a source Gaia machine - click on "Upload".

        Note: If the following error is displayed, then incorrect package was uploaded (contact Check Point Support for assistance):

        Cannot import package.
        It is not a valid exported "Gaia Software Updates" package.

      • Customized packages / images that were created by Check Point for specific customer are added in the following way:

        1. Click on "Actions" button - click on "Add Private Hotfix" button.
        2. In the "Add Private Package" window, paste the special link to the customized package / image (sent to you by Check Point) - click on "Add" button.
        3. Monitor the progress in the "Important Messages" section at the bottom (scroll down).
        4. The customized package / image will appear in the list of available packages with status "Available for Download".
        5. Proceed as with regular hotfix package / image.
      • User can monitor the general progress in the "Important Messages" section at the bottom (scroll down).
        For complete log, click on "History" button. Information can be selected and copied from these windows.

        Note:
        • In the "Important Messages" section, the messages appear from bottom-to-top (most recent log is at the top).
        • In the "Important Messages Log" ('History') window, the messages appear from top-to-bottom (most recent log is at the bottom).
      Full Images
      • On this tab, user will see the available / manually uploaded upgrade packages and fresh install images.

      • When an image is "Available for Download", click on "Download" button.

      • When an image is "Available for Install", user can verify whether there are any warnings about this image and whether this image can be installed without conflicts.
        Click on "Actions" button and then click on "Verifier" button (formerly known as "Check Install") - a pop-up will appear with "Verifier results".
        If there are no warnings/conflicts, then click on "Install Update" button.



      • If an image is already installed, you can click on "Reinstall" button.

      • If an upgrade image was installed and has to be uninstalled, click on "Uninstall" button.
        Important Note: There is no uninstall option for fresh install images.

      • An image that was already downloaded / installed, can be exported from this Gaia machine for backup purposes,
        or to transfer it to another Gaia machine (for example, if that machine is disconnected from the Internet):

        1. Select the update.
        2. Click on "Actions" button - click on "Export" button.
        3. The update will be saved as TAR file on your computer.
        4. You can store this TAR file for backup purposes, or transfer it to another Gaia machine.
      • An image can be manually imported to this Gaia machine (for example, if this machine is disconnected from the Internet).

        Important Note: Requirements for free disk space exist.

        This feature (importing an image) supports only images that were exported from another Gaia machine using Gaia Software Updates:

        1. Export the relevant image from a source Gaia machine to your computer.
        2. If needed, transfer this file to an external storage device.
        3. Open the Gaia Portal of the target Gaia machine (on which this image should be imported).
        4. Go to "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" page.
        5. Click on "Actions" button - click on "Import" button.
        6. Browse for the TAR file that was exported from a source Gaia machine - click on "Upload".
          Note:
          Gaia Portal will only accept a TAR file that was exported from another Gaia machine (it contains the image TGZ file and special metadata TGZ file).
          Otherwise, the following error will be displayed:
          Cannot import package.
          It is not a valid exported "Gaia Software Updates" package.
      • User can monitor the general progress in the "Important Messages" section at the bottom (scroll down).

        For complete log, click on "History" button. Information can be selected and copied from these windows.
        Note:
        • In the "Important Messages" section, the messages appear from bottom-to-top (most recent log is at the top).
        • In the "Important Messages Log" ('History') window, the messages appear from top-to-bottom (most recent log is at the bottom).
    • Available Clish commands

      1. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override

      2. Set the Gaia Software Updates Agent Policy:
        HostName:0> set installer
        deployment-mail-notification - Set the installer mail notifications
        download_mode                - Set the installer download mode to automatic, manual or schedule
        install_mode                 - Set the installer install mode to automatic, manual or schedule
        HostName:0>
        

        Notes:

        • The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
        • The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
        • For more information about "deployment-mail-notification", refer to "Configuring e-mail notifications in Clish" section.
      3. Start/Stop the relevant action:

        HostName:0> installer 
        download       - Download a selected package
        install        - Install a selected package
        restore_policy - Restore the default update policy
        start          - Start the installer service
        stop           - Stop the installer service
        uninstall      - Uninstall a selected package
        upgrade        - Upgrade a selected package
        HostName:0>
        

        Note: The progress (in per cent) of the download/install/uninstall actions is displayed in both Clish and in "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" page.

      4. To see software updates in Clish:
        HostName:0> show installer 
        available_local_packages - Show available packages for install
        available_packages       - Show available packages for download
        installed_packages       - Show the installed packages on this machine
        package_status           - Show the packages status
        HostName:0>
        

        Notes:

        • "show installer available_packages" command reads the information about the packages that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer available_packages
          List of available packages for download:
          [1]. R75.46 - Check_Point_R75.46_Fresh_Install.tgz (1.48 GB) - <b>R75.46 is a maintenance release for R75.40 and R75.45 with important Check Point product updates.<br>For more about this release, see the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90960" target="_blank">R75.46 home page</a>.</b>
          [2]. R77_SC - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz
          HostName:0>
        • "show installer available_local_packages" command reads the information about the packages that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer available_local_packages
          List of available packages for install:
          [1]. HOTFIX_GULLI_UDP_FIX - Check_Point_R77_UDP_Hotfix_sk95056.tgz (206.90 KB) - Check_Point_R77_UDP_Hotfix_sk95056.tgz
          [2]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.
          For more about this release - <a& href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b>
          [3]. HOTFIX_GULLI_HF1 - Check_Point_R77_hotfix_sk95245.tgz (2.99 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
          [4]. BUNDLE_DUMMY - Check_Point_Hotfix_Bundle.tgz (206.90 KB) - Check_Point_Hotfix_Bundle.tgz
          [5]. HOTFIX_GULLI_HF2 - Check_Point_hotfix_R77_sk96269.tgz (2.97 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
          HostName:0>
        • "show installer installed_packages" command reads the information about the packages that were installed from the $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer installed_packages
          List of installed packages:
          [1]   Check_Point_R77_Hotfix_sk96124.tgz      -   FW1                  - HOTFIX_GULLI_HF2_CPAS
          [2]   flow_cmp_HOTFIX_GULLI_FLOW_CMP_003_GA.tgz-   R7520CMP             - HOTFIX_GULLI_FLOW_CMP_003
          [3]   fiber_cmp_HOTFIX_GULLI_FIBER_CMP_004_GA.tgz-   R7540CMP             - HOTFIX_GULLI_FIBER_CMP_004
          [4]   giza_cmp_HOTFIX_GULLI_GIZA_CMP_005_GA.tgz-   R7540VSCMP           - HOTFIX_GULLI_GIZA_CMP_005
          [5]   fox_cmp_HOTFIX_GULLI_FOX_CMP_007_GA.tgz -   R75CMP               - HOTFIX_GULLI_FOX_CMP_007
          [6]   enf_cmp_HOTFIX_GULLI_ENF_CMP_032_GA.tgz -   NGXCMP               - HOTFIX_GULLI_ENF_CMP_032
          [7]   fl_cmp_HOTFIX_GULLI_FL_CMP_006_GA.tgz   -   FLICMP               - HOTFIX_GULLI_FL_CMP_006
          [8]   Check_Point_R77_UDP_Hotfix_sk95056.tgz  -   CPUpdates            - HOTFIX_GULLI_UDP_FIX
          HostName:0>
          
        • "show installer package_status" command reads the information about the status of packages from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer package_status
          Check_Point_Hotfix_Bundle.tgz                 - Downloading               - Progress: 0%
          Check_Point_R75.46_Fresh_Install.tgz          - Available for download
          Check_Point_R77.tgz                           - Installed
          Check_Point_R77_Hotfix_sk96124.tgz            - Installed
          Check_Point_R77_UDP_Hotfix_sk95056.tgz        - Installed
          Check_Point_R77_hotfix_sk95245.tgz            - Pre-install validation failed (CRs validation error).
          Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz - Downloading (2.95 MB/s)   - Progress: 6%
          Check_Point_hotfix_R77_sk96269.tgz            - Installing                - Progress: 0%
          HostName:0>
          
        • Information about the packages that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
      5. To download a software update in Clish:

        Example:
        HostName:0> installer download
        List of available packages for download:
        [1]. R75.46 - Check_Point_R75.46_Fresh_Install.tgz (1.48 GB) - <b>R75.46 is a maintenance release for R75.40 and R75.45 with important Check Point product updates.<br>For more about this release, see the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90960" target="_blank">R75.46 home page</a>.</b>
        [2]. R77_SC - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz
        HostName:0>
        HostName:0> installer download 2
        Initiating download of package 2: Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB)
        HostName:0>
        HostName:0> show installer package_status
        .............
        Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz - Downloading (2.95 MB/s) - Progress: 6%
        .............
        HostName:0>
      6. To install a software update in Clish:

        Important Note: Requirements for disk space exist - refer to "System requirements and limitations" section.

        Example:
        HostName:0> installer install
        List of available packages for install:
        [1]. HOTFIX_GULLI_HF1 - Check_Point_R77_hotfix_sk95245.tgz (2.99 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
        [2]. BUNDLE_R77_10 - Check_Point_R77.10_EA_T72_4SEs.tgz (202.19 MB) - Check_Point_R77.10_EA_T72_4SEs.tgz
        [3]. HOTFIX_GULLI_HF2 - Check_Point_hotfix_R77_sk96269.tgz (2.97 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
        [4]. HOTFIX_GULLI_UDP_FIX - Check_Point_R77_UDP_Hotfix_sk95056.tgz (206.90 KB) - Check_Point_R77_UDP_Hotfix_sk95056.tgz
        [5]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.<br> For more about this release - <a href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b>
        HostName:0>
        HostName:0> installer install 1
        Initiating install of package 1: Check_Point_R77_hotfix_sk95245.tgz
        HostName:0>
        HostName:0> show installer package_status
        .............
        Check_Point_R77_hotfix_sk95245.tgz - Installing - Progress: 3%
        .............
        HostName:0>
      7. To upgrade a software update in Clish:

        Important Note: Requirements for disk space exist - refer to "System requirements and limitations" section.

        Example:
        HostName:0> installer upgrade
        List of available packages for upgrade:
        [1]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.<br> For more about this release - <a href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b>
        HostName:0>
        HostName:0> installer upgrade 1
        Initiating upgrade of package 1: Check_Point_R77.tgz
        HostName:0>


  • Show / Hide information about Gaia Software Updates Agent versions lower than 502

    • Available options in Gaia Portal

      • When a software update is "Available for Download", click on "Download" button.

      • When a software update is "Available for Install", click on "Check Install" button to check whether this software update can be installed without conflict. If there are no warnings/conflicts, then click on "Install" button.

      • If a software update was installed and has to be uninstalled, click on "Uninstall" button.

    • Available Clish commands

      1. Acquire the lock over Gaia configuration database:

        HostName:0> lock database override

      2. Set the Gaia Software Updates Agent Policy:
        HostName:0> set installer
        deployment-mail-notification - Set the installer mail notifications
        download_mode                - Set the installer download mode to automatic, manual or schedule
        install_mode                 - Set the installer install mode to automatic, manual or schedule
        HostName:0>
        

        Notes:

        • The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
        • The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
      3. Start/Stop the relevant action:

        HostName:0> installer 
        download       - Download a selected package
        install        - Install a selected package
        restore_policy - Restore the default update policy
        start          - Start the installer service
        stop           - Stop the installer service
        uninstall      - Uninstall a selected package
        HostName:0>
        

        Note: The progress (in per cent) of the download/install/uninstall actions is displayed only in "Gaia Portal" - "Software Updates" - "Status and Actions".

      4. To see software updates in Clish:
        HostName:0> show installer 
        available_local_packages - Show available packages for install
        available_packages       - Show available packages for download
        installed_packages       - Show the installed packages on this machine
        package_status           - Show the packages status
        HostName:0>
        

        Notes:

        • "show installer available_packages" command reads the information about the files that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer available_packages 
          List of available packages for download:
          [1].    R75.40  - R75.40_2.tgz (804.64 MB)      - R75.40
          [2].    R77  - R77.tgz (1.10 GB)  - R77 Take 34
          [3].    R76_GA  - R76_GA.tgz (1.06 GB)  - R76
          HostName:0>
          
        • "show installer available_local_packages" command reads the information about the files that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer available_local_packages
          List of available packages for install:
          [1]. software update_GIZMO_PING_DUMMY_002 - Check_Point_GIZMO_DUMMY_002_Bundle.tgz (31.38 KB) - Check_Point_GIZMO_DUMMY_002_Bundle.tgz
          HostName:0>
        • "show installer package_status" command reads the information about the status of software updates from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).

          Example:
          HostName:0> show installer package_status
          Check_Point_GIZMO_DUMMY_002_Bundle.tgz  - Available for install
          R77.tgz         - Available for download
          R75.40_2.tgz    - Available for download
          R76_GA.tgz      - Available for download
          HostName:0>
          
        • Information about the files that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
      5. To download a software update in Clish:

        Example:
        HostName:0> installer download 
        List of available packages for download:
        [1].    R75.40  - R75.40_2.tgz (804.64 MB)      - R75.40
        [2].    R77  - R77.tgz (1.10 GB)  - R77 Take 34
        [3].    R76_GA  - R76_GA.tgz (1.06 GB)  - R76
        HostName:0>
        HostName:0> installer download 2
        Initiating download of package 2: R77.tgz (1.10 GB)
        HostName:0> 
        
        HostName:0> show installer package_status 
        Check_Point_GIZMO_DUMMY_002_Bundle.tgz  - Available for install
        R77.tgz         - Downloading
        R75.40_2.tgz    - Available for download
        R76_GA.tgz      - Available for download
        HostName:0>
        

 

 

(9) Revision history

Show / Hide this section

Date Description
10 Oct 2017
  • Corrected the import instructions in Gaia Portal - correct the name of the button from "Upload" to "Import".
08 Oct 2017
  • Renamed the "Latest build of CPUSE and What's New" section to the "Download the latest build of CPUSE Agent and What's New".
24 Sep 2017
  • "Latest build of CPUSE and What's New" section - "(3-D) History of older CPUSE Agent builds" subsection -
    updated the text to show that build 1130 is integrated into R80 GA version.
27 Aug 2017
  • "Latest build of CPUSE and What's New" section - added new build 1298.
23 Aug 2017
  • "Troubleshooting and Related solutions" section - added sk104479.
17 Aug 2017
  • "Troubleshooting and Related solutions" section - added sk119993.
16 Aug 2017
  • "Troubleshooting and Related solutions" section - added sk119954.
24 July 2017
  • "Latest build of CPUSE and What's New" section - added a note that restarting the ConfD daemon should be performed during a maintenance window.
06 July 2017
  • "System requirements and limitations" section - updated a note that on VSX R80.10, any package can be installed using CPUSE.
27 June 2017
  • "Latest build of CPUSE and What's New" section - added new build 1294.
21 June 2017
  • Updated the instructions for importing a package in Gaia Portal (by clicking on the Import Package button on the main page).
  • Added link to R80.10 Gaia Administration Guide.
16 June 2017
  • "Latest build of CPUSE and What's New" section - added new build 1293.
18 May 2017
  • Added R80.10 version to the article.
25 Apr 2017
  • "Latest build of CPUSE and What's New" section - added new build 1283.
04 Apr 2017
  • "Latest build of CPUSE and What's New" section - added new build 1278.
28 Mar 2017
  • Updated the title of this article from "CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)" to "Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent".
  • "Latest build of CPUSE and What's New" section - added the build 1272 back.
20 Mar 2017
  • "Latest build of CPUSE and What's New" section - temporarily reverted from build 1272 to the previous build 1130.
15 Mar 2017
  • Added relevant screenshots for "Verifier" results.
13 Mar 2017
  • "Latest build of CPUSE and What's New" section - added new build 1272.
11 Feb 2017
  • "Troubleshooting and Related solutions" section - added sk114592.
05 Feb 2017
  • "Troubleshooting and Related solutions" section - added sk115719.
15 Jan 2017
  • "Troubleshooting and Related solutions" section - added sk115515.
31 Dec 2016
  • "(4-A) "How to ..." section - improved import instructions for Offline procedure in Gaia Portal.
  • "Troubleshooting and Related solutions" section - added sk111158, sk115243.
19 Nov 2016
  • "(4-A) "How to ..." section - improved notes about VSX mode.
  • "(4-B) "How to ..." section - improved notes about VSX mode.
  • "(4-B) "How to ..." section - "(4-B-b)" subsection - added a list of files that are copied by CPUSE during an upgrade to a Major Version.
14 Nov 2016
  • "(4-C) "How to ..." section - improved notes.
03 Nov 2016
  • "System requirements and limitations" section - added clarifications about the required license and contract.
02 Oct 2016
  • "Latest build of CPUSE and What's New" section - added new build 1130.
21 Sep 2016
21 Aug 2016
  • "Latest build of CPUSE and What's New" section - added new build 1127.
23 June 2016
  • "(4-D) "How to ..." section - improved the description of "installer agent start" command.
21 June 2016
  • "(4-D) "How to ..." section - improved the description of "installer agent <disable|enable>" and "installer agent <stop|start>" commands.
16 June 2016
  • "Latest build of CPUSE and What's New" section - added new build 1005.
17 Apr 2016
  • "System requirements and limitations" section - added a note that on VSX Gateways, CPUSE also supports installation of R77.30 Jumbo Hotfix Accumulator.
14 Apr 2016
  • "Latest build of CPUSE and What's New" section - added new build 994.
10 Apr 2016
  • "Troubleshooting and Related solutions" section - added sk105746.
  • "System requirements and limitations" section - added relevant Domain objects.
09 Apr 2016
  • "Latest build of CPUSE and What's New" section - added a note about manual installation of CPUSE Agent RPM.
31 Mar 2016
  • Improved text readability.
30 Mar 2016
  • "Troubleshooting and Related solutions" section - added sk109359.
27 Mar 2016
  • Article was redesigned and updated.
03 Jan 2015
  • Minor text improvements.
03 Jan 2015
  • "System requirements and limitations" section - updated the information.
20 Nov 2015
  • Add explanation for "DAClient" commands.
20 Sep 2015
  • "System requirements and limitations" section - updated the information.
29 July 2015
  • Corrected Clish syntax for starting and stopping the Gaia Software Updates Agent daemon.
26 July 2015
  • Added Clish syntax for Build 802 and above.
22 July 2015
  • Improvements in HTML design.
  • Added sk106696 to "Related solutions" section.
11 Mar 2015
  • "System requirements and limitations" section - added instructions for allowing CPUSE to work with Check Point cloud.
29 Jan 2015
  • "System requirements and limitations" section - updated the information that option "Automatically download Contracts and other important data (Recommended)" should be enabled in SmartDashboard.
01 Dec 2014
  • Added description for Gaia Software Updates Agent version 627 (just to show where the "DAClient" command was introduced).
22 Oct 2014
  • "System requirements and limitations" section - updated the information that requirements for disk space exist when importing a package / upgrading to a higher Major Version / performing a clean install using CPUSE.
05 Oct 2014
  • Added description for Gaia Software Updates Agent version from 710 to 747.
11 Sep 2014
  • "Overview" - "Description" section - added a note that CPuse mechanism supports deployment of Major Versions (starting from build 502).
19 Aug 2014
  • "Software Updates Notifications" section - updated the information.
  • Updated the notes for "set installer" commands.
24 July 2014
  • Added a note about the "ping" syntax in $DADIR/bin/connection_test.sh script if Gaia machine is disconnected from the Internet.
15 June 2014
  • "Related solutions" section - added this new section.
12 May 2014
  • Updated the information about the "Import" operation in Gaia Portal.
17 Mar 2014
  • Improvements in HTML design.
26 Jan 2014
  • Added notes about importing an image / package.
  • Modified manual installation instructions.
12 Dec 2013
  • Added description for Gaia Software Updates Agent versions from 502 to 615.
03 Mar 2013
  • First release of this document.
Applies To:
  • 01400050
  • This SK replaces sk98228, sk98926

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment