Check Point Update Service Engine (CPUSE), also known as Deployment Agent [DA], is an advanced and intuitive mechanism for software deployment on Gaia OS, which supports deployments of single HotFixes (HF), of HotFix Accumulators (Jumbo), and of Major Versions.
Gaia Software Updates offers a Smart, Fast and Safe deployment solution:
Smart
Discover only the applicable software updates
Reboot only if required
Auto authentication with Download Center
View hierarchy of software updates
E-mail notification for new updates
Fast
Fast download
Fast installation
Short down time
Safe
Upgrade to next Major Version is performed on a new disk partition and preserves Gaia OS configuration
Valid license has to be installed on the target machine.
Valid Software Subscription or Technical Support Contract has to be associated with the license.
The Contract File must be installed on the target machine.
Notes:
There is a 30 days grace period upon first installation/activation of the Deployment Agent, during which no license is needed at all.
Evaluation License is not enough to enable Gaia Software Updates.
A real valid support license is required.
Access to Check Point Download Server is available via subscription only.
An Evaluation License is not sufficient to grant download access from the User Center.
B
Connection to the Internet
Gaia machine should be connected to the Internet:
To perform online self-update of Deployment Agent
To obtain Software Updates from Check Point Cloud
Note: The option "Automatically download Contracts and other important data (Recommended)" should be enabled as described in sk94508 (SmartConsole - "Policy" menu - "Global Properties" - "Security Management Access").
Manual offline installation of CPUSE packages is available if Gaia machine is disconnected from the Internet.
C
CPUSE communication with Check Point cloud
To allow CPUSE to communicate with Check Point cloud, follow the steps below in SmartDashboard.
An explicit firewall rule has to be created in the these scenarios:
#
Scenario description
Which explicit firewall rule to create
Traffic Source
Traffic Destination
Traffic proto / ports
Where to install / apply the explicit rule
1
Check Point Security Gateway running on Gaia OS, which must connect to Check Point cloud.
Implied rule "Accept outgoing packets originating from Gateway" is disabled in Policy menu - Global Properties... - FireWall pane.
Create an explicit firewall rule for this Check Point Security Gateway (see procedure below) to allow the communication between CPUSE on this Check Point Security Gateway and Check Point cloud.
Check Point Security Gateway
Check Point domains
Required HTTP / HTTPS / DNS traffic
Check Point Security Gateway
2
Perimeter Check Point Security Gateway that protects internal Check Point machine running on Gaia OS, which must connect to Check Point cloud.
Create an explicit firewall rule for the Perimeter Check Point Security Gateway (see procedure below) to allow the communication between CPUSE on internal Check Point machine and Check Point cloud.
Internal Check Point machine
Check Point domains
Required HTTP / HTTPS / DNS traffic
Perimeter Check Point Security Gateway
3
Perimeter non-Check Point FireWall that protects Check Point machine running on Gaia OS, which must connect to Check Point cloud.
Create an explicit firewall rule (for reference, see procedure below) for this non-Check Point FireWall to allow the communication between CPUSE on internal Check Point machine and Check Point cloud.
Internal Check Point machine
Check Point domains
Required HTTP / HTTPS / DNS traffic
Perimeter non-Check Point FireWall
Procedure for Check Point Security Gateway:
Note: For non-Check Point FireWall, the equivalent rule must be created. Related solution: sk83520.
Create the these Domain objects for Check Point domains and for Akamai domain (note the dot in the beginning:
.updates.checkpoint.com
.updates.g01.checkpoint.com
.gwevents.checkpoint.com
.gwevents.us.checkpoint.com
.deploy.static.akamaitechnologies.com
Instructions:
Go to the "Manage" menu - click "Network Objects..."
Click the "New..." button - select "Domain..."
In the "Name" field, paste the name of the domain listed above (note the dot in the beginning) and click "OK".
Repeat Steps i-iii for all domains listed above.
Click the "Close" button.
Create this Firewall security rule for the involved Security Gateway (use predefined services):
Important Note: Rules with Domain Objects should be located as low as possible in the rulebase.
For Scenario #1 - Check Point Security Gateway running on Gaia OS (and implied rule "Accept outgoing packets originating from Gateway" is disabled)
SOURCE
DESTINATION
SERVICE
ACTION
INSTALL ON
Check Point Security Gateway
.updates.checkpoint.com
.updates.g01.checkpoint.com
.gwevents.checkpoint.com
.gwevents.us.checkpoint.com
.deploy.static.akamaitechnologies.com
http
https
HTTP_and_HTTPS_proxy
domain-udp
Accept
Check Point Security Gateway
For Scenario #2 - Perimeter Check Point Security Gateway that protects internal Check Point machine
SOURCE
DESTINATION
SERVICE
ACTION
INSTALL ON
Internal Check Point machine
.updates.checkpoint.com
.updates.g01.checkpoint.com
.gwevents.checkpoint.com
.gwevents.us.checkpoint.com
.deploy.static.akamaitechnologies.com
http
https
HTTP_and_HTTPS_proxy
domain-udp
Accept
Perimeter Check Point Security Gateway
Install the policy onto involved Security Gateway.
D
Deployment Agent update to the latest version
On an online Gaia machine (that is connected to the Internet):
Deployment Agent must always be updated to the latest available version before being able to perform any action.
We recommend to leave the default Deployment Agent policy configuration "Periodically update new Deployment Agent version (recommended)".
On an offline Gaia machine (that is disconnected from the Internet), it is strongly recommended to always update the Deployment Agent to the latest available build.
E
Upgrade
Upgrade to a higher Major Version (e.g., from R80.40 to R81.X) using CPUSE will not be available on these machines/appliances:
Open Servers that were upgraded from SecurePlatform OS to Gaia OS
IP Appliances that were upgraded from IPSO OS to Gaia OS
UTM-1 130 and UTM-1 270 appliances (regardless of previous OS)
Major Upgrade using CPUSE on IP Appliances running Gaia OS is supported only in Gaia Clish.
F
Free disk space
To import a CPUSE package, the /var/log/ partition on Gaia OS must have enough free disk space - at least twice the size of the package you want to import.
To see the amount of available disk space in /var/log/ partition, run this command in the Expert mode:
[Expert@Gaia:0]# df -h | grep -E "Avail|/var/log"
Filesystem Size Used Avail Use% Mounted on
11G 286M 9.9G 3% /var/log
[Expert@Gaia]#
To upgrade to a higher Major Version, or to perform Clean Installation using CPUSE, machine must have enough unallocated (unpartitioned) disk space - at least as the size of the root partition.
Run these commands in the Expert mode:
Examine the size of the "root" partition:
[Expert@HostName:0]# df -h | grep -E "Avail|\/$"
Example:
[Expert@Gaia:0]# df -h | grep -E "Avail|\/$"
Filesystem Size Used Avail Use% Mounted on
17G 9.1G 6.6G 59% /
[Expert@Gaia]#
Examine the amount of unallocated (unpartitioned) disk space:
(4-A) How to work with CPUSE - How to download and import a CPUSE package
Show this sub-section
Important Note: After the desired CPUSE package is downloaded / imported, proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The online procedure in Gaia Portal can be used in these cases:
Gaia machine is connected to the Internet (meaning, full access to Check Point Cloud - refer to section "System requirements and limitations" - requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
CPUSE package is available on the Check Point Cloud.
Connect to Gaia Portal and obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section - click the Status and Actions page.
All packages appear in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package - see whether this package can be installed without conflicts:
Either select the package - click the More button on the toolbar - click Verifier:
Or right-click package - click Verifier:
Result of this test should be one of these:
Installation is allowed
Upgrade is allowed
Examples:
For a Hotfix package:
For a Major Version:
Download the package in the applicable category:
Note: The download progress (in per cent) appears in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of the Gaia Clish command "show installer package <Package_Number>".
Category
Instructions
Hotfixes
Option 1 - only download the package:
Select the package.
Download the package:
Either select the package - click the More button on the toolbar, and click Download:
Or right-click the package and click Download:
You can pause the download at any time:
Either select the package and click Pause button on the toolbar:
Or right-click the package and click Pause:
The status of the package will change to "Pausing Download" and then to "Partially Downloaded":
You can resume the download at any time:
Either select the package and click Resume button on the toolbar:
Or right-click the package and click Resume:
The status of the package will change to "Resuming Download" and then to "Downloading":
Option 2 - download and install the package in one step:
Either select the package and click Install Update button on the toolbar:
Or right-click the package and click Install Update:
Major Versions
Select the package.
Download the package:
Either select the package - click the Download button on the toolbar:
Or right-click the package and click Download:
You can pause the download at any time:
Either select the package and click the Pause button on the toolbar:
Or right-click the package and click Pause:
The status of the package will change to "Pausing Download" and then to "Partially Downloaded":
You can resume the download at any time:
Either select the package and click Resume button on the toolbar:
Or right-click the package and click Resume:
The status of the package will change to "Resuming Download" and then to "Downloading":
Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page.
Notes:
Currently, only these keys are supported in this field: Left/Right arrow, Delete, Backspace.
Downloading the hotfix by its URL is not supported.
Packages that are not suitable for this machine, will not be available (e.g., if some Take of a Jumbo Hotfix Accumulator is installed, then Takes lower than the current Take will not be available).
Example:
CPUSE Identifier of a Jumbo Hotfix Accumulator is:
Check_Point_R81_JUMBO_HF_MAIN_Bundle_T36.tgz:
Click the magnifying glass icon to start the search.
Example:
When the package is found, it appears as a link along with its title and release date.
Example:
Click the package to add it to the list of available packages.
Example:
The package will be added with the status Available for Download, and the filter will automatically change to show all packages.
Verify the package - see whether this package can be installed without conflicts:
Either select the package - click the More button on the toolbar - click Verifier:
Or right-click the package - click Verifier:
Result of this test should be one of these:
Installation is allowed
Upgrade is allowed
Download the package - same as (5)
If you only downloaded the package (without installing it), then proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The online procedure in Gaia Clish can be used in these cases:
Gaia machine is connected to the Internet (meaning, full access to Check Point Cloud - refer to section "System requirements and limitations" - requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
CPUSE package is available on the Check Point Cloud.
If this Gaia machine is running in VSX Mode, then refer to section "(2) System requirements and limitations" - subsection "G. VSX Gateways".
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Get the available packages (run the applicable command):
HostName:0> show installer packages recommended
HostName:0> show installer packages available-for-download
HostName:0> show installer package[press Space key][press Tab key]
HostName:0> show installer package <Package_Number>
Download the desired package from the Check Point Cloud:
Note: The download progress (in per cent) appears in the output of the Gaia Clish command "show installer package <Package_Number>", and in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page.
Note: Packages that are not suitable for this machine, will not be available.
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:
Example:
CPUSE Identifier of a Jumbo Hotfix Accumulator is:
Check_Point_R81_JUMBO_HF_1_Bundle_T23.tgz
Show the imported packages:
HostName:0> show installer packages imported
Verify the package - see whether this package can be installed without conflicts:
HostName:0> installer verify[press Space key][press Tab key]
HostName:0> installer verify <Package_Number>
Result of this test should be:
Result: Installation is allowed
Status: Available for Install
Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The offline import procedure in Gaia Portal can be used in these cases:
Gaia machine is disconnected from the Internet (meaning, no access to Check Point Cloud).
CPUSE package is not available on the Check Point Cloud.
Although Gaia machine is connected to the Internet, administrator wishes to manually import a CPUSE package instead of downloading it from Check Point Cloud.
Gaia machine is not running in VSX Mode (in which case, Gaia Portal is not available).
Notes:
Starting from R81, the installed offline packages must be *.tar files.
Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to section "(4) How to work with CPUSE" - "(D) Additional information about Gaia Clish commands and Gaia Portal actions for CPUSE" - "Show / Hide how to export a CPUSE package in Gaia Portal".
Requirements for free disk space exist.
For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Import procedure for Offline CPUSE package / Exported CPUSE package:
Make sure you have the applicable CPUSE offline package (TGZ file) / exported package (TAR file).
Connect to Gaia Portal on the target Gaia OS.
Obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section - click the Status and Actions page.
In the upper right corner, click the Import Package button:
In the Import Package window, click Browse... - select the CPUSE offline package (TGZ file) / exported package (TAR file) - click Import.
Cannot import package <Name_of_File>. It is not a valid CPUSE package.
Refer to the package's official documentation to get a list of compatible machines. For more information, contact Check Point Technical Services.
Example:
Popup at the bottom:
Event Log entry:
Click the filter button near the help icon (that currently says "Showing Recommended packages") and click "All" (the filter should change to "Showing All packages"):
Verify the imported package - see whether this package can be installed without conflicts:
Either select the imported package - click the More button on the toolbar - click Verifier:
Or right-click the imported package - click Verifier:
Result of this test should be one of these:
Installation is allowed
Upgrade is allowed
Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The offline import procedure in Gaia Clish can be used in these cases:
Gaia machine is disconnected from the Internet (meaning, no access to Check Point Cloud).
CPUSE package is not available on the Check Point Cloud.
Although Gaia machine is connected to the Internet, administrator wishes to manually import a CPUSE package instead of downloading it from Check Point Cloud.
If this Gaia machine is running in VSX Mode, then refer to section "(2) System requirements and limitations" - subsection "H. VSX Gateways".
Notes:
Starting from R81, the installed offline packages must be *.tar files.
Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to section "(4) How to work with CPUSE" - "(D) Additional information about Gaia Clish commands and Gaia Portal actions for CPUSE" - "Show / Hide how to export a CPUSE package in Gaia Portal".
Requirements for free disk space exist.
For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Import procedure for Offline CPUSE package / Exported CPUSE package:
Make sure you have the applicable CPUSE offline package (TGZ file) / exported package (TAR file).
Transfer the CPUSE offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_package/).
Connect to command line on the target Gaia OS.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR>
Example:
HostName:0> installer import local /var/log/path_to_pkg/Check_Point_Hotfix_R81.tgz
Show the imported packages:
HostName:0> show installer packages imported
Verify the package - see whether this package can be installed without conflicts:
HostName:0> installer verify[press Space key][press Tab key]
HostName:0> installer verify <Package_Number>
Result of this test should be:
For a Hotfix package:
Result: Installation is allowed
Status: Available for Install
For a Minor / Major Version:
Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
Status: Available for Install
Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
(4-B) How to work with CPUSE - How to install a CPUSE package
All packages appear in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package (if you have not done it yet) - see whether this package can be installed without conflicts:
Either select the package - click the More button on the toolbar - click Verifier:
Or right-click the package - click Verifier:
Result of this test should be:
Installation is allowed
Install the package:
Note: The installation progress (in per cent) appears in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of the Gaia Clish command "show installer package <Package_Number>".
Either select the package and click the Install Update button on the toolbar:
Or right-click the package and click Install Update:
Machine is rebooted automatically (only if required so by the installed hotfix).
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia OS.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Get the downloaded / available for install packages:
HostName:0> show installer packages
Example from R81.00:
HostName:0> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
R81 Jumbo Hotfix Accumulator General Availability (Take 36) Available for Install
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Status
R81.10 Gaia Fresh Install and upgrade Available for Download
HostName:0>
Verify the package (if you have not done it yet) - see whether this package can be installed without conflicts:
HostName:0> installer verify[press Space key][press Tab key]
HostName:0> installer verify <Package_Number>
Result of this test should be:
Result: Installation is allowed
Status: Available for Install
Install the desired package:
Note: The installation progress (in per cent) appears in the output of the Gaia Clish command "show installer package <Package_Number>", and in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page.
HostName:0> installer install[press Space key][press Tab key]
HostName:0> installer install <Package_Number>
Example from R81.00:
HostName:0> installer install[press Space key][press Tab key]
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Num Display name Type
1 R81 Jumbo Hotfix Accumulator General Availability (Take 36) Hotfix
HostName:0> installer install 1
Initiating install of R81 Jumbo Hotfix Accumulator General Availability (Take 36)...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Package R81 Jumbo Hotfix Accumulator General Availability (Take 36) was installed successfully.
Status: Installing (100%)
Machine is rebooted automatically (only if required so by the installed hotfix).
Note: If machine was not rebooted by the installed package, it might be necessary to connect to command line and to manually run the cpstart / mdsstart command.
Important Note: Existing OS settings and the Check Point Database are preserved during this procedure.
Notes:
Requirements for free disk space and limitations in VSX mode exist.
Upgrade to a Major version is performed on a new hard disk partition, and the "old" partition is converted into Gaia Snapshot (the new partition space is taken from the un-partitioned space on the hard disk.
During an upgrade to a Major version, the CPUSE Agent copies these files from the current version to the target version:
The current $CPDIR/database/*authkeys.C files are copied to the target $CPDIR/database/ directory
The current $FWDIR/lib/user.def file is copied to the target $FWDIR/lib/ directory
The current $FWDIR/lib/user_early.def file is copied to the target $FWDIR/lib/ directory
The current $FWDIR/lib//defaultfilter.boot file is copied to the target $FWDIR/conf/defaultfilter.pf file
The current /etc/fw.boot/ha_boot.conf file is copied to the target /etc/fw.boot/ directory
The current /etc/fw.boot/modules/fwkern.conf file is copied to the target /etc/fw.boot/modules/ directory
The current /etc/ppk.boot/boot/modules/sim_aff.conf file is copied to the target /etc/ppk.boot/boot/modules/ directory
The date of the created snapshot indicates when the "old" partition was created and not when it was converted to snapshot. The date of the conversion to snapshot is indicated in the snapshot description.
All packages appear in categories and by default are filtered to view recommended packages only.
Verify the package (if you have not done it yet) - see whether this package can be upgraded:
Either select the package - click the More button on the toolbar - click Verifier:
Or right-click the package - click Verifier:
Result of this test should be one of these:
Installation is allowed
Upgrade is allowed
Install the package:
Note: The installation progress (in per cent) appears in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of the Gaia Clish command "show installer package <Package_Number>".
Either select the package and click the Upgrade button on the toolbar:
Example:
Or right-click the package and click Upgrade:
CPUSE shows this warning in Gaia Portal:
After this upgrade, there will be an automatic reboot.
(Existing OS settings and the Check Point Database are preserved.)
Machine is rebooted automatically.
If you connect to command line and log in, this notification from CPUSE appears above the prompt:
Upgrade is still running. Log in to the Status and Actions page to see the progress.
Connect to Gaia Portal and obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
CPUSE shows this pop-up in Gaia Portal:
"Upgrade is still running. Log in to the Status and Actions page to see the progress."
Example:
Navigate to the Upgrades (CPUSE) section - click the Status and Actions page.
Click the filter button near the help icon (that currently says "Showing Recommended packages") and click "All" (the filter should change to "Showing All packages"):
Manually install the policy:
If you upgraded a Security Management Server / Multi-Domain Security Management Server, then install the policy onto all managed Security Gateways / Clusters.
If you upgrade a Security Gateway / Cluster Members, then install the policy on this Security Gateway / Cluster.
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Get the downloaded / available for install packages:
HostName:0> show installer packages
Example from R81.00 being upgraded to R81.10 (clean install):
HostName:0> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
R81 Jumbo Hotfix Accumulator General Availability (Take 36) Installed
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Status
R81.10 Gaia Fresh Install and upgrade Available for Install
HostName:0>
HostName:0> show installer packages downloaded
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Type
R81.10 Gaia Fresh Install and upgrade Major Version
HostName:0>
Verify the package (if you have not done it yet) - see whether this package can be installed without conflicts:
HostName:0> installer verify[press Space key][press Tab key]
HostName:0> installer verify <Package_Number>
Result of this test should be:
Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
Status: Available for Install
Start the upgrade to Major Version:
HostName:0> installer upgrade[press Space key][press Tab key]
HostName:0> installer upgrade <Package_Number>
Note: Once you see "Validating Install", press CTRL+C.
Example from R81.00 being upgraded to R81.10 (clean install):
HostName:0> installer upgrade[press Space key][press Tab key]
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
1 R81.10 Gaia Fresh Install and upgrade Major Version
HostName:0> installer upgrade 1
The machine will automatically reboot after installation (y/n) [n] y
Initiating upgrade of R81.10 Gaia Fresh Install and upgrade...
Note: After this upgrade, there will be an automatic reboot.
Existing OS settings and the Check Point Database are preserved.
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Validating Install: 5%
Get the Package Number of the package being installed:
HostName:0> show installer package[press Space key][press Tab key]
To see the installation progress:
Repeatedly run this command and refer to the "Status" line:
HostName:0> show installer package <Package_Number>
Example from R81.00 being upgraded to R81.10 (clean install):
HostName:0> show installer package 3
Display name: R81.10 Gaia Fresh Install and upgrade
Description: No Description
Size: 3.18 GB
Type: Major Version
Status: Installing (13%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2021
Imported on: N/A
Installed on: N/A
Installation log: /opt/CPInstLog//install_Major_R81_10.log
HostName:0>
... ... ...
HostName:0> show installer package 3
... ... ...
HostName:0> show installer package 3
Display name: R81.10 Gaia Fresh Install and upgrade
Description: No Description
Size: 3.18 GB
Type: Major Version
Status: Installing (100%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2021
Imported on: N/A
Installed on: Thu Mar 3 20:31:53 2021
Installation log: /opt/CPInstLog//install_Major_R81_10.log
HostName:0>
Machine is rebooted automatically.
If you connect to command line and log in, this notification from CPUSE appears above the prompt:
Upgrade is still running. Log in to the Status and Actions page to see the progress.
Connect to Gaia Portal and obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
CPUSE shows this pop-up in Gaia Portal:
"Upgrade is still running. Log in to the Status and Actions page to see the progress."
Example:
Navigate to the Upgrades (CPUSE) section - click the Status and Actions page.
Click the filter button near the help icon (that currently says "Showing Recommended packages") and click "All" (the filter should change to "Showing All packages"):
You will see the applicable progress (no need to refresh the page).
Manually install the policy:
If you upgraded a Security Management Server / Multi-Domain Security Management Server, then install the policy onto all managed Security Gateways / Clusters.
If you upgrade a Security Gateway / Cluster Members, then install the policy on this Security Gateway / Cluster.
All packages appear in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see
Verify the package (if you have not done it yet) - see whether this package can be installed without conflicts:
Either select the package - click the More button on the toolbar - click Verifier:
Or right-click the package - click Verifier:
Result of this test should be one of these:
Installation is allowed
Upgrade is allowed
Install the package:
Note: The installation progress (in per cent) appears in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of the Gaia Clish command "show installer package <Package_Number>".
Either select the package and click the Clean Install button on the toolbar.
Or right-click the package and click Clean Install:
Machine is rebooted automatically.
Connect to Gaia Portal and complete the First Time Configuration Wizard.
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Get the downloaded / available for install packages:
HostName:0> show installer packages
Verify the package (if you have not done it yet) - see whether this package can be installed without conflicts:
HostName:0> installer verify[press Space key][press Tab key]
HostName:0> installer verify <Package_Number>
Result of this test should be:
Result: Verifier results: Clean Install: Installation is allowed. Upgrade: Upgrade is allowed.
Status: Available for Install
Start the clean install of Major Version:
HostName:0> installer clean-install[press Space key][press Tab key]
Note: Once you see "Validating Install", press CTRL+C.
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> installer install[press Space key][press Tab key]
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
1 R81.10 Gaia Fresh Install and upgrade Major Version
HostName:0> installer install 1
The machine will automatically reboot after installation (y/n) [n] y
Initiating install of R81.10 Gaia Fresh Install and upgrade...
Note: This installs a new machine.
Existing OS settings and the Check Point Database will be overwritten.There will be an automatic reboot.
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Validating Install: 5%
Get the Package Number of the package being installed:
HostName:0> show installer package[press Space key][press Tab key]
To see the installation progress:
Repeatedly run this command and refer to the "Status" line:
HostName:0> show installer package <Package_Number>
Example from R81.00 being upgraded to R81.10 (clean install):
HostName:0> show installer package 3
Display name: R81.10 Gaia Fresh Install and upgrade
Description: No Description
Size: 3.18 GB
Type: Major Version
Status: Installing (13%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2021
Imported on: N/A
Installed on: N/A
Installation log: /opt/CPInstLog//install_Major_R81_10.log
HostName:0>
... ... ...
HostName:0> show installer package 3
... ... ...
HostName:0> show installer package 3
Display name: R81.10 Gaia Fresh Install and upgrade
Description: No Description
Size: 3.18 GB
Type: Major Version
Status: Installing (100%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2021
Imported on: N/A
Installed on: Thu Mar 3 20:06:30 2021
Installation log: /opt/CPInstLog//install_Major_R81_10.log
HostName:0>
Machine is rebooted automatically.
Connect to command line on Gaia machine.
Log in.
Gaia OS prompts to run the First Time Configuration Wizard.
Example from R81.00 being upgraded to R81.10 (clean install):
login as: admin
This system is for authorized use only.
admin@172.30.41.100's password:
Last login: Thu Mar 3 13:08:47 2021
In order to configure your system, please access the Web UI and finish the First Time Wizard.
gw-aa7bc3>
gw-aa7bc3> show installer package[press Space key][press Tab key]
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
1 R81.10 Gaia Fresh Install and upgrade Major Version
gw-aa7bc3> show installer package 1
Display name: R81.10 Gaia Fresh Install and upgrade
Description: No Description
Size: 3.18 GB
Type: Major Version
Status: Installed
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: N/A
Imported on: N/A
Installed on: N/A
Installation log: N/A
gw-aa7bc3>
Connect to Gaia Portal and complete the First Time Configuration Wizard.
To uninstall a Major Version, machine should be reverted to the previous snapshot.
Where to uninstall
How to uninstall
Gaia Portal
Either select the package - click the More button on the toolbar, and click Uninstall:
(Note: Machine is rebooted automatically)
Example:
Or right-click the package and click Uninstall:
(Note: Machine is rebooted automatically)
You will get uninstall options window.
The available uninstall options are to uninstall the last Jumbo HFA Take and to uninstall completely if there were more than one Take installed:
Gaia Clish
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Show the installed packages:
HostName:0> show installer packages installed
Uninstall the desired package:
HostName:0> installer uninstall[press Space key][press Tab key]
HostName:0> installer uninstall <Package_Number>[press Space key][press Tab key]
INFO: This package is installed on top of Jumbo HFA Take 154
Select one of the following uninstall options:
completely - After uninstall, there is no version of the package installed on your machine
last-take - Only the latest Jumbo HFA Take is uninstalled. The previously installed Jumbo HFA Take remains on your machine
Machine is rebooted automatically (if required so by the uninstalled package).
These command are available in Gaia Clish to work with CPUSE:
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Run the applicable Gaia Clish commands:
Table of Contents for applicable actions:
Show the CPUSE Packages, Status and Agent Policy
Configure the CPUSE Agent Policy and Mail Notifications
Download, Install, Import a CPUSE package
#
Action
Commands
1
Show the CPUSE Packages, Status and Agent Policy:
HostName:0> show installermail-notifications - Show mail notifications for user
package - Show information about a specific package
packages - Show packages information
policy - Show policies configurations
status - Show status
HostName:0>
where the full syntax is:
HostName:0> show installer mail-notifications {<e-mail> | <user_number>}
Shows for which categories mail notifications were configured for specific user
Specific commands:
HostName:0> show installer mail-notifications <e-mail>
HostName:0> show installer mail-notifications[press Space key][press Tab key]
HostName:0> show installer mail-notifications <user_number>
HostName:0> show installer package <Package_Number>
Shows complete information about a specific package (name, size, status, what packages it contains, etc.)
HostName:0> show installer packages {all}
Shows brief information (name and status) about all packages in all categories
HostName:0> show installer packages available-for-download
Shows only packages with the status "Available for Download" and "Partially Downloaded"
HostName:0> show installer packages downloaded
Shows only packages with the status "Downloaded"
HostName:0> show installer packages imported
Shows only packages that were imported
HostName:0> show installer packages installed
Shows only packages that were installed
HostName:0> show installer packages recommended
Shows only recommended packages
HostName:0> show installer policy {all}
Shows CPUSE policy (how often to check for updates, which self tests to perform, etc.)
HostName:0> show installer policy check-for-updates-period
Shows how often CPUSE Agent checks for packages updates
HostName:0> show installer policy downloads
Shows download policy for "Hotfixes" (automatic / manual / scheduled)
HostName:0> show installer policy periodically-self-update
Shows if CPUSE Agent will periodically check for newer CPUSE builds
HostName:0> set installer policy downloads {automatic | manual}
Defines how CPUSE Agent should download "Hotfixes" packages
Specific commands:
HostName:0> set installer policy downloads automatic
Configures CPUSE Agent to download packages when they become available
HostName:0> set installer policy downloads manual
Configures CPUSE Agent to download packages only manually
These settings control how to download CPUSE packages of "Hotfixes" (does not apply to "Minor Versions (HFAs)" / "Major Versions" packages):
automatic
If enabled, CPUSE Agent downloads packages when they become available:
immediately after the Gaia OS boots up
each time "Status and Actions" page is accessed in Gaia Portal
each time period is defined with "set installer policy check-for-updates-period <Time_in_Hours>" command
manual
If enabled, CPUSE Agent downloads packages only manually
HostName:0> set installer policy periodically-self-update {on | off}
Defines if CPUSE Agent should periodically check for and installer newer CPUSE builds
Notes:
If this setting is enabled (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for
download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").
If this setting is disabled, then:
If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
This setting is added to the Gaia Database: installer:self_update_policy_no_permission 1
(this attribute is removed when this box is checked)
Defines which sanity tests CPUSE Agent performs after installing a CPUSE package
Specific commands:
HostName:0> set installer policy self-test install-policy {on | off}
HostName:0> set installer policy self-test network-link-up {on | off}
HostName:0> set installer policy self-test start-processes {on | off}
These settings are used for sanity checks after installing a CPUSE package:
install-policy
If enabled, CPUSE makes sure that it is possible to install a policy
network-link-up
If enabled, CPUSE makes sure that all the configured network interfaces on the Gaia machine are up
start-processes
If enabled, CPUSE makes sure that Check Point processes are running
3
Download, Install, Import a CPUSE package:
HostName:0> installeragent - Perform Deployment agent actions
check-for-updates - Check for new available packages in Check Point cloud
clean-install - Clean install a new major version
delete - Delete package
download - Download package
download-and-install - Download and install package
import - Import package
install - Install package
reinstall - Renstall package
uninstall - Uninstall package
upgrade - Upgrade to a new major version
verify - Verify if package is compatible with this machine
HostName:0>
where the syntax is:
HostName:0> installer agent disable
Disables CPUSE Agent
Notes:
This command disables all CPUSE Agent actions
This command survives reboot
This command is used with the "installer agent enable" command
Important: Must wait at least 10 seconds after running the "installer agent disable" command and before running the "installer agent enable" command; and vice versa
HostName:0> installer agent enable
Enables CPUSE Agent (if it was disabled with "installer agent disable")
Notes:
This command enables all CPUSE Agent actions
This command survives reboot
This command is used with the "installer agent disable" command
Important: Must wait at least 10 seconds after running the "installer agent disable" command and before running the "installer agent enable" command; and vice versa
HostName:0> installer agent start
Starts CPUSE Agent (if it was stopped with the "installer agent stop" command)
Notes:
This command starts all CPUSE Agent actions
This command survives reboot
This command is used with the "installer agent stop" command
Important: Must wait at least 10 seconds after running the "installer agent stop" command and before running the "installer agent start" command; and vice versa
When running this command, the error "NMINST9999 Timeout waiting for response from database server" might appear, although the command worked; if you run this command again, the message "Deployment agent is already running" will appear
HostName:0> installer agent stop
Stops the CPUSE Agent
Notes:
This command stops all CPUSE Agent actions
This command does not survive reboot
This command is used with the "installer agent start" command
Important: Must wait at least 10 seconds after running the "installer agent stop" command and before running the "installer agent start" command; and vice versa
Verifies if the specified CPUSE package can be installed without conflicts
The progress (in per cent) of the download / install / uninstall actions appears in "Gaia Portal" - "Upgrades (CPUSE)" section and in the output of the Gaia Clish command "show installer package <Package_Number>".
This section (yellow rectangular at the top) shows important static messages - e.g., about CPUSE license, whether a reboot / restart of the Check Point services is required.
Note: To see complete technical details about the operations performed by CPUSE (Gaia Software Updates) Agent, refer to /opt/CPInstLog/DeploymentAgent.log.* files.
The general messages from CPUSE Agent appear in the Event Log.
In "Gaia Portal" - go to the "Upgrades (CPUSE)" section - click the "Status and Actions" page - scroll to the bottom - click the "Event Log" button:
Notes:
This window shows the general messages only for the last 10 minutes.
Events in this window appear in the ascending order (the latest event is at the top).
To see the full log file, click the the Save full event log button in the upper right corner. Web browser will save the /opt/CPInstLog/DA_UI.log file to your computer (events in this file appear in the descending order - the latest event is at the bottom).
Events in the pop-up are marked by different icons:
Check Point's software updates and Jumbo Hotfix Accumulators, for security fixes and feature improvement.
Released after fixes for issue(s) were developed and tested.
Major Versions
Introduce new functions and cutting edge innovative technologies to the market while maintaining high product quality.
All packages appear in a hierarchy - parent package and its child packages are nested.
Notes (see example screenshots below):
Each category can be collapsed or expanded by clicking on the category title.
When clicking on the category title, the explanation about the category appears in the right section.
The number of packages in each category appears to the right of the category title (in the end of the line).
The number of packages that appear depends on the current filter (see the next bullet).
If all the recommended packages in the category were already installed, then it will show "Aligned with the latest version".
The recommended software updates are marked by a yellow star on the package icon.
(Note: this yellow star appears only if the Gaia machine is connected to the Internet (this information is obtained from Check Point Cloud).
Software packages that were installed as part of another package (an accumulative hotfix that includes several hotfixes inside, or an HFA that includes several package) appears with the status "Installed As Part Of Another Package" and will be grayed out.
A package that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to be transferred to another Gaia machine (for example, if another Gaia machine is disconnected from the Internet):
Note: Currently, this operation is available only in Gaia Portal.
Export the package:
Right-click the package
Click Export Package
The package will be saved on your computer as a special TAR archive file that contains the necessary files.
Note: Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already downloaded / installed (see the instructions how to export a CPUSE package in Gaia Portal). Do not change the package name.
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal on the target Gaia OS.
Obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section, click the Status and Actions page.
In the upper right corner, click the Import Package button:
In the Import Package window, click Browse... - select the CPUSE offline package (TGZ file) / exported package (TAR file) - click Import.
Cannot import package <Name_of_File>. It is not a valid CPUSE package.
Refer to the package's official documentation to get a list of compatible machines. For more information, contact Check Point Technical Services.
Example:
Popup at the bottom:
Event Log entry:
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Transfer the CPUSE offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_package/).
Connect to command line on the target Gaia OS.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR>
Example:
HostName:0> installer import local /var/log/path_to_pkg/Check_Point_Hotfix_R81_10.tgz
Verify the package to see whether this package can be installed without conflicts:
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal.
Obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section - click the Status and Actions page.
Initiate the Verifier:
Either select the package - click the More button on the toolbar - click Verifier:
Or right-click the package - click Verifier:
Result of this test appears in a pop-up.
One of these:
Installation is allowed
Upgrade is allowed
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Note: This requires connection to the Internet and to Check Point Cloud (refer to section "System requirements and limitations" - requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal.
Obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section - click the Status and Actions page.
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:
Notes:
Currently, only these keys are supported in this field: Left/Right arrow, Delete, Backspace.
Downloading the hotfix by its URL is not supported.
Packages that are not suitable for this machine, will not be available.
Example:
Paste the hotfix name in the pop-up search window:
Click the magnifying glass icon to start the search
When the package is found, it appears as a link along with its title and release date.
Click the package to add it to the list of available packages.
Example:
The package will be added with the status Available for Download.
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Note: Packages that are not suitable for this machine, will not be available.
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page
This setting is used for sanity test after installing a CPUSE package.
If this box is checked, then CPUSE runs a fall-back procedure if the installed CPUSE package fails one of the sanity tests enabled in the Self Tests to perform sub-section - CPUSE would automatically restore the version that was active before the CPUSE package was installed and send a notification that the installation failed.
Periodically update new Deployment Agent version (recommended)
If this box is checked (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").
If this box is cleared, then:
Important Messages (yellow section at the top) will show "click here" to download the new version.
If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
This setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Configure the desired CPUSE (Gaia Software Updates) Agent Policy:
HostName:0> set installer policy check-for-updates-period <Time_in_Hours>
Configures the period, in hours, between checks for available packages in the cloud.
Note: When updating CPUSE Agent from build 839, it is necessary to restart all Gaia Clish daemons for this Gaia Clish command to become available (does not apply if updating from older CPUSE builds) - refer to section "(3) Download the latest build of CPUSE Agent and What's New" - Step "(3-C) How to manually install the CPUSE Agent package" - Step 5.
Default value = 6 hours
Valid values = 0 - 240 hours (configure 0 to disable these checks)
Note: The configured period is saved in Gaia Database in seconds.
HostName:0> set installer policy downloads {automatic | manual }
Specific commands:
HostName:0> set installer policy downloads automatic
HostName:0> set installer policy downloads manual
These settings control how to download CPUSE packages (applies only to "Hotfixes" and JUMBO packages - and does not apply to "Major Versions" packages):
automatic
If enabled, CPUSE Agent downloads packages when they become available:
immediately after the Gaia OS boots up
each time "Status and Actions" page is accessed in Gaia Portal
each time period defined with "set installer policy check-for-updates-period <Time_in_Hours>" command
manual
If enabled, CPUSE Agent downloads packages only manually
HostName:0> set installer policy periodically-self-update {on | off}
Notes:
If this setting is enabled (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").
If this setting is disabled, then:
If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
This setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).
Click the Add button to add a user, to whom e-mail notifications should be sent.
Add the user's e-mail address and select for which categories to send the e-mail notifications - click the "OK" button.
Example:
By selecting the user's e-mail address in the list, you can see and change on-the-fly the categories, for which the e-mail notifications are sent to this user.
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Configure the desired CPUSE (Gaia Software Updates) Agent Mail Notifications:
Note: SmartConsole package will be available only on machine that is configured as Security Management Server / Multi-Domain Security Management Server, or as a StandAlone (Security Management Server and Security Gateway).
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal.
Obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section (in Gaia R77.20 and above) / to Software Updates section (in Gaia R77.10 and lower) - click the Status and Actions page.
In Gaia R77.20 and above:
In Gaia R77.10 and lower:
Use the filter button near the help icon and select All:
SmartConsole package appears in the category "Minor Versions (HFAs)".
Select the SmartConsole package.
Download the SmartConsole package:
Either select the package - click the Download button on the toolbar.
Example:
Or right-click the package and click Download:
Install the SmartConsole package:
Either select the package - click the Install Update button on the toolbar.
Example:
Or right-click the package - click Install Update:
The SmartConsole package will be unpacked.
Gaia Portal will offer to download the SmartConsole.exe file.
Example:
The SmartConsole package can now be downloaded from Gaia Portal in the these places:
Go to the Overview section - click the Download Now button:
Go to the Maintenance section - click the Download Smart Console page:
Note: For details about Gaia Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Gaia Clish.
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Get the available packages:
HostName:0> show installer packages available-for-download
Note: SmartConsole package appears in the category "HFAs".
Example:
HostName:0> show installer packages available-for-download
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
... ... ...
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Display name Status
R77 Hotfix for sk95056 (UDP Drops) Available for Download
R77 SmartConsole for Windows Available for Download
R77.20 Gaia Software Updates Package for R77 Available for Download
R77.30 Gaia Software Updates Package for R77 Available for Download
** ************************************************************************* **
** Majors **
** ************************************************************************* **
... ... ...
HostName:0>
HostName:0> show installer package[press Space key][press Tab key]
HostName:0> show installer package <Package_Number>
Example:
HostName:0> show installer package 16
Display name: R77 SmartConsole for Windows
Description: Check Point R77 SmartConsole for Windows:
1. Download SmartConsole package on the Gaia server.
2. Install the package - It will be automatically downloaded
to your client machine, and will also be available in Overview Download Now.
Size: 292.51 MB
Type: HFA
Status: Available for Download
Requires reboot: No
Recommended: No
Contains: None
Contained-in: None
Downloaded on: N/A
Imported on: N/A
Installed on: N/A
Installation log: N/A
HostName:0>
Download the SmartConsole package:
Note: The download progress (in per cent) appears in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page, and in the output of the Gaia Clish command "show installer package <Package_Number>".
HostName:0> installer download[press Space key][press Tab key]
HostName:0> installer download <Package_Number>
Example:
HostName:0> show installer package 16
Display name: R77 SmartConsole for Windows
Description: Check Point R77 SmartConsole for Windows:
1. Download SmartConsole package on the Gaia server.
2. Install the package - It will be automatically downloaded
to your client machine, and will also be available in Overview Download Now.
Size: 292.51 MB
Type: HFA
Status: Downloading (18%)
Requires reboot: No
Recommended: No
Contains: None
Contained-in: None
Downloaded on: N/A
Imported on: N/A
Installed on: N/A
Installation log: N/A
HostName:0>
Install the SmartConsole package:
Note: The installation progress (in per cent) appears in the output of the Gaia Clish command "show installer package <Package_Number>", and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and above) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.
HostName:0> installer install[press Space key][press Tab key]
HostName:0> installer install <Package_Number>
Example:
HostName:0> show installer package 16
Display name: R77 SmartConsole for Windows
Description: Check Point R77 SmartConsole for Windows:
1. Download SmartConsole package on the Gaia server.
2. Install the package - It will be automatically downloaded
to your client machine, and will also be available in Overview Download Now.
Size: 292.51 MB
Type: HFA
Status: Installing (30%)
Requires reboot: No
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Tue Mar 15 15:15:22 2016
Imported on: N/A
Installed on: Tue Mar 15 15:27:53 2016
Installation log: /opt/CPInstLog//install_CPUpdates_R77_SC.log
HostName:0>
The SmartConsole package will be unpacked.
If Gaia Portal is currently opened, then it will offer to download the SmartConsole.exe file.
Example:
The SmartConsole package can now be downloaded from Gaia Portal in the these places:
Go to the Overview section - click the Download Now button:
Go to the Maintenance section - click the Download Smart Console page:
The CPUSE Agent (Gaia Software Updates Agent) is installed on each Gaia-based device and it is responsible for all software deployment process on that device.
Table of Contents for this section:
Applicable Software Updates
CPUSE Agent daemon
Software update installation process
CPUSE verification checks
Suppress Reboot behavior
(5-A) Architecture and Design - Applicable Software Updates
All applicable software updates are uploaded to Check Point Download Center.
CPUSE Agent shows software updates that are applicable only to this specific machine.
Note: For each official release and recommended hotfix, CPUSE Offline package can be downloaded from the applicable solution article.
Software Updates
Description
Where / how new software updates appear
In Gaia Portal
If new software updates are available, they are appear in Upgrades (CPUSE) section - Status and Actions page with the status Available for Download.
In Gaia Clish
If new software updates are available, they are appear in the output of the show installer packages available-for-download command.
How new software updates are installed
Packages are installed based on the CPUSE (Gaia Software Updates) Agent Policy - either manually, on schedule, or automatically.
In Gaia Portal, refer to:
Upgrades (CPUSE) section
Software Updates Policy page
Download Hotfixes sub-section
In Gaia Clish, refer to:
Output of the show installer policy downloads command.
Where are downloaded software updates located
All downloaded software updates will be located in $DADIR/repository/tmp/ directory, which actually contains symbolic links to the /var/log/CPda/repository/tmp/ directory, where the downloaded software updates are physically stored
(5-B) Architecture and Design - CPUSE Agent daemon
Architecture and Design
Description
Main directory
/opt/CPda/
(environment variable $DADIR)
Main daemon
$DADIR/bin/DAService
Log files
/opt/CPInstLog/DeploymentAgent.log
Notes:
Contains detailed technical log for administrators and for troubleshooting.
Up to 10 rotated files are kept (DeploymentAgent.log.1, DeploymentAgent.log.2, etc.).
/opt/CPInstLog/DA_UI.log
Notes:
Contains general messages for users.
This log file is not rotated.
The last 10 minutes of the this log file appear in the "Event Log":
In "Gaia Portal" - go to the "Upgrades (CPUSE)" section - click the "Status and Actions" page - scroll to the bottom - click the "Event Log" button.
How to manually start the CPUSE Agent daemon
Enable the monitoring of the CPUSE Agent daemon by Check Point WatchDog:
Disable the monitoring of the CPUSE Agent daemon by Check Point WatchDog:
[Expert@HostName:0]# $DADIR/bin/dastop
Which will run this command:
cpwd_admin stop -name DASERVICE
Manually stop the CPUSE Agent daemon:
Either in Gaia Clish:
HostName:0> installer agent stop
Or in the Expert mode:
[Expert@HostName:0]# DAClient stop
(5-C) Architecture and Design - Software update installation process
When started, installation process is automatic and does not require any interaction from the user.
Which package is installed
Installation process
Hotfix or JUMBO
Pre-install validation (installation type (GW/MGMT), package validation, disk space, CRs conflicts, version compatibility).
For details about verification checks run by CPUSE, refer to sub-section (5-D) CPUSE verification checks.
Unpack the new CPUSE package.
Back up the current CPUSE package.
Stop the Check Point services ('cpstop').
Prepare diff-files (what exactly should be replaced).
Replace target files. Rollback, if installation fails.
Register the installed package in Check Point Registry.
Reboot (automatically) / Start the Check Point services ('cpstart').
Run the self-test.
Major Version (Upgrade)
Pre-install validation (installation type (GW/MGMT), package validation, disk space, CRs conflicts, version compatibility, machine type (Check Point Appliance/Open Server), upgrade path).
For details about CPUSE verification checks, refer to sub-section (5-D) CPUSE verification checks.
Create new disk partition.
Install new version files onto the new disk partition.
Configure new version, migrate the applicable configuration.
(Database on Management Server, SIC, Licenses, FireWall / VPN / SecureXL / CoreXL / Hardware configuration on Security Gateway).
Configure products on the new disk partition.
Reboot the machine from the new partition.
Import database (on Management Server), last products configurations, fetch policy (on Security Gateway).
Run post-install self-tests (as configured before the installation).
(5-D) Architecture and Design - CPUSE verification checks
Pre-Install verifications:
As part of the "Verify" actions, or at the start of each installation, CPUSE Agent runs several tests to make sure the package is compatible for the installation:
Available disk space
Content validation (conflicts with installed content)
Package is not corrupted
On Security Management Server / Multi-Domain Security Management Server, at the beginning of an upgrade, CPUSE Agent automatically runs the Pre-Upgrade Verifier - a validation tool, similar to the pre-upgrade verifier that runs as a part of the Management Server migration process.
In case of an error in one of the verification tests, the administrator is required to first follow the instructions and resolve the issue, and only then to start the upgrade again.
Post-Install self-tests:
CPUSE Agent has a self-test feature that runs after installation and checks whether the installation has succeeded - and its purpose is to validate that the Gaia OS machine is up and running.
Three checks can be configured to run:
Check Point daemons that were up and running prior to installation, are up and running post installation (enabled by default)
Local policy-fetch works (disabled by default)
Network links that were up prior to installation, are up post installation (disabled by default)
The self-test configuration is controlled:
In Gaia Portal, navigate to the Upgrades (CPUSE) section - click Policy.
In Gaia Clish, refer to set installer policy ... commands
Please note the self-test failure condition is different from a regular installation failure - during a regular installation failure, there is an automatic roll back and the machine returns to a point before the installation started.
All CPUSE packages are signed by Check Point using an SHA-256 digital signature since April 2015.
Until then, CPUSE packages were signed by MD5 and SHA-1 digital signature.
Note: If CPUSE is served from an on-premises Private ThreatCloud, then all CPUSE packages are signed at the source (i.e., by Check Point) using an ECDSA P-521/SHA-512 digital signature.
CPUSE Agent performs SHA-256 signature verification and MD5 integrity verification of the downloaded files.
If the either verification fails, the download is considered as failed.
(5-E) Architecture and Design - Suppress Reboot behavior
At the beginning of each installation / uninstall of a Hotfix or JUMBO, CPUSE Agent asks the user whether to perform a reboot automatically when install / uninstall completes. The purpose of the suppress reboot functionality is to allow the administrator to perform post-install / post-uninstall actions (that also require reboot) and thus reduce the number of reboots.
If administrator chooses to suppress the automatic reboot, then the CPUSE Agent will not reboot the machine automatically. However, some of the Gaia OS functionality will be blocked:
After installation of a Hotfix or a JUMBO:
No additional actions are allowed for the installed package (except exporting the package and deleting the package from disk)
All actions on other packages are allowed
Important Note: During the installation / uninstall of a package, all Check Point services are stopped (cpstop). Therefore, it is strongly recommended to complete all the necessary maintenance operations and reboot the machine as soon as possible, to restore the normal operation of Check Point software. For more details, refer to sk113045.
(6) Limitations, Troubleshooting and Related solutions
Тo open debug, run (no need to restart the Deployment Agent ):
da_cli edit_configuration operation=add_config PING_DEBUG=1 - to activate debug
da_cli edit_configuration operation=add_config PING_DEBUG=0 - to deactivate debug (default)
2
By default, if the Deployment Agent identifies a newer version in Download Center and if the self-update option is off, the Deployment Agent blocks the operations until the latest version is installed. To bypass this, use:
da_cli edit_configuration operation=add_config ENFORCE_NEW_DA=1 - to enable (default)
da_cli edit_configuration operation=add_config ENFORCE_NEW_DA=0 - to disable
3
Symptom: clish, DAClient and da_cli commands seem to have no effect.
Solution:
If MDPS is enabled on the Security Gateway, make sure that the shell runs on the management plane.
When MDPS is enabled on theSecurity Gateway, CPUSE service runs in the management plane, any command line interaction with CPUSE should be executed in the same plane (clish, DAClient and da_cli).
4
Symptom: Not enough free disk space on /var/log due to old packages.
After upgrade the CPUSE shows only the packages that are applicable for the current version while packages of the previous version are not deleted.
Solution:
Use "da_cli delete package=<name>"
Important note: Delete a package only if you are 100% sure there will not be any revert to previous snapshot of this version.
If, for example, after upgrade from 80.40 to 81.00 the Jumbo of 80.40 will be deleted, a revert to snapshot to 80.40 snapshot will cause the system to be unstable.
Important Note: This option was removed from Gaia Portal starting in CPUSE Agent Build 1127.
Note: This option is used only to upgrade to Major releases R75.40VS / R76 GA / R77.X (refer to the upgrade map) using the Legacy CLI upgrade package.
Download the Legacy CLI upgrade Gaia OS package of the supported Major release (R75.40VS / R76 / R77 / R77.10 / R77.20 / R77.30).
Connect to Gaia Portal.
Obtain the lock over the configuration database (click the lock icon at the top - near 'Sign Out'):
Navigate to the Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click the Status and Actions page.
In Gaia R77.20 and higher:
In Gaia R77.10 and lower:
Click the "Legacy Upgrade" button, upload the upgrade package to Gaia OS, and click the "Upgrade" button:
HostName:0> show installer
mail-notifications - Show mail notifications for user
package - Show information about a specific package
packages - Show packages information
policy - Show policies configurations
status - Show status
HostName:0>
where full syntax is:
HostName:0> show installer mail-notifications {<Package_Number> | <email>}
HostName:0> show installer package <Package_Number>
HostName:0> installer
agent - Perform Deployment agent actions
check-for-updates - Check for new available packages in Check Point cloud
delete - Delete package
download - Download package
download-and-install - Download and install package
import - Import package
install - Install package
uninstall - Uninstall package
upgrade - Upgrade to a new major version
verify - Verify if package is compatible with this machine
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions appears in both Gaia Clish and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.
Refer to section "(4) How to work with CPUSE" - refer to instructions for Gaia Portal.
Available Gaia Clish commands
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Configure the Gaia Software Updates Agent Policy:
HostName:0> set installer
deployment-mail-notification - Set the installer mail notifications
download_mode - Set the installer download mode to automatic, manual or schedule
install_mode - Set the installer install mode to automatic, manual or schedule
HostName:0>
Notes:
The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
Start/Stop the applicable action:
HostName:0> installer
download - Download a selected package
install - Install a selected package
restore_policy - Restore the default update policy
start - Start the installer service
stop - Stop the installer service
uninstall - Uninstall a selected package
upgrade - Upgrade a selected package
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions appears in both Gaia Clish and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.
To see software updates in Gaia Clish:
HostName:0> show installer
available_local_packages - Show available packages for install
available_packages - Show available packages for download
installed_packages - Show the installed packages on this machine
package_status - Show the packages status
HostName:0>
Notes:
"show installer available_packages" command reads the information about the packages that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_packages
Num File Name Type
1 Check_Point_R77_10_R77_20_T124.tgz Wrapper
2 Check_Point_R75.46_Fresh_Install.tgz Major Version
3 Check_Point_R75_40VS_T157.tgz Major Version
4 Check_Point_R77.10_Install_and_Upgrade.tgz Major Version
5 Check_Point_R76_T265.tgz Major Version
HostName:0>
"show installer available_local_packages" command reads the information about the packages that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_local_packages
Num File Name Type
1 Check_Point_Hotfix_R77_10_sk102673.tgz Hotfix
HostName:0>
"show installer installed_packages" command reads the information about the packages that were installed from the $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer installed_packages
Num File Name Type
1 Check_Point_SmartConsole_R75.47.tgz Wrapper
2 Check_Point_Hotfix_R75.47_sk101186.tgz Hotfix
HostName:0>
"show installer package_status" command reads the information about the status of packages from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer package_status
Num File Name Status Progress
1 Check_Point_SmartConsole_R75.47.tgz Installed
2 Check_Point_R75.46_Fresh_Install.tg... Available for Download
3 Check_Point_R76_T265.tgz Available for Download
4 Check_Point_R77.20_T124_Install_and... Partially Downloaded (5%)
5 Check_Point_R77.10_Install_and_Upgr... Available for Download
6 Check_Point_Hotfix_R75_47_sk102673.... Available for Install
7 Check_Point_R77.tgz Available for Download
8 Check_Point_R75_40VS_T157.tgz Available for Download
9 Check_Point_Hotfix_R75.47_sk101186.... Installed
10 Check_Point_Hotfix_R75.47_sk100195.... Unknown
11 Check_Point_Hotfix_R75.47_sk100431.... Unknown
12 Check_Point_R75.47_OSPF_Hotfix_sk94... Available for Download
HostName:0>
Information about the packages that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
To download a software update in Gaia Clish:
Example:
HostName:0> installer download
Num File Name Type
1 Check_Point_R75.46_Fresh_Install.tgz Major Version
2 Check_Point_R76_T265.tgz Major Version
3 Check_Point_R77.20_T124_Install_and_Upgrade.tgz Major Version
4 Check_Point_R77.10_Install_and_Upgrade_R75.4X.tgz Major Version
5 Check_Point_R77.tgz Major Version
6 Check_Point_R75_40VS_T157.tgz Major Version
7 Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz Hotfix
HostName:0>
HostName:0> installer download 7
Initiating download of Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz...
HostName:0>
HostName:0> show installer package_status
.............
12 Check_Point_R75.47_OSPF_Hotfix_sk94... Downloading (6%)
.............
HostName:0>
To install a software update in Gaia Clish:
Important Note: Requirements for free disk space exist.
Example:
HostName:0> installer install
Num File Name Type
1 Check_Point_Hotfix_R75_47_sk102673.tgz Hotfix
2 Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz Hotfix
HostName:0>
HostName:0> installer install 2
Initiating install of package 1: Check_Point_R77_hotfix_sk95245.tgz
HostName:0>
HostName:0> show installer package_status
.............
Initiating install of Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz...
.............
HostName:0>
HostName:0> show installer package_status
.............
12 Check_Point_R75.47_OSPF_Hotfix_sk94... Installing (30%)
.............
HostName:0>
To upgrade a software update in Gaia Clish:
Important Note: Requirements for free disk space exist.
Example:
HostName:0> installer upgrade
Num File Name Type
1 Check_Point_R75.46_Fresh_Install.tgz Major Version
HostName:0>
HostName:0> installer upgrade 1
Initiating upgrade of package 1: Check_Point_R75.46_Fresh_Install.tgz
HostName:0>
On this tab, user will see the available / manually uploaded hotfix packages.
When a software update is "Available for Download", click the "Download" button.
When a software update is "Available for Install", user can verify whether there are any warnings about this update and whether this update can be installed without conflicts.
Click the "Actions" button and then click the "Verifier" button (formerly known as "Check Install") - a pop-up will appear with "Verifier results".
If there are no warnings/conflicts, then click the "Install Update" button.
After a software update is installed, user can see the installation log by clicking on the 'scroll' icon in the "Logs" column.
A new window will open. Information can be selected and copied from this window.
If a software update was installed and has to be uninstalled, click the "Uninstall" button.
A software update that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to transfer it to another Gaia machine (for example, if another Gaia machine is disconnected from the Internet):
Select the update.
Click the "Actions" button - click the "Export" button.
The update will be saved as TAR file on your computer.
A software update can be manually imported to this Gaia machine (for example, if this machine is disconnected from the Internet).
Important Note: Requirements for free disk space exist.
This feature (importing a package) supports only these types of packages:
Packages that were specifically created to be installed using Gaia Software Updates.
Obtain the lock over the configuration database (click the lock icon at the top - near "Sign Out").
Navigate to the "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" pane.
Click the "Actions" button - click the "Import" button.
Browse for the TGZ file that was provided by Check Point Support - click "Upload".
Install the uploaded package either in Gaia Portal, or in Gaia Clish - see the applicable instructions above.
Packages that were exported from another Gaia machine using Gaia Software Updates.
Export the applicable update package (that was already downloaded / installed) from a source Gaia machine (that is connected to the Internet) to your computer.
If needed, transfer this file to an external storage device.
Open the Gaia Portal of the target Gaia machine (on which this update package should be imported).
Go to "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates"section - "Status and Actions" page.
Click the "Actions" button - click the "Import" button.
Browse for the TAR file that was exported from a source Gaia machine - click "Upload".
Note: If this error appears, then incorrect package was uploaded (contact Check Point Support for assistance):
Cannot import package.
It is not a valid exported "Gaia Software Updates" package.
Customized packages / images that were created by Check Point for specific customer are added in this way:
Click the "Actions" button - click the "Add Private Hotfix" button.
In the "Add Private Package" window, paste the special link to the customized package / image (sent to you by Check Point) - click the "Add" button.
See the progress in the "Important Messages" section at the bottom (scroll down).
The customized package / image will appear in the list of available packages with the status "Available for Download".
Proceed as with regular hotfix package / image.
User can see the general progress in the "Important Messages" section at the bottom (scroll down).
For complete log, click the "History" button. Information can be selected and copied from these windows.
Notes:
In the "Important Messages" section, the messages appear from bottom-to-top (most recent log is at the top).
In the "Important Messages Log" ('History') window, the messages appear from top-to-bottom (most recent log is at the bottom).
Full Images
On this tab, user will see the available / manually uploaded upgrade packages and fresh install images.
When an image is "Available for Download", click the "Download" button.
When an image is "Available for Install", user can verify whether there are any warnings about this image and whether this image can be installed without conflicts.
Click the "Actions" button and then click the "Verifier" button (formerly known as "Check Install") - a pop-up will appear with "Verifier results".
If there are no warnings/conflicts, then click the "Install Update" button.
If an image is already installed, you can click the "Reinstall" button.
If an upgrade image was installed and has to be uninstalled, click the "Uninstall" button.
Important Note: There is no uninstall option for fresh install images.
An image that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to transfer it to another Gaia machine (for example, if that machine is disconnected from the Internet):
Select the update.
Click the "Actions" button - click the "Export" button.
The update will be saved as TAR file on your computer.
You can store this TAR file for backup purposes, or transfer it to another Gaia machine.
An image can be manually imported to this Gaia machine (for example, if this machine is disconnected from the Internet).
Important Note: Requirements for free disk space exist.
This feature (importing an image) supports only images that were exported from another Gaia machine using Gaia Software Updates:
Export the applicable image from a source Gaia machine to your computer.
If needed, transfer this file to an external storage device.
Open the Gaia Portal of the target Gaia machine (on which this image should be imported).
Go to "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" page.
Click the "Actions" button - click the "Import" button.
Browse for the TAR file that was exported from a source Gaia machine - click "Upload".
Note:
Gaia Portal will only accept a TAR file that was exported from another Gaia machine (it contains the image TGZ file and special metadata TGZ file).
Otherwise, this error appears:
Cannot import package.
It is not a valid exported "Gaia Software Updates" package.
User can see the general progress in the "Important Messages" section at the bottom (scroll down).
For complete log, click the "History" button. Information can be selected and copied from these windows.
Notes:
In the "Important Messages" section, the messages appear from bottom-to-top (most recent log is at the top).
In the "Important Messages Log" ('History') window, the messages appear from top-to-bottom (most recent log is at the bottom).
Available Gaia Clish commands
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Configure the Gaia Software Updates Agent Policy:
HostName:0> set installer
deployment-mail-notification - Set the installer mail notifications
download_mode - Set the installer download mode to automatic, manual or schedule
install_mode - Set the installer install mode to automatic, manual or schedule
HostName:0>
Notes:
The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
For more information about "deployment-mail-notification", refer to "Configuring e-mail notifications in Gaia Clish" section.
Start/Stop the applicable action:
HostName:0> installer
download - Download a selected package
install - Install a selected package
restore_policy - Restore the default update policy
start - Start the installer service
stop - Stop the installer service
uninstall - Uninstall a selected package
upgrade - Upgrade a selected package
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions appears in both Gaia Clish and in "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" page.
To see software updates in Gaia Clish:
HostName:0> show installer
available_local_packages - Show available packages for install
available_packages - Show available packages for download
installed_packages - Show the installed packages on this machine
package_status - Show the packages status
HostName:0>
Notes:
"show installer available_packages" command reads the information about the packages that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_packages
List of available packages for download:
[1]. R75.46 - Check_Point_R75.46_Fresh_Install.tgz (1.48 GB) - <b>R75.46 is a maintenance release for R75.40 and R75.45 with important Check Point product updates.<br>For more about this release, see the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90960" target="_blank">R75.46 home page</a>.</b>
[2]. R77_SC - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz
HostName:0>
"show installer available_local_packages" command reads the information about the packages that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_local_packages
List of available packages for install:
[1]. HOTFIX_GULLI_UDP_FIX - Check_Point_R77_UDP_Hotfix_sk95056.tgz (206.90 KB) - Check_Point_R77_UDP_Hotfix_sk95056.tgz
[2]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.
For more about this release - <a& href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b>
[3]. HOTFIX_GULLI_HF1 - Check_Point_R77_hotfix_sk95245.tgz (2.99 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
[4]. BUNDLE_DUMMY - Check_Point_Hotfix_Bundle.tgz (206.90 KB) - Check_Point_Hotfix_Bundle.tgz
[5]. HOTFIX_GULLI_HF2 - Check_Point_hotfix_R77_sk96269.tgz (2.97 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
HostName:0>
"show installer installed_packages" command reads the information about the packages that were installed from the $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
"show installer package_status" command reads the information about the status of packages from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).
Information about the packages that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
To download a software update in Gaia Clish:
Example:
HostName:0> installer download
List of available packages for download:
[1]. R75.46 - Check_Point_R75.46_Fresh_Install.tgz (1.48 GB) - <b>R75.46 is a maintenance release for R75.40 and R75.45 with important Check Point product updates.<br>For more about this release, see the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90960" target="_blank">R75.46 home page</a>.</b>
[2]. R77_SC - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz
HostName:0>
HostName:0> installer download 2
Initiating download of package 2: Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB)
HostName:0>
HostName:0> show installer package_status
.............
Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz - Downloading (2.95 MB/s) - Progress: 6%
.............
HostName:0>
To install a software update in Gaia Clish:
Important Note: Requirements for disk space exist - refer to "System requirements and limitations" section.
Example:
HostName:0> installer install
List of available packages for install:
[1]. HOTFIX_GULLI_HF1 - Check_Point_R77_hotfix_sk95245.tgz (2.99 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
[2]. BUNDLE_R77_10 - Check_Point_R77.10_EA_T72_4SEs.tgz (202.19 MB) - Check_Point_R77.10_EA_T72_4SEs.tgz
[3]. HOTFIX_GULLI_HF2 - Check_Point_hotfix_R77_sk96269.tgz (2.97 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding.
[4]. HOTFIX_GULLI_UDP_FIX - Check_Point_R77_UDP_Hotfix_sk95056.tgz (206.90 KB) - Check_Point_R77_UDP_Hotfix_sk95056.tgz
[5]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.<br> For more about this release - <a href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b>
HostName:0>
HostName:0> installer install 1
Initiating install of package 1: Check_Point_R77_hotfix_sk95245.tgz
HostName:0>
HostName:0> show installer package_status
.............
Check_Point_R77_hotfix_sk95245.tgz - Installing - Progress: 3%
.............
HostName:0>
To upgrade a software update in Gaia Clish:
Important Note: Requirements for disk space exist - refer to "System requirements and limitations" section.
Example:
HostName:0> installer upgrade
List of available packages for upgrade:
[1]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.<br> For more about this release - <a href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b>
HostName:0>
HostName:0> installer upgrade 1
Initiating upgrade of package 1: Check_Point_R77.tgz
HostName:0>
When a software update is "Available for Download", click the "Download" button.
When a software update is "Available for Install", click the "Check Install" button to check whether this software update can be installed without conflict. If there are no warnings/conflicts, then click the "Install" button.
If a software update was installed and has to be uninstalled, click the "Uninstall" button.
Available Gaia Clish commands
Obtain the lock over Gaia configuration database:
HostName:0> lock database override
Configure the Gaia Software Updates Agent Policy:
HostName:0> set installer
deployment-mail-notification - Set the installer mail notifications
download_mode - Set the installer download mode to automatic, manual or schedule
install_mode - Set the installer install mode to automatic, manual or schedule
HostName:0>
Notes:
The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
Start/Stop the applicable action:
HostName:0> installer
download - Download a selected package
install - Install a selected package
restore_policy - Restore the default update policy
start - Start the installer service
stop - Stop the installer service
uninstall - Uninstall a selected package
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions appears only in "Gaia Portal" - "Software Updates" - "Status and Actions".
To see software updates in Gaia Clish:
HostName:0> show installer
available_local_packages - Show available packages for install
available_packages - Show available packages for download
installed_packages - Show the installed packages on this machine
package_status - Show the packages status
HostName:0>
Notes:
"show installer available_packages" command reads the information about the files that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_packages
List of available packages for download:
[1]. R75.40 - R75.40_2.tgz (804.64 MB) - R75.40
[2]. R77 - R77.tgz (1.10 GB) - R77 Take 34
[3]. R76_GA - R76_GA.tgz (1.06 GB) - R76
HostName:0>
"show installer available_local_packages" command reads the information about the files that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
List of available packages for install:
[1]. software update_GIZMO_PING_DUMMY_002 - Check_Point_GIZMO_DUMMY_002_Bundle.tgz (31.38 KB) - Check_Point_GIZMO_DUMMY_002_Bundle.tgz
HostName:0>
"show installer package_status" command reads the information about the status of software updates from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer package_status
Check_Point_GIZMO_DUMMY_002_Bundle.tgz - Available for install
R77.tgz - Available for download
R75.40_2.tgz - Available for download
R76_GA.tgz - Available for download
HostName:0>
Information about the files that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
To download a software update in Clish:
Example:
HostName:0> installer download
List of available packages for download:
[1]. R75.40 - R75.40_2.tgz (804.64 MB) - R75.40
[2]. R77 - R77.tgz (1.10 GB) - R77 Take 34
[3]. R76_GA - R76_GA.tgz (1.06 GB) - R76
HostName:0>
HostName:0> installer download 2
Initiating download of package 2: R77.tgz (1.10 GB)
HostName:0>
HostName:0> show installer package_status
Check_Point_GIZMO_DUMMY_002_Bundle.tgz - Available for install
R77.tgz - Downloading
R75.40_2.tgz - Available for download
R76_GA.tgz - Available for download
HostName:0>
"Latest build of CPUSE and What's New" section - added new GA Build 2229
27 July 2022
"Latest build of CPUSE and What's New" section - added new GA Build 2208
10 July 2022
"Latest build of CPUSE and What's New" section - added new GA Build 2205
24 May 2022
"Latest build of CPUSE and What's New" section - added new GA Build 2193
04 May 2022
Improved formatting
"(4-D) "How to ..." section - restored the sub-section "How to download SmartConsole package from Gaia Portal"
21 March 2022
"Latest build of CPUSE and What's New" section - added new GA Build 2176
30 Jan 2022
"Latest build of CPUSE and What's New" section - added new GA Build 2154
14 Dec 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2140
14 Nov 2021
"(6) Limitations, Troubleshooting and Related solutions" - added point #4
07 Oct 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2113
02 Sep 2021
Updating screenshots and removed documentation for unsupported versions (77.10 and below)
24 Aug 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2101
08 Jul 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2084
18 Apr 2021
"(6) Limitations, Troubleshooting and Related solutions" - added a Troubleshooting scenario #3
11 Apr 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2047
07 Feb 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2019
14 Dec 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1999
25 Nov 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1986
28 Oct 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1976
23 Sep 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1959
10 Sep 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1935
20 Aug 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1931
19 Jul 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1928
30 Jun 2020
Updated (6) Troubleshooting
18 Jun 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1905
16 Apr 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1889
16 Feb 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1865
09 Feb 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1858
16 Jan 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1848
10 Dec 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1832
27 Nov 2019
Added section (4-B-d) Perform a clean install or upgrade of a Blink image
20 Nov 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1818
03 Oct 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1786
19 Aug 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1751
11 Aug 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1731
16 July 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1728
01 July 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1722
05 June 2019
Added a note that CPUSE package is not compatible with R80.20SP
14 May 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1677
01 May 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1676
31 Mar 2019
Updated setion 4C - "How to uninstall a CPUSE package"
26 Mar 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1671
17 Mar 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1669
23 Jan 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1580
28 Nov 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1577
29 Sep 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1573
26 Sep 2018
Added link to R80.20 Gaia Administration Guide
15 July 2018
Added R80.20 to Versions list
25 June 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1511
24 June 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1510
14 June 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1508
06 May 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1483
08 Apr 2018
Updated Section (2) System requirements and limitations, item G.
12 Feb 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1439
02 Jan 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1418
26 Nov 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1405
10 Oct 2017
Corrected the import instructions in Gaia Portal - correct the name of the button from "Upload" to "Import".
08 Oct 2017
Renamed the "Latest build of CPUSE and What's New" section to the "Download the latest build of CPUSE Agent and What's New".
24 Sep 2017
"Latest build of CPUSE and What's New" section - "(3-D) History of older CPUSE Agent builds" subsection - updated the text to show that build 1130 is integrated into R80 GA version.
27 Aug 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1298.
23 Aug 2017
"Troubleshooting and Related solutions" section - added sk104479.
17 Aug 2017
"Troubleshooting and Related solutions" section - added sk119993.
16 Aug 2017
"Troubleshooting and Related solutions" section - added sk119954.
24 July 2017
"Latest build of CPUSE and What's New" section - added a note that restarting the ConfD daemon should be performed during a maintenance window.
06 July 2017
"System requirements and limitations" section - updated a note that on VSX R80.10, any package can be installed using CPUSE.
27 June 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1294.
21 June 2017
Updated the instructions for importing a package in Gaia Portal (by clicking on the Import Package button on the main page).
Added link to R80.10 Gaia Administration Guide.
16 June 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1293.
18 May 2017
Added R80.10 version to the article.
25 Apr 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1283.
04 Apr 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1278.
28 Mar 2017
Updated the title of this article from "CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)" to "Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent".
"Latest build of CPUSE and What's New" section - added the Build 1272 back.
20 Mar 2017
"Latest build of CPUSE and What's New" section - temporarily reverted from Build 1272 to the previous Build 1130.
15 Mar 2017
Added the applicable screenshots for "Verifier" results.
13 Mar 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1272.
11 Feb 2017
"Troubleshooting and Related solutions" section - added sk114592.
05 Feb 2017
"Troubleshooting and Related solutions" section - added sk115719.
15 Jan 2017
"Troubleshooting and Related solutions" section - added sk115515.
31 Dec 2016
"(4-A) "How to ..." section - improved import instructions for Offline procedure in Gaia Portal.
"Troubleshooting and Related solutions" section - added sk111158, sk115243.
19 Nov 2016
"(4-A) "How to ..." section - improved notes about VSX mode.
"(4-B) "How to ..." section - improved notes about VSX mode.
"(4-B) "How to ..." section - "(4-B-b)" subsection - added a list of files that are copied by CPUSE during an upgrade to a Major Version.
14 Nov 2016
"(4-D) "How to ..." section - improved notes.
03 Nov 2016
"System requirements and limitations" section - added clarifications about the required license and contract.
02 Oct 2016
"Latest build of CPUSE and What's New" section - added new Build 1130.
"System requirements and limitations" section - added instructions for allowing CPUSE to work with Check Point cloud.
29 Jan 2015
"System requirements and limitations" section - updated the information that option "Automatically download Contracts and other important data (Recommended)" should be enabled in SmartDashboard.
05 Oct 2014
Added description for Gaia Software Updates Agent version from 710 to 747.
11 Sep 2014
"Overview" - "Description" section - added a note that CPuse mechanism supports deployment of Major Versions (starting from build 502).
19 Aug 2014
"Software Updates Notifications" section - updated the information.
Updated the notes for "set installer" commands.
24 July 2014
Added a note about the "ping" syntax in $DADIR/bin/connection_test.sh script if Gaia machine is disconnected from the Internet.
15 June 2014
"Related solutions" section - added this new section.
12 May 2014
Updated the information about the "Import" operation in Gaia Portal.
17 Mar 2014
Improvements in HTML design.
26 Jan 2014
Added notes about importing an image / package.
Modified manual installation instructions.
12 Dec 2013
Added description for Gaia Software Updates Agent versions from 502 to 615.
03 Mar 2013
First release of this document.
Give us Feedback
Thanks for your feedback!
Are you sure you want to rate this stars?
- Information
- Success
- Warning
- Error
