Check Point Update Service Engine (CPUSE), also known as Gaia Software Updates [Agent], is an advanced and intuitive mechanism for software deployment on Gaia OS, which supports deployments of single HotFixes (HF), of HotFix Accumulators (HFA), and of Major Versions.
Gaia Software Updates offers a Smarter, Faster and Safer deployment solution:
Smarter
Discover only relevant software updates
Reboot only if required
Auto authentication with Download Center
View hierarchy of software updates
E-mail notification for new updates
Faster
Fast download (smaller package size)
Fast installation
Short down time
Safer
Upgrade to next Major Version is performed on a new disk partition and preserves Gaia OS configuration
Valid license has to be installed on the target machine.
Valid Software Subscription or Technical Support Contract has to be associated with the license.
The Contract File must be installed on the target machine. Please allow up to 24 hours after installing the Contract File before using CPUSE.
Notes:
There is a 30 days grace period upon first installation/activation of the Gaia Software Updates Agent, during which no license is needed at all.
Evaluation License is not enough to enable Gaia Software Updates. A real valid support license is required. Access to Check Point Download Server is available via subscription only. An Evaluation License is not sufficient to grant download access from the User Center.
B
Connection to the Internet
Gaia machine should be connected to the Internet:
To perform online self-update of CPUSE Agent
To obtain Software Updates from Check Point Cloud
Note: The option "Automatically download Contracts and other important data (Recommended)" should be enabled per sk94508 (SmartConsole - "Policy" menu - "Global Properties" - "Security Management Access").
Manual offline installation of CPUSE packages is available if Gaia machine is disconnected from the Internet.
C
CPUSE communication with Check Point cloud
To allow CPUSE to communicate with Check Point cloud, follow the steps below in SmartDashboard.
An explicit firewall rule has to be created in the following scenarios:
#
Scenario description
Which explicit firewall rule to create
Traffic Source
Traffic Destination
Traffic proto / ports
Where to install / apply the explicit rule
1
Check Point Security Gateway running on Gaia OS, which must connect to Check Point cloud.
Implied rule "Accept outgoing packets originating from Gateway" is disabled in Policy menu - Global Properties... - FireWall pane.
Create an explicit firewall rule for this Check Point Security Gateway (see procedure below) to allow the communication between CPUSE on this Check Point Security Gateway and Check Point cloud.
Check Point Security Gateway
Check Point domains
Relevant HTTP / HTTPS / DNS traffic
Check Point Security Gateway
2
Perimeter Check Point Security Gateway that protects internal Check Point machine running on Gaia OS, which must connect to Check Point cloud.
Create an explicit firewall rule for the Perimeter Check Point Security Gateway (see procedure below) to allow the communication between CPUSE on internal Check Point machine and Check Point cloud.
Internal Check Point machine
Check Point domains
Relevant HTTP / HTTPS / DNS traffic
Perimeter Check Point Security Gateway
3
Perimeter non-Check Point FireWall that protects Check Point machine running on Gaia OS, which must connect to Check Point cloud.
Create an explicit firewall rule (for reference, see procedure below) for this non-Check Point FireWall to allow the communication between CPUSE on internal Check Point machine and Check Point cloud.
Internal Check Point machine
Check Point domains
Relevant HTTP / HTTPS / DNS traffic
Perimeter non-Check Point FireWall
Procedure for Check Point Security Gateway:
Note: For non-Check Point FireWall, the equivalent rule must be created. Related solution: sk83520.
Create the following Domain objects for Check Point domains and for Akamai domain (note the dot in the beginning:
.updates.checkpoint.com
.updates.g01.checkpoint.com
.gwevents.checkpoint.com
.gwevents.us.checkpoint.com
.deploy.static.akamaitechnologies.com
Instructions:
Go to "Manage" menu - click on "Network Objects..."
Click on "New..." button - select "Domain..."
In the "Name" field, paste the name of the domain listed above (note the dot in the beginning) and click on "OK".
Repeat Steps i-iii for all domains listed above.
Click on "Close" button.
Create the following Firewall security rule for the involved Security Gateway (use predefined services):
Important Note: Rules with Domain Objects should be located as low as possible in the rulebase.
For Scenario #1 - Check Point Security Gateway running on Gaia OS (and implied rule "Accept outgoing packets originating from Gateway" is disabled)
SOURCE
DESTINATION
SERVICE
ACTION
INSTALL ON
Check Point Security Gateway
.updates.checkpoint.com
.updates.g01.checkpoint.com
.gwevents.checkpoint.com
.gwevents.us.checkpoint.com
.deploy.static.akamaitechnologies.com
http
https
HTTP_and_HTTPS_proxy
domain-udp
Accept
Check Point Security Gateway
For Scenario #2 - Perimeter Check Point Security Gateway that protects internal Check Point machine
SOURCE
DESTINATION
SERVICE
ACTION
INSTALL ON
Internal Check Point machine
.updates.checkpoint.com
.updates.g01.checkpoint.com
.gwevents.checkpoint.com
.gwevents.us.checkpoint.com
.deploy.static.akamaitechnologies.com
http
https
HTTP_and_HTTPS_proxy
domain-udp
Accept
Perimeter Check Point Security Gateway
Install the policy onto involved Security Gateway.
D
CPUSE Agent update to the latest version
On online Gaia machine (that is connected to the Internet):
CPUSE Agent must always be updated to the latest available version before being able to perform any action.
It is recommended to leave the default CPUSE Agent policy set to "Periodically update new Deployment Agent version (recommended)".
On offline Gaia machine (that is disconnected from the Internet), it is strongly recommended to always update the CPUSE Agent to the latest available build.
E
Upgrade
Upgrade to a higher Major Version (e.g., from R76 to R77.X) using CPUSE will not be available on these machines/appliances:
On Security Gateway in VSX mode, upgrade via CPUSE is supported only from R77 / R77.10 / R77.20 / R77.30 to R80.10 and higher.
Major Upgrade using CPUSE on IP Appliances running Gaia OS is supported only in Clish.
F
Free disk space
To import a CPUSE package, the /var/log/ partition on Gaia OS must have enough free disk space - at least twice the size of the package you want to import.
To see the amount of available disk space in /var/log/ partition, run the following command in Expert mode:
[Expert@Gaia:0]# df -h | grep -E "Avail|/var/log"
Filesystem Size Used Avail Use% Mounted on
11G 286M 9.9G 3% /var/log
[Expert@Gaia]#
To upgrade to a higher Major Version, or to perform Clean Installation using CPUSE, machine must have enough unallocated (unpartitioned) disk space - at least as the size of the root partition.
Run the following commands in Expert mode:
Check the size of the "root" partition:
[Expert@HostName:0]# df -h | grep -E "Avail|\/$"
Example:
[Expert@Gaia:0]# df -h | grep -E "Avail|\/$"
Filesystem Size Used Avail Use% Mounted on
17G 9.1G 6.6G 59% /
[Expert@Gaia]#
Check the amount of unallocated (unpartitioned) disk space:
(4-A) How to work with CPUSE - How to download and import a CPUSE package
Show this sub-section
Important Note: After the desired CPUSE package is downloaded / imported, proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The online procedure in Gaia Portal can be used in the following cases:
Gaia machine is connected to the Internet (meaning, full access to Check Point Cloud - refer to section "System requirements and limitations" - requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
CPUSE package is available on the Check Point Cloud.
Gaia machine is not running in VSX Mode (in which case, Gaia Portal is not available).
Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section - click on Status and Actions page.
All packages are displayed in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package - check whether this package can be installed without conflicts:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test should be:
Installation is allowed
Upgrade is allowed
Examples:
For Hotfix package:
For Minor / Major Version:
Download the package in relevant category:
Note: The download progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
Category
Instructions
Hotfixes
Option 1 - only download the package:
Select the package.
Download the package:
Either select the package - click on More button on the toolbar, and click on Download:
Or right-click on the package and click on Download:
You can pause the download at any time:
Either select the package and click on Pause button on the toolbar:
Or right-click on the package and click on Pause:
The status of the package will change to "Pausing Download" and then to "Partially Downloaded":
You can resume the download at any time:
Either select the package and click on Resume button on the toolbar:
Or right-click on the package and click on Resume:
The status of the package will change to "Resuming Download" and then to "Downloading":
Option 2 - download and install the package in one step:
Either select the package and click on Install Update button on the toolbar:
Or right-click on the package and click on Install Update:
Minor Versions (HFAs) and Major Versions
Select the package.
Download the package:
Either select the package - click on Download button on the toolbar:
Or right-click on the package and click on Download:
You can pause the download at any time:
Either select the package and click on Pause button on the toolbar:
Or right-click on the package and click on Pause:
The status of the package will change to "Pausing Download" and then to "Partially Downloaded":
You can resume the download at any time:
Either select the package and click on Resume button on the toolbar:
Or right-click on the package and click on Resume:
The status of the package will change to "Resuming Download" and then to "Downloading":
Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page.
Notes:
Currently, only the following keys are supported in this field: Left/Right arrow, Delete, Backspace.
Downloading the hotfix by its URL is not supported.
Packages that are not suitable for this machine, will not be available (e.g., if some Take of a Jumbo Hotfix Accumulator is installed, then Takes lower than the current Take will not be available).
Examples:
Example #1
Example #2
Copy the hotfix name from Download Page on Check Point site:
Paste the hotfix name in the pop-up search window:
CPUSE Identifier of a Jumbo Hotfix Accumulator is: Check_Point_R77_20_JUMBO_HF_1_Bundle_T23.tgz:
Click on the magnifying glass icon to start the search.
Example:
When the package is found, it will be displayed as a link along with its title and release date.
Example:
Click on the package to add it to the list of available packages.
Example:
The package will be added with status Available for Download, and the filter will automatically change to show all packages.
Verify the package - check whether this package can be installed without conflicts:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test should be:
Installation is allowed
Upgrade is allowed
Examples:
For Hotfix package:
For Minor / Major Version:
Download the package:
Note: The download progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
Option 1 - only download the package:
Option 2 - download and install the package in one step:
Select the package.
Download the package:
Either select the package - click on More button on the toolbar, and click on Download:
Or right-click on the package and click on Download:
You can pause the download at any time:
Either select the package and click on Pause button on the toolbar:
Or right-click on the package and click on Pause:
The status of the package will change to "Pausing Download" and then to "Partially Downloaded":
You can resume the download at any time:
Either select the package and click on Resume button on the toolbar:
Or right-click on the package and click on Resume:
The status of the package will change to "Resuming Download" and then to "Downloading":
Either select the package and click on Install Update button on the toolbar:
Or right-click on the package and click on Install Update:
If you only downloaded the package (without installing it), then proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The online procedure in Gaia Clish can be used in the following cases:
Gaia machine is connected to the Internet (meaning, full access to Check Point Cloud - refer to section "System requirements and limitations" - requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
CPUSE package is available on the Check Point Cloud.
If this Gaia machine is running in VSX Mode, then refer to section "(2) System requirements and limitations" - subsection "G. VSX Gateways".
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Check the available packages (run the relevant command):
HostName:0> show installer packages recommended
HostName:0> show installer packages available-for-download
HostName:0> show installer package[press Space key][press Tab key] HostName:0> show installer package <Package_Number>
Download the desired package from the Check Point Cloud:
Note: The download progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page.
Note: Packages that are not suitable for this machine, will not be available.
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:
Examples:
Example #1
Example #2
Copy the hotfix name from Download Page on Check Point site:
Use the hotfix name in the syntax
CPUSE Identifier of a Jumbo Hotfix Accumulator is: Check_Point_R77_20_JUMBO_HF_1_Bundle_T23.tgz
Show the imported packages:
HostName:0> show installer packages imported
Verify the package - check whether this package can be installed without conflicts:
The offline import procedure in Gaia Portal can be used in the following cases:
Gaia machine is disconnected from the Internet (meaning, no access to Check Point Cloud).
CPUSE package is not available on the Check Point Cloud.
Although Gaia machine is connected to the Internet, administrator wishes to manually import a CPUSE package instead of downloading it from Check Point Cloud.
Gaia machine is not running in VSX Mode (in which case, Gaia Portal is not available).
Notes:
Starting from R81, the installed offline packages must be .tar files.
Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to section "(4) How to work with CPUSE" - "(D) Additional information about Gaia Clish commands and Gaia Portal actions for CPUSE" - "Show / Hide how to export a CPUSE package in Gaia Portal".
Requirements for free disk space exist.
For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Import procedure for Offline CPUSE package / Exported CPUSE package:
Make sure you have the relevant CPUSE offline package (TGZ file) / exported package (TAR file).
Connect to Gaia Portal on the target Gaia OS.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section - click on Status and Actions page.
In the upper right corner, click on the Import Package button:
In the Import Package window, click on Browse... - select the CPUSE offline package (TGZ file) / exported package (TAR file) - click on Import.
Note: If the following error is displayed, then wrong package was uploaded (contact Check Point Support for assistance):
Import Failed Cannot import package <Name_of_File>. It is not a valid CPUSE package. Refer to the package's official documentation to get a list of compatible machines. For more information, contact Check Point Technical Services.
Example:
Popup at the bottom:
Event Log entry:
Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):
Verify the imported package - check whether this package can be installed without conflicts:
Either select the imported package - click on the More button on the toolbar - click on Verifier:
Or right-click on the imported package - click on Verifier:
Result of this test should be:
Installation is allowed
Upgrade is allowed
Examples:
For Hotfix package:
For Minor / Major Version:
Proceed to sub-section "(4-B) How to work with CPUSE - How to install a CPUSE package".
The offline import procedure in Gaia Clish can be used in the following cases:
Gaia machine is disconnected from the Internet (meaning, no access to Check Point Cloud).
CPUSE package is not available on the Check Point Cloud.
Although Gaia machine is connected to the Internet, administrator wishes to manually import a CPUSE package instead of downloading it from Check Point Cloud.
If this Gaia machine is running in VSX Mode, then refer to section "(2) System requirements and limitations" - subsection "H. VSX Gateways".
Notes:
Starting from R81, the installed offline packages must be .tar files.
Requires CPUSE build 802 and higher.
Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to section "(4) How to work with CPUSE" - "(D) Additional information about Gaia Clish commands and Gaia Portal actions for CPUSE" - "Show / Hide how to export a CPUSE package in Gaia Portal".
Requirements for free disk space exist.
For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Import procedure for Offline CPUSE package / Exported CPUSE package:
Make sure you have the relevant CPUSE offline package (TGZ file) / exported package (TAR file).
Transfer the CPUSE offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_package/).
Connect to command line on the target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR>
Example: HostName:0> installer import local /var/log/path_to_pkg/Check_Point_Hotfix_R77.tgz
Show the imported packages:
HostName:0> show installer packages imported
Verify the package - check whether this package can be installed without conflicts:
All packages are displayed in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test should be:
Installation is allowed
Examples:
Install the package:
Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
Either select the package and click on Install Update button on the toolbar:
Or right-click on the package and click on Install Update:
Machine is rebooted automatically (only if required so by the installed hotfix).
All packages are displayed in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test should be:
Installation is allowed
Examples:
Install the package:
Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
Either select the package and click on Install Update button on the toolbar:
Or right-click on the package and click on Install Update:
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Display the downloaded / available for install packages:
HostName:0> show installer packages
Example from R77.10:
HostName:0> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
Check_Point_Hotfix_R77_10_sk102673.tgz Available for Install
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Display name Status
Check_Point_R77.10.tgz Installed
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Status
Check_Point_R77.tgz Installed
HostName:0>
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Result: Installation is allowed
Status: Available for Install
Install the desired package:
Note: The installation progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page.
HostName:0> installer install[press Space key][press Tab key]
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Num Display name Type
1 Check_Point_Hotfix_R77_10_sk102673.tgz Hotfix
HostName:0> installer install 1
Initiating install of Check_Point_Hotfix_R77_10_sk102673.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Package Check_Point_Hotfix_R77_10_sk102673.tgz was installed successfully.
Status: Installing (100%)
Machine is rebooted automatically (only if required so by the installed hotfix).
Note: If machine was not rebooted by the installed package, it might be necessary to connect to command line and to manually run the cpstart / mdsstart command.
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Display the downloaded / available for install packages:
HostName:0> show installer packages
Example from R77 being upgraded to R77.10:
HostName:0> show installer packages
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Display name Type
Check_Point_R77.10.tgz HFA
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Type
Check_Point_R77.tgz Major Version
HostName:0>
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Note: Once you see "Extracting Bundle", press CTRL+C.
Example from R77 being upgraded to R77.10:
HostName:0> installer install[press Space key][press Tab key]
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Num Display name Type
1 Check_Point_R77.10.tgz HFA
HostName:0> installer install 1
Initiating install of Check_Point_R77.10.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Extracting Bundle: 1%
Get the Package Number of the package being installed:
HostName:0> show installer package[press Space key][press Tab key]
Example from R77 being upgraded to R77.10:
HostName:0> show installer package[press Space key][press Tab key]
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Num Display name Type
1 Check_Point_R77.10.tgz HFA
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
2 Check_Point_R77.tgz Major Version
HostName:0>
Monitor the installation progress:
Repeatedly run this command and refer to the "Status" line:
HostName:0> show installer package <Package_Number>
Important Note: Existing OS settings and the Check Point Database are preserved during this procedure.
Notes:
Requirements for free disk space and limitations in VSX mode exist.
Upgrade to a Major version is performed on a new hard disk partition, and the "old" partition is converted into Gaia Snapshot (the new partition space is taken from the un-partitioned space on the hard disk.
During an upgrade to a Major version, the CPUSE Agent copies the following files from the current version to the target version:
The current $CPDIR/database/*authkeys.C files are copied to the target $CPDIR/database/ directory
The current $FWDIR/lib/user.def file is copied to the target $FWDIR/lib/ directory
The current $FWDIR/lib/user_early.def file is copied to the target $FWDIR/lib/ directory
The current $FWDIR/lib//defaultfilter.boot file is copied to the target $FWDIR/conf/defaultfilter.pf file
The current /etc/fw.boot/ha_boot.conf file is copied to the target /etc/fw.boot/ directory
The current /etc/fw.boot/modules/fwkern.conf file is copied to the target /etc/fw.boot/modules/ directory
The current /etc/ppk.boot/boot/modules/sim_aff.conf file is copied to the target /etc/ppk.boot/boot/modules/ directory
All packages are displayed in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test should be:
Installation is allowed
Upgrade is allowed
Examples:
Install the package:
Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
Either select the package and click on Upgrade button on the toolbar:
Example:
Or right-click on the package and click on Upgrade:
CPUSE shows the following warning over Gaia Portal:
After this upgrade, there will be an automatic reboot. (Existing OS settings and the Check Point Database are preserved.)
Machine is rebooted automatically.
If you connect to command line and log in, the following notification from CPUSE will be displayed above the prompt:
Upgrade is still running. Log in to the Status and Actions page to see the progress.
Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
CPUSE shows the following pop-up over Gaia Portal:
"Upgrade is still running. Log in to the Status and Actions page to see the progress."
Example:
Navigate to Upgrades (CPUSE) section - click on Status and Actions page.
Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):
You will see the relevant progress (no need to refresh the page).
Example from R75.46 Security Management Server being upgraded to R77:
Upgrading Products
Example:
Importing Database
Example:
Configuring Products
Creating SIC Data
Stopping Processes
Example:
Starting Processes
Installed, self-test passed
Example:
Manually install the policy:
If you upgraded a Security Management Server / Multi-Domain Security Management Server, then install the policy onto all managed Security Gateways / Clusters.
If you upgrade a Security Gateway / Cluster Members, then install the policy on this Security Gateway / Cluster.
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Display the downloaded / available for install packages:
HostName:0> show installer packages
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
HOTFIX_R75.46 Installed (Legacy)
R75.46 Installed (Legacy)
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Status
Check_Point_R77.tgz Available for Install
HostName:0>
HostName:0> show installer packages downloaded
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Type
Check_Point_R77.tgz Major Version
HostName:0>
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Note: Once you see "Validating Install", press CTRL+C.
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> installer upgrade[press Space key][press Tab key]
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
1 Check_Point_R77.tgz Major Version
HostName:0> installer upgrade 1
The machine will automatically reboot after installation (y/n) [n] y
Initiating upgrade of Check_Point_R77.tgz...
Note: After this upgrade, there will be an automatic reboot.
Existing OS settings and the Check Point Database are preserved.
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Validating Install: 5%
Get the Package Number of the package being installed:
HostName:0> show installer package[press Space key][press Tab key]
Example from R75.46 being upgraded to R77:
HostName:0> show installer package[press Space key][press Tab key]
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Num Display name Type
1 R75.46 Legacy Mini-Wrapper
2 HOTFIX_R75.46 Legacy Mini-Wrapper
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
3 Check_Point_R77.tgz Major Version
HostName:0>
Monitor the installation progress:
Repeatedly run this command and refer to the "Status" line:
HostName:0> show installer package <Package_Number>
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> show installer package 3
Display name: Check_Point_R77.tgz
Description: No Description
Size: 1.18 GB
Type: Major Version
Status: Installing (13%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2016
Imported on: N/A
Installed on: N/A
Installation log: /opt/CPInstLog//install_Major_R77.log
HostName:0>
... ... ...
HostName:0> show installer package 3
... ... ...
HostName:0> show installer package 3
Display name: Check_Point_R77.tgz
Description: No Description
Size: 1.18 GB
Type: Major Version
Status: Installing (100%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2016
Imported on: N/A
Installed on: Thu Mar 3 20:31:53 2016
Installation log: /opt/CPInstLog//install_Major_R77.log
HostName:0>
Machine is rebooted automatically.
If you connect to command line and log in, the following notification from CPUSE will be displayed above the prompt:
Upgrade is still running. Log in to the Status and Actions page to see the progress.
Connect to Gaia Portal and obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
CPUSE shows the following pop-up over Gaia Portal:
"Upgrade is still running. Log in to the Status and Actions page to see the progress."
Example:
Navigate to Upgrades (CPUSE) section - click on Status and Actions page.
Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):
You will see the relevant progress (no need to refresh the page).
Example from R75.46 Security Management Server being upgraded to R77:
Upgrading Products
Example:
Importing Database
Example:
Configuring Products
Creating SIC Data
Stopping Processes
Example:
Starting Processes
Installed, self-test passed
Example:
Manually install the policy:
If you upgraded a Security Management Server / Multi-Domain Security Management Server, then install the policy onto all managed Security Gateways / Clusters.
If you upgrade a Security Gateway / Cluster Members, then install the policy on this Security Gateway / Cluster.
All packages are displayed in categories and by default are filtered to view recommended packages only.
Note: Use the filter button near the help icon and select the packages you wish to see:
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test should be:
Installation is allowed
Upgrade is allowed
Examples:
Install the package:
Note: The installation progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
Either select the package and click on Clean Install button on the toolbar.
Example:
Or right-click on the package and click on Clean Install:
Machine is rebooted automatically.
Connect to Gaia Portal and complete the First Time Configuration Wizard.
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Display the downloaded / available for install packages:
HostName:0> show installer packages
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
HOTFIX_R75.46 Installed (Legacy)
R75.46 Installed (Legacy)
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Status
Check_Point_R77.tgz Available for Install
HostName:0>
HostName:0> show installer packages downloaded
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Display name Type
Check_Point_R77.tgz Major Version
HostName:0>
Verify the package (if you have not done it yet) - check whether this package can be installed without conflicts:
Note: Once you see "Validating Install", press CTRL+C.
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> installer install[press Space key][press Tab key]
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
1 Check_Point_R77.tgz Major Version
HostName:0> installer install 1
The machine will automatically reboot after installation (y/n) [n] y
Initiating install of Check_Point_R77.tgz...
Note: This installs a new machine.
Existing OS settings and the Check Point Database will be overwritten.There will be an automatic reboot.
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Validating Install: 5%
Get the Package Number of the package being installed:
HostName:0> show installer package[press Space key][press Tab key]
Monitor the installation progress:
Repeatedly run this command and refer to the "Status" line:
HostName:0> show installer package <Package_Number>
Example from R75.46 being upgraded to R77 (clean install):
HostName:0> show installer package 3
Display name: Check_Point_R77.tgz
Description: No Description
Size: 1.18 GB
Type: Major Version
Status: Installing (13%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2016
Imported on: N/A
Installed on: N/A
Installation log: /opt/CPInstLog//install_Major_R77.log
HostName:0>
... ... ...
HostName:0> show installer package 3
... ... ...
HostName:0> show installer package 3
Display name: Check_Point_R77.tgz
Description: No Description
Size: 1.18 GB
Type: Major Version
Status: Installing (100%)
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Thu Mar 3 19:56:01 2016
Imported on: N/A
Installed on: Thu Mar 3 20:06:30 2016
Installation log: /opt/CPInstLog//install_Major_R77.log
HostName:0>
Machine is rebooted automatically.
Connect to command line on Gaia machine.
Log in.
Gaia OS prompts to run the First Time Configuration Wizard.
Example from R75.46 being upgraded to R77 (clean install):
login as: admin
This system is for authorized use only.
admin@172.30.41.100's password:
Last login: Thu Mar 3 13:08:47 2016
In order to configure your system, please access the Web UI and finish the First Time Wizard.
gw-aa7bc3>
gw-aa7bc3> show installer package[press Space key][press Tab key]
** ************************************************************************* **
** Majors **
** ************************************************************************* **
Num Display name Type
1 Check_Point_R77.tgz Major Version
gw-aa7bc3> show installer package 1
Display name: Check_Point_R77.tgz
Description: No Description
Size: 1.18 GB
Type: Major Version
Status: Installed
Requires reboot: Yes
Recommended: No
Contains: None
Contained-in: None
Downloaded on: N/A
Imported on: N/A
Installed on: N/A
Installation log: N/A
gw-aa7bc3>
Connect to Gaia Portal and complete the First Time Configuration Wizard.
Blink packages installation is similar to the Major installation
All packages are displayed in categories and by default are filtered to view recommended packages only. Note: Use the filter button near the help icon and select the packages you wish to see:
Find the relevant package under Blink section in CPUSE packages list:
For offline packages, manually import the package to CPUSE by clicking on Import Package on the top-right corner of the page:
To download a package from the list, right-click on the relevant package that is ‘Available for Download’ and click on Download
After the download completed, right-click on the package and click on Clean Install or Upgrade (if available):
Installation/Upgrade will start and you can follow the installation via CPUSE WebUI or CLI.
(4-C) How to work with CPUSE - How to uninstall a CPUSE package
If a Hotfix / Minor Version package was installed using Legacy CLI, then it can be uninstalled using the CPUSE.
If a Hotfix / Minor Version package was installed using CPUSE, then it must be uninstalled using CPUSE.
When running CPUSE Agent build 1005 and lower:
If a Hotfix / Minor Version package was installed using CPUSE, then it must be uninstalled using CPUSE.
If a Hotfix / Minor Version package was installed using Legacy CLI, then it must be uninstalled using Legacy CLI.
To uninstall a Major Version, machine should be reverted to the previous snapshot.
Where to uninstall
How to uninstall
Gaia Portal
Either select the package - click on More button on the toolbar, and click on Uninstall: (Note: Machine is rebooted automatically)
Example:
Or right-click on the package and click on Uninstall: (Note: Machine is rebooted automatically)
You will get uninstall options window. The available uninstall options are to uninstall the last Jumbo HFA Take and to uninstall completely if there were more than one Take installed:
Gaia Clish
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Show the installed packages:
HostName:0> show installer packages installed
Uninstall the desired package:
HostName:0> installer uninstall[press Space key][press Tab key] HostName:0> installer uninstall <Package_Number> [press Space key][press Tab key]
INFO: This package is installed on top of Jumbo HFA Take 154
Select one of the following uninstall options: completely - After uninstall, there is no version of the package installed on your machine last-take - Only the latest Jumbo HFA Take is uninstalled. The previously installed Jumbo HFA Take remains on your machine
Machine is rebooted automatically (if required so by the uninstalled package).
HostName:0> show installermail-notifications - Show mail notifications for user
package - Show information about a specific package
packages - Show packages information
policy - Show policies configurations
status - Show status
HostName:0>
where the full syntax is:
HostName:0> show installer mail-notifications {<e-mail> | <user_number>} Shows for which categories mail notifications were configured for specific user
Specific commands:
HostName:0> show installer mail-notifications <e-mail>
HostName:0> show installer mail-notifications[press Space key][press Tab key] HostName:0> show installer mail-notifications <user_number>
HostName:0> show installer package <Package_Number> Shows complete information about a specific package (name, size, status, what packages it contains, etc.)
HostName:0> show installer packages {all} Shows brief information (name and status) about all packages in all categories
HostName:0> show installer packages available-for-download Shows only packages with status "Available for Download" and "Partially Downloaded" HostName:0> show installer packages downloaded Shows only packages with status "Downloaded" HostName:0> show installer packages imported Shows only packages that were imported HostName:0> show installer packages installed Shows only packages that were installed HostName:0> show installer packages recommended Shows only recommended packages
HostName:0> show installer policy {all} Shows CPUSE policy (how often to check for updates, which self tests to perform, etc.)
HostName:0> show installer policy check-for-updates-period Shows how often CPUSE Agent checks for packages updates HostName:0> show installer policy downloads Shows download policy for "Hotfixes" (automatic / manual / scheduled) HostName:0> show installer policy periodically-self-update Shows if CPUSE Agent will periodically check for newer CPUSE builds HostName:0> show installer policy self-test {all | auto-rollback | install-policy | network-link-up | start-processes} Shows which sanity tests CPUSE Agent performs after installing a CPUSE package HostName:0> show installer policy send-cpuse-data Shows if CPUSE Agent sends statistics to Check Point about about download and installation of packages
HostName:0> show installer status {all} Shows CPUSE Agent status (enabled or not, build, license, connected or not, etc.)
HostName:0> show installer status agent Shows if CPUSE Agent is enabled or not HostName:0> show installer status build Shows CPUSE Agent build HostName:0> show installer status connection Shows if CPUSE Agent is connected or not HostName:0> show installer status license Shows if license for CPUSE Agent is valid or not HostName:0> show installer status update-from-cloud Shows when CPUSE Agent perform last check for new relevant CPUSE packages
HostName:0> set installermail-notifications - Set mail notifications policy
policy - Set policies
HostName:0>
where the full syntax is:
HostName:0> set installer mail-notifications {<e-mail> | <user_number>} {download-status | install-status | new-available-packages} {on | off} Defines for which categories CPUSE Agent sends mail notifications to specific user
Specific commands:
HostName:0> set installer mail-notifications <e-mail> download-status {on | off} or HostName:0> set installer mail-notifications[press Space key][press Tab key] HostName:0> set installer mail-notifications <user_number> download-status {on | off} Configures CPUSE Agent whether to send mail notifications to specific user when packages are available for download
HostName:0> set installer mail-notifications <e-mail> install-status {on | off} or HostName:0> set installer mail-notifications[press Space key][press Tab key] HostName:0> set installer mail-notifications <user_number> install-status {on | off} Configures CPUSE Agent whether to send mail notifications to specific user when a package was installed
HostName:0> set installer mail-notifications <e-mail> new-available-packages {on | off} or HostName:0> set installer mail-notifications[press Space key][press Tab key] HostName:0> set installer mail-notifications <user_number> new-available-packages {on | off} Configures CPUSE Agent whether to send mail notifications to specific user when new packages are available
Notes:
This setting configures Gaia OS to sent e-mail notifications about Software Updates for following categories:
Download Status
Install Status
New Available Packages
If mail server is not configured yet, then configure the mail server and the root user for that mail server: HostName:0> set mail-notification server <SERVER_HOST_or_IP_ADDRESS> HostName:0> set mail-notification username <ROOT_USER@MAIL_DOMAIN> HostName:0> save config
Currently, it is not possible to view the e-mail notifications settings in Clish (only to configure). To verify the e-mail notifications settings in Expert mode:
Connect to command line on Gaia machine.
Log in to Expert mode.
Check the relevant lines in Gaia configuration database - search for Mail Domain: [Expert@HostName:0]# grep "Configured_Mail_Domain" /config/db/initial Example for "mail.company.com":
If the category was enabled, then the corresponding attribute will appear with value true.
If the category was never enabled, then the corresponding attribute will not appear at all.
If the category was never disabled, then the corresponding attribute will appear with value false.
Download Status
d_status
New Available Packages
available
HostName:0> set installer policy check-for-updates-period <Time_in_Hours> Sets the period, in hours, between checks for available packages in the cloud.
Note: When updating CPUSE Agent from build 839, it is necessary to restart all Clish daemons for this Clish command to become available (does not apply if updating from older CPUSE builds) - refer to section "(3) Download the latest build of CPUSE Agent and What's New" - Step "(3-C) How to manually install the CPUSE Agent package" - Step 5.
Default value = 3 hours
Valid values = 0 - 240 hours (set 0 to disable these checks)
Note: The configured period is saved in Gaia Database in seconds. Example for value of 2 hours:
HostName:0> set installer policy downloads {automatic | manual | scheduled {daily <Time> | monthly <Day> at <Time> | once <date> at <Time> | weekly <Day_of_the_Week> at <Time>} Defines how CPUSE Agent should download "Hotfixes" packages
Specific commands:
HostName:0> set installer policy downloads automatic Configures CPUSE Agent to download packages when they become available
HostName:0> set installer policy downloads manual Configures CPUSE Agent to download packages only manually
HostName:0> set installer policy downloads scheduled daily <Time> HostName:0> set installer policy downloads scheduled monthly <Day> at <Time> HostName:0> set installer policy downloads scheduled once <date> at <Time> HostName:0> set installer policy downloads scheduled weekly <Day_of_the_Week> at <Time> Configures CPUSE Agent to download packages based on a schedule
These settings control how to download CPUSE packages of "Hotfixes" (does not apply to "Minor Versions (HFAs)" / "Major Versions" packages):
automatic
If enabled, CPUSE Agent downloads packages when they become available:
immediately after the Gaia OS boots up
each time "Status and Actions" page is accessed in Gaia Portal
every time period defined with "set installer policy check-for-updates-period <Time_in_Hours>" command
manual
If enabled, CPUSE Agent downloads packages only manually
scheduled
If enabled, CPUSE Agent downloads packages only at a scheduled time
HostName:0> set installer policy periodically-self-update {on | off} Defines if CPUSE Agent should periodically check for and installer newer CPUSE builds
Notes:
If this setting is enabled (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").
If this setting is disabled, then:
If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
The following setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).
HostName:0> set installer policy self-test {auto-rollback | install-policy | network-link-up | start-processes} {on | off} Defines which sanity tests CPUSE Agent performs after installing a CPUSE package
Specific commands:
HostName:0> set installer policy self-test auto-rollback {on | off} HostName:0> set installer policy self-test install-policy {on | off} HostName:0> set installer policy self-test network-link-up {on | off} HostName:0> set installer policy self-test start-processes {on | off}
These settings are used for sanity checks after installing a CPUSE package:
auto-rollback
If enabled, CPUSE runs a fall-back procedure if the installed package fails one of the sanity tests (automatically restores the version that was active before the package was installed and sends a notification that the installation failed)
install-policy
If enabled, CPUSE makes sure that it is possible to install a policy
network-link-up
If enabled, CPUSE makes sure that all the configured network interfaces on the Gaia machine are up
start-processes
If enabled, CPUSE makes sure that Check Point processes are running
HostName:0> set installer policy send-cpuse-data {on | off}
Note: If setting is enabled (default), then Gaia OS sends the following statistics to Check Point about each deployment phase:
enabled features (based on license "CK")
name of the software update
whether the download succeeded
whether the installation/rollback succeeded
whether the uninstall succeeded
build of installed CPUSE Agent
list of installed hotfixes
if an operation on a package failed (e.g., download / installation), then relevant logs and Check Point Registry
This information is collected to monitor and improve the Software Updates on the Check Point Download Center.
HostName:0> installeragent - Perform Deployment agent actions
check-for-updates - Check for new available packages in Check Point cloud
clean-install - Clean install a new major version
delete - Delete package
download - Download package
download-and-install - Download and install package
import - Import package
install - Install package
reinstall - Renstall package
uninstall - Uninstall package
upgrade - Upgrade to a new major version
verify - Verify if package is compatible with this machine
HostName:0>
where the syntax is:
HostName:0> installer agent disable
Disables CPUSE Agent Notes:
This command disables all CPUSE Agent actions
This command survives reboot
This command is used with the "installer agent enable" command Important: Must wait at least 10 seconds after running the "installer agent disable" command and before running the "installer agent enable" command; and vice versa
HostName:0> installer agent enable
Enables CPUSE Agent (if it was disabled with "installer agent disable") Notes:
This command enables all CPUSE Agent actions
This command survives reboot
This command is used with the "installer agent disable" command Important: Must wait at least 10 seconds after running the "installer agent disable" command and before running the "installer agent enable" command; and vice versa
HostName:0> installer agent start
Starts CPUSE Agent (if it was stopped with "installer agent stop") Notes:
This command starts all CPUSE Agent actions
This command survives reboot
This command is used with the "installer agent stop" command Important: Must wait at least 10 seconds after running the "installer agent stop" command and before running the "installer agent start" command; and vice versa
When running this command, the error "NMINST9999 Timeout waiting for response from database server" might appear, although the command worked; if you run this command again, the message "Deployment agent is already running" will appear
HostName:0> installer agent stop
Stops CPUSE Agent Notes:
This command stops all CPUSE Agent actions
This command does not survive reboot
This command is used with the "installer agent start" command Important: Must wait at least 10 seconds after running the "installer agent stop" command and before running the "installer agent start" command; and vice versa
HostName:0> installer agent update [not-interactive] Forces CPUSE Agent to check for and install a newer CPUSE build
HostName:0> installer check-for-updates [not-interactive] Forces CPUSE Agent to check for new available packages in Check Point cloud
HostName:0> installer download {<Package_Number> | <Package_Name>} [pause | resume | not-interactive] Starts the download of the specified CPUSE package
HostName:0> installer download {<Package_Number> | <Package_Name>} not-interactive Starts the download of the specified CPUSE package without waiting for result
HostName:0> installer download {<Package_Number> | <Package_Name>} pause Pauses the download of the specified CPUSE package
HostName:0> installer download {<Package_Number> | <Package_Name>} resume Resumes the download of the specified CPUSE package
HostName:0> installer download-and-install {<Package_Number> | <Package_Name>} [not-interactive] Downloads and installs the specified CPUSE package in "Hotfixes" category in one step
HostName:0> installer import cloud <CPUSE_Identifier> [not-interactive] Imports the specified CPUSE package from Check Point cloud
HostName:0> installer import ftp <IPv4_Address> path <Path> username <Username> [password <Password>] [not-interactive] Imports the specified CPUSE package from an FTP server
HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR> [not-interactive] Imports the specified CPUSE package from a local directory
HostName:0> installer upgrade {<Package_Number> | <Package_Name>} [not-interactive] Starts the upgrade to Major Version using the specified CPUSE package
HostName:0> installer verify {<Package_Number> | <Package_Name>} [not-interactive]} Verifies if the specified CPUSE package can be installed without conflicts
The progress (in per cent) of the download / install / uninstall actions is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
This section (yellow rectangular at the top) shows important static messages - e.g., about CPUSE license, whether a reboot / restart of Check Point services is required.
Important notifications appear for several seconds in status bar at the bottom of Gaia Portal in yellow pop-up (these are important messages and are saved in the CPUSE Agent log files /opt/CPInstLog/DeploymentAgent.log.*).
Example:
To see these important messages, click on the "up arrows" icon on the right side of the status bar pane:
A pop-up window appears:
This window displays the log only for the last 10 minutes.
Events in this window are displayed in the ascending order (the latest event is at the top)
Events in the pop-up are marked by different icons:
Note: To see complete technical details about the operations performed by CPUSE (Gaia Software Updates) Agent, refer to /opt/CPInstLog/DeploymentAgent.log.* files.
The general messages from CPUSE Agent are displayed in the Event Log.
In "Gaia Portal" - go to "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - click on "Status and Actions" page - scroll to the bottom - click on "Event Log" button:
Notes:
This window displays the general messages only for the last 10 minutes.
Events in this window are displayed in the ascending order (the latest event is at the top).
To see the full log file, click on the Save full event log button in the upper right corner. Web browser will save the /opt/CPInstLog/DA_UI.log file to your computer (events in this file appear in the descending order - the latest event is at the bottom).
Events in the pop-up are marked by different icons:
Check Point's software updates and Jumbo Hotfix Accumulators, for security fixes and feature improvement. Released after fixes for issue(s) were developed and tested.
Minor Versions (HFAs)
Maintenance releases on top of major releases. Include the latest fixes released to customers.
Major Versions
Introduce new functionalities and cutting edge innovative technologies to the market while maintaining high product quality.
All packages are displayed in a hierarchy - parent package and its child packages are nested.
Notes (see example screenshots below):
Each category can be collapsed or expanded by clicking on the category title. When clicking on the category title, the explanation about the category is displayed in the right section.
The number of packages in each category appears to the right of the category title (in the end of the line). The displayed number of packages depends on the current filter (see the next bullet).
If there are no available / installed packages in the category, then no number will be displayed.
If all the recommended packages in the category were already installed, then it will show "Aligned with the latest version".
The recommended software updates are marked by a yellow star on the package icon (Note: this yellow star appears only if the Gaia machine is connected to the Internet (this information is obtained from Check Point Cloud).
Software packages that were installed as part of another package (an accumulative hotfix that includes several hotfixes inside, or an HFA that includes several package) will be displayed with status "Installed As Part Of Another Package" and will be grayed out.
Click on a package to see additional information about the package. This information is displayed in the right section. The following items are displayed about the package:
A package that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to be transferred to another Gaia machine (for example, if another Gaia machine is disconnected from the Internet):
Note: Currently, this operation is available only in Gaia Portal.
Export the package in one of these two ways:
Way 1
Way 2
Select the package
Click on More button on the toolbar
Click on Export Package
Right-click on the package
Click on Export Package
The package will be saved on your computer as a special TAR archive file that contains the necessary files.
Note: Either get the offline CPUSE package from Check Point Support, or export the CPUSE package from a source Gaia machine, on which this package was already downloaded / installed (see the instructions how to export a CPUSE package in Gaia Portal). Do not change the package name.
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal on the target Gaia OS.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.
In Gaia R77.20 and higher:
In Gaia R77.10 and lower:
In the upper right corner, click on the Import Package button:
In the Import Package window, click on Browse... - select the CPUSE offline package (TGZ file) / exported package (TAR file) - click on Import.
Note: If the following error is displayed, then wrong package was uploaded (contact Check Point Support for assistance):
Import Failed Cannot import package <Name_of_File>. It is not a valid CPUSE package. Refer to the package's official documentation to get a list of compatible machines. For more information, contact Check Point Technical Services.
Example:
Popup at the bottom:
Event Log entry:
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Transfer the CPUSE offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_package/).
Connect to command line on the target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.<TGZ_or_TAR>
Example: HostName:0> installer import local /var/log/path_to_pkg/Check_Point_Hotfix_R77.tgz
Verify the package to check whether this package can be installed without conflicts:
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.
In Gaia R77.20 and higher:
In Gaia R77.10 and lower:
Initiate the Verifier:
Either select the package - click on the More button on the toolbar - click on Verifier:
Or right-click on the package - click on Verifier:
Result of this test will be displayed in a pop-up.
Installation is allowed
Upgrade is allowed
Examples:
For Hotfix package
For Minor / Major Version
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on the target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
Specific commands: HostName:0> show installer packages available-for-download HostName:0> show installer packages downloaded HostName:0> show installer packages imported HostName:0> show installer packages recommended
Verify the package - check whether this package can be installed without conflicts:
Note: This requires connection to the Internet and to Check Point Cloud (refer to section "System requirements and limitations" - requirement "CPUSE communication with Check Point cloud" above, and to sk83520).
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:
Notes:
Currently, only the following keys are supported in this field: Left/Right arrow, Delete, Backspace.
Downloading the hotfix by its URL is not supported.
Packages that are not suitable for this machine, will not be available.
Example:
Copy the hotfix name from Download Page on Check Point site:
Paste the hotfix name in the pop-up search window:
Click on the magnifying glass icon to start the search:
When the package is found, it will be displayed as a link along with its title and release date.
Example:
Click on the package to add it to the list of available packages.
Example:
The package will be added with status Available for Download and the filter will automatically change to show all packages.
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
Note: Packages that are not suitable for this machine, will not be available.
If you know that the CPUSE package for required hotfix is available on Check Point Download Center, then copy-and-paste the exact name of the regular package for required hotfix as appears in the "File Name" field on the hotfix Download Page:
This setting is used for sanity check after installing a CPUSE package. If this box is checked, then CPUSE runs a fall-back procedure if the installed CPUSE package fails one of the sanity tests enabled in the Self Tests to perform sub-section - CPUSE would automatically restore the version that was active before the CPUSE package was installed and send a notification that the installation failed.
Periodically update new Deployment Agent version (recommended)
If this box is checked (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").
If this box is cleared, then:
Important Messages (yellow section at the top) will show "click here" to download the new version.
If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
The following setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Set the desired CPUSE (Gaia Software Updates) Agent Policy:
HostName:0> set installer policy check-for-updates-period <Time_in_Hours>
Sets the period, in hours, between checks for available packages in the cloud.
Note: When updating CPUSE Agent from build 839, it is necessary to restart all Clish daemons for this Clish command to become available (does not apply if updating from older CPUSE builds) - refer to section "(3) Download the latest build of CPUSE Agent and What's New" - Step "(3-C) How to manually install the CPUSE Agent package" - Step 5.
Default value = 3 hours
Valid values = 0 - 240 hours (set 0 to disable these checks)
Note: The configured period is saved in Gaia Database in seconds. Example for value of 2 hours:
HostName:0> set installer policy downloads {automatic | manual | scheduled {daily <Time> | monthly <Day> at <Time> | once <date> at <Time> | weekly <Day_of_the_Week> at <Time>}
Specific commands: HostName:0> set installer policy downloads automatic HostName:0> set installer policy downloads manual HostName:0> set installer policy downloads scheduled daily <Time> HostName:0> set installer policy downloads scheduled monthly <Day> at <Time> HostName:0> set installer policy downloads scheduled once <date> at <Time> HostName:0> set installer policy downloads scheduled weekly <Day_of_the_Week> at <Time>
These settings control how to download CPUSE packages (applies only to "Hotfixes" packages and to "Minor Versions (HFAs)" packages - and does not apply to "Major Versions" packages):
automatic
If enabled, CPUSE Agent downloads packages when they become available:
immediately after the Gaia OS boots up
each time "Status and Actions" page is accessed in Gaia Portal
every time period defined with "set installer policy check-for-updates-period <Time_in_Hours>" command
manual
If enabled, CPUSE Agent downloads packages only manually
scheduled
If enabled, CPUSE Agent downloads packages only at a scheduled time
HostName:0> set installer policy periodically-self-update {on | off}
Notes:
If this setting is enabled (default), then, if an updated version of CPUSE (Gaia Software Updates) Agent is available for download, Gaia OS downloads it from Check Point Cloud and installs it automatically (CPUSE Agent "self-update").
If this setting is disabled, then:
If administrator attempts to install any other software update, a warning will appear saying that CPUSE (Gaia Software Updates) Agent must be updated first.
The following setting is added to the Gaia Database: installer:self_update_policy_no_permission 1 (this attribute is removed when this box is checked).
HostName:0> set installer policy self-test auto-rollback {on | off} HostName:0> set installer policy self-test install-policy {on | off} HostName:0> set installer policy self-test network-link-up {on | off} HostName:0> set installer policy self-test start-processes {on | off}
These settings are used for sanity checks after installing a CPUSE package:
auto-rollback
If enabled, CPUSE runs a fall-back procedure if the installed package fails one of the sanity tests (automatically restores the version that was active before the package was installed and sends a notification that the installation failed)
install-policy
If enabled, CPUSE makes sure that it is possible to install a policy
network-link-up
If enabled, CPUSE makes sure that all the configured network interfaces on the Gaia machine are up
start-processes
If enabled, CPUSE makes sure that Check Point processes are running
HostName:0> set installer policy send-cpuse-data {on | off}
Note: If setting is enabled (default), then Gaia OS sends the following statistics to Check Point about each deployment phase:
enabled features (based on license "CK")
name of the software update
whether the download succeeded
whether the installation/rollback succeeded
whether the uninstall succeeded
build of installed CPUSE Agent
list of installed hotfixes
if an operation on a package failed (e.g., download / installation), then relevant logs and Check Point Registry
This information is collected to monitor and improve the Software Updates on the Check Point Download Center.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to:
In Gaia R77.20 and higher:
In Gaia R77.10 and lower:
Upgrades (CPUSE) section
Click on Software Updates Policy page
Software Updates section
Click on Software Updates Notifications page
Configure the desired Mail Notifications:
Note: After any change in settings, you need to click on "Apply" button.
This setting configures Gaia OS to sent e-mail notifications about Software Updates for following categories:
Download Status
Install Status
New Available Packages
If mail server is not configured yet, then:
Click on the relevant link: In order to configure a mail server, use the Mail Notification page, found in the advanced view mode.
System Management section - Mail Notification page will open. Configure the mail server and the root user for this mail server. Click on "Apply" button. Example:
Navigate back to:
in Gaia R77.20 and higher: Upgrades (CPUSE) section - Software Updates Policy page - Mail Notifications sub-section
in Gaia R77.10 and lower: Software Updates section - Software Updates Notifications page
Click on Add button to add a user, to whom e-mail notifications should be sent.
Add the user's e-mail address and select for which categories to send the e-mail notifications - click on "OK" button. Example:
By selecting the user's e-mail address in the list, you can see and change on-the-fly the categories, for which the e-mail notifications are sent to this user.
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Set the desired CPUSE (Gaia Software Updates) Agent Mail Notifications:
Specific commands: HostName:0> set installer mail-notifications <Package_Number> download-status {on | off} HostName:0> set installer mail-notifications <Package_Number> install-status {on | off} HostName:0> set installer mail-notifications <Package_Number> new-available-packages {on | off} or HostName:0> set installer mail-notifications <e-mail> download-status {on | off} HostName:0> set installer mail-notifications <e-mail> install-status {on | off} HostName:0> set installer mail-notifications <e-mail> new-available-packages {on | off}
Notes:
This setting configures Gaia OS to sent e-mail notifications about Software Updates for following categories:
Download Status
Install Status
New Available Packages
If mail server is not configured yet, then configure the mail server and the root user for that mail server: HostName:0> set mail-notification server <SERVER_HOST_or_IP_ADDRESS> HostName:0> set mail-notification username <ROOT_USER@MAIL_DOMAIN> HostName:0> save config
Currently, it is not possible to view the e-mail notifications settings in Clish (only to configure). To verify the e-mail notifications settings in Expert mode:
Connect to command line on Gaia machine.
Log in to Expert mode.
Check the relevant lines in Gaia configuration database - search for Mail Domain: [Expert@HostName:0]# grep "Configured_Mail_Domain" /config/db/initial Example for "mail.company.com":
Note: SmartConsole package will be available only on machine that is configured as Security Management Server / Multi-Domain Security Management Server, or as a StandAlone (Security Management Server and Security Gateway).
In Gaia Portal
In Gaia Clish
Connect to Gaia Portal.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.
In Gaia R77.20 and higher:
In Gaia R77.10 and lower:
Click on the filter button near the help icon (that currently says "Showing Recommended packages") and click on "All" (the filter should change to "Showing All packages"):
SmartConsole package appears in category "Minor Versions (HFAs)".
Select the SmartConsole package.
Download the SmartConsole package:
Either select the package - click on Download button on the toolbar.
Example:
Or right-click on the package and click on Download:
Install the SmartConsole package:
Either select the package - click on Install Update button on the toolbar.
Example:
Or right-click on the package - click on Install Update:
The SmartConsole package will be unpacked.
Gaia Portal will offer to download the SmartConsole.exe file.
Example:
The SmartConsole package can now be downloaded from Gaia Portal in the following places:
Go to Overview section - click on Download Now button:
Go to Maintenance section - click on Download Smart Console page:
Note: For details about Clish commands, refer to section "(4-D) How to work with CPUSE - "How to ..." (Gaia Clish commands, Gaia Portal actions, configuration, etc.)".
Connect to command line on Gaia machine.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Check the available packages:
HostName:0> show installer packages available-for-download
Note: SmartConsole package appears in category "HFAs".
Example:
HostName:0> show installer packages available-for-download
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
... ... ...
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Display name Status
R77 Hotfix for sk95056 (UDP Drops) Available for Download
R77 SmartConsole for Windows Available for Download
R77.20 Gaia Software Updates Package for R77 Available for Download
R77.30 Gaia Software Updates Package for R77 Available for Download
** ************************************************************************* **
** Majors **
** ************************************************************************* **
... ... ...
HostName:0>
HostName:0> show installer package[press Space key][press Tab key] HostName:0> show installer package <Package_Number>
Example:
HostName:0> show installer package 16
Display name: R77 SmartConsole for Windows
Description: Check Point R77 SmartConsole for Windows:
1. Download SmartConsole package on the Gaia server.
2. Install the package - It will be automatically downloaded
to your client machine, and will also be available in Overview Download Now.
Size: 292.51 MB
Type: HFA
Status: Available for Download
Requires reboot: No
Recommended: No
Contains: None
Contained-in: None
Downloaded on: N/A
Imported on: N/A
Installed on: N/A
Installation log: N/A
HostName:0>
Download the SmartConsole package:
Note: The download progress (in per cent) is displayed in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page, and in the output of Clish command "show installer package <Package_Number>".
HostName:0> show installer package 16
Display name: R77 SmartConsole for Windows
Description: Check Point R77 SmartConsole for Windows:
1. Download SmartConsole package on the Gaia server.
2. Install the package - It will be automatically downloaded
to your client machine, and will also be available in Overview Download Now.
Size: 292.51 MB
Type: HFA
Status: Downloading (18%)
Requires reboot: No
Recommended: No
Contains: None
Contained-in: None
Downloaded on: N/A
Imported on: N/A
Installed on: N/A
Installation log: N/A
HostName:0>
Install the SmartConsole package:
Note: The installation progress (in per cent) is displayed in the output of Clish command "show installer package <Package_Number>", and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.
HostName:0> show installer package 16
Display name: R77 SmartConsole for Windows
Description: Check Point R77 SmartConsole for Windows:
1. Download SmartConsole package on the Gaia server.
2. Install the package - It will be automatically downloaded
to your client machine, and will also be available in Overview Download Now.
Size: 292.51 MB
Type: HFA
Status: Installing (30%)
Requires reboot: No
Recommended: No
Contains: None
Contained-in: None
Downloaded on: Tue Mar 15 15:15:22 2016
Imported on: N/A
Installed on: Tue Mar 15 15:27:53 2016
Installation log: /opt/CPInstLog//install_CPUpdates_R77_SC.log
HostName:0>
The SmartConsole package will be unpacked.
If Gaia Portal is currently opened, then it will offer to download the SmartConsole.exe file.
Example:
The SmartConsole package can now be downloaded from Gaia Portal in the following places:
Go to Overview section - click on Download Now button:
Go to Maintenance section - click on Download Smart Console page:
The CPUSE Agent (Gaia Software Updates Agent) is installed on every Gaia-based device and it is responsible for all software deployment process on that device.
Table of Contents for this section:
Relevant Software Updates
CPUSE Agent daemon
Software update installation process
CPUSE verification checks
Suppress Reboot behavior
(5-A) Architecture and Design - Relevant Software Updates
All relevant software updates are uploaded to Check Point Download Center. CPUSE Agent displays software updates that are relevant only to this specific machine.
Note: For each official release and recommended hotfix, CPUSE Offline package can be downloaded from the relevant solution article.
Software Updates
Description
Where / how new software updates are shown
In Gaia Portal
If new software updates are available, they are shown in Upgrades (CPUSE) section (in Gaia OS R77.20 and higher) / to Software Updates section (in Gaia OS R75.40 - R77.10) - Status and Actions page with status Available for Download.
In Gaia Clish
If new software updates are available, they are shown in the output of show installer packages available-for-download command.
How new software updates are installed
Packages are installed based on the CPUSE (Gaia Software Updates) Agent Policy - either manually, on schedule, or automatically.
In Gaia Portal, refer to:
In Gaia OS R77.20 and higher:
In Gaia OS R77.10 and lower:
Upgrades (CPUSE) section
Software Updates Policy page
Download Hotfixes sub-section
Software Updates section
Policy page
Download Hotfixes sub-section
In Gaia Clish, refer to:
Output of the show installer policy downloads command.
Where are downloaded software updates located
All downloaded software updates will be located in $DADIR/repository/tmp/ directory, which actually contains symbolic links to /var/log/CPda/repository/tmp/ directory, where the downloaded software updates are physically stored:
Example from CPUSE Agent build 747:
HostName:0> show installer available_packages
List of available packages for download:
[1]. BUNDLE_R75_46 - Check_Point_R75.45_R75.46.tgz (224.50 MB) - Check_Point_R75.45_R75.46.tgz
HostName:0>
[Expert@HostName:0]# ls -lR $DADIR/repository/
/opt/CPda/repository:
total 0
lrwxrwxrwx 1 admin root 28 Mar 3 14:16 tmp -> /var/log/CPda/repository/tmp
[Expert@HostName:0]#
[Expert@HostName:0]# ls -lL $DADIR/repository/tmp/
total 12
drwx------ 2 admin root 4096 Mar 13 12:52 CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46
drwx------ 2 admin root 4096 Mar 3 13:50 CheckPoint#DeploymentAgent#All#6.0#2#5#B339
drwx------ 2 admin root 4096 Mar 3 13:51 CheckPoint#fw1#All#6.0#2#5#HOTFIX_FOXX_HF_HA40_041
[Expert@HostName:0]#
[Expert@HostName:0]# ls -lR /var/log/CPda/repository/tmp/
/var/log/CPda/repository/:
total 8
drwx------ 2 admin root 4096 Mar 13 12:56 CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46
drwx------ 5 admin root 4096 Mar 3 14:18 tmp
/var/log/CPda/repository/CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46:
total 230120
-rw-rw---- 1 admin root 235401183 Mar 13 12:56 Check_Point_R75.45_R75.46.tgz
-rw-rw---- 1 admin root 250 Mar 13 12:56 description
/var/log/CPda/repository/tmp:
total 12
drwx------ 2 admin root 4096 Mar 13 12:56 CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46
drwx------ 2 admin root 4096 Mar 3 13:50 CheckPoint#DeploymentAgent#All#6.0#2#5#B339
drwx------ 2 admin root 4096 Mar 3 13:51 CheckPoint#fw1#All#6.0#2#5#HOTFIX_FOXX_HF_HA40_041
/var/log/CPda/repository/tmp/CheckPoint#CPUpdates#All#6.0#2#5#BUNDLE_R75_46:
total 0
/var/log/CPda/repository/tmp/CheckPoint#DeploymentAgent#All#6.0#2#5#B339:
total 0
/var/log/CPda/repository/tmp/CheckPoint#fw1#All#6.0#2#5#HOTFIX_FOXX_HF_HA40_041:
total 0
[Expert@HostName:0]#
(5-B) Architecture and Design - CPUSE Agent daemon
Architecture and Design
Description
Main directory
/opt/CPda/ (environment variable $DADIR)
Main daemon
$DADIR/bin/DAService
Log files
/opt/CPInstLog/DeploymentAgent.log
Notes:
Exists in all builds of CPUSE Agent.
Contains detailed technical log for administrators and for troubleshooting.
This log file is rotated when its size reaches 2 GB.
Up to 10 rotated files are kept (DeploymentAgent.log.1, DeploymentAgent.log.2, etc.).
/opt/CPInstLog/DA_UI.log
Notes:
Exists in CPUSE Agent builds 710 and higher.
Contains general messages for users.
This log file is not rotated.
The last 10 minutes of the this log file are displayed in the "Event Log": In "Gaia Portal" - go to "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - click on "Status and Actions" page - scroll to the bottom - click on "Event Log" button.
How to check the current build of the CPUSE Agent
In Gaia Portal
Navigate to Upgrades (CPUSE) section (in Gaia OS R77.20 and higher) / to Software Updates section (in Gaia OS R77.10 and lower) - click on Status and Actions page.
In Gaia OS R77.20 and higher:
In Gaia OS R77.10 and lower:
Click on the "Hotfixes" link near the version.
Example:
A pop-up "Hotfixes Information" appears. Version (build) of the installed Deployment Agent is displayed at the bottom.
Build Number = 974 Minor Release = knockout_ms1_ga
How to manually start the CPUSE Agent daemon
Enable monitoring of the CPUSE Agent daemon by Check Point WatchDog:
[Expert@HostName:0]# $DADIR/bin/dastart
Which will run the following command: $CPDIR/bin/cpwd_admin start -name DASERVICE -path "/opt/CPda/bin/DAService_script" -command "DAService_script"
Manually start the CPUSE Agent daemon:
Either in Gaia Clish:
HostName:0> installer agent start
Or in Expert mode:
[Expert@HostName:0]# DAClient start
How to manually stop the CPUSE Agent daemon
Disable monitoring of the CPUSE Agent daemon by Check Point WatchDog:
[Expert@HostName:0]# $DADIR/bin/dastop
Which will run this command: cpwd_admin stop -name DASERVICE
Manually stop the CPUSE Agent daemon:
Either in Gaia Clish:
HostName:0> installer agent stop
Or in Expert mode:
[Expert@HostName:0]# DAClient stop
(5-C) Architecture and Design - Software update installation process
When started, installation process is automatic and does not require any interaction from the user.
Which package is installed
Installation process
Hotfix, or Minor Version
Pre-install validation (installation type (GW/MGMT), package validation, disk space, CRs conflicts, version compatibility). For details about verification checks run by CPUSE, refer to sub-section (5-D) CPUSE verification checks.
Unpack the new CPUSE package.
Backup the current CPUSE package.
Stop Check Point services ('cpstop').
Prepare diff-files (what exactly should be replaced).
Replace target files. Rollback, if installation fails.
Register the installed package in Check Point Registry.
Reboot (automatically) / Start Check Point services ('cpstart').
Self-test.
Rollback (uninstall), if self-test failed (only if this option is enabled in the CPUSE policy).
Major Version (Upgrade)
Pre-install validation (installation type (GW/MGMT), package validation, disk space, CRs conflicts, version compatibility, machine type (Check Point Appliance/Open Server), upgrade path). For details about CPUSE verification checks, refer to sub-section (5-D) CPUSE verification checks.
Create new disk partition.
Install new version files onto the new disk partition.
Configure new version, migrate the relevant configuration (Database on Management Server, SIC, Licenses, FireWall / VPN / SecureXL / CoreXL / Hardware configuration on Security Gateway).
Setup products on the new disk partition.
Reboot the machine from the new partition.
Import database (on Management Server), last products configurations, fetch policy (on Security Gateway).
Run post-install self-tests (as configured before the installation).
(5-D) Architecture and Design - CPUSE verification checks
Pre-Install verifications:
As part of the "Verify" actions, or at the start of every installation, CPUSE Agent runs several tests to make sure the package is compatible for the installation:
Available disk space
Content validation (conflicts with installed content)
Package is not corrupted
On Security Management Server / Multi-Domain Security Management Server, at the beginning of an upgrade, CPUSE Agent automatically runs the Pre-Upgrade Verifier - a validation tool, similar to the pre-upgrade verifier that runs as a part of the Management Server migration process.
In case of an error in one of the verification tests, the administrator is required to first follow the instructions and resolve the issue, and only then to start the upgrade again.
Post-Install self-tests:
CPUSE Agent has a self-test feature that runs after installation and checks whether the installation has succeeded - and its purpose is to validate that the Gaia OS machine is up and running.
Three checks can be configured to run:
Check Point daemons that were up and running prior to installation, are up and running post installation (enabled by default)
Local policy-fetch works (disabled by default)
Network links that were up prior to installation, are up post installation (disabled by default)
Administrator can enable the option to automatically roll back the installation in case of a self-test failure. This option is disabled by default. Therefore, by default, there is no roll back during a self-test failure.
The self-test configuration is controlled:
In Gaia Portal, navigate to Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click on Policy.
In Gaia Clish, refer to set installer policy ... commands
Please note the self-test failure condition is different from a regular installation failure - during a regular installation failure, there is an automatic roll back and the machine returns to a point before the installation started.
All CPUSE packages are signed by Check Point using an SHA-256 digital signature since April 2015. Until then, CPUSE packages were signed by MD5 and SHA-1 digital signature.
Note: If CPUSE is served from an on-premises Private ThreatCloud, then all CPUSE packages are signed at the source (i.e., by Check Point) using an ECDSA P-521/SHA-512 digital signature.
CPUSE Agent performs SHA-256 signature verification and MD5 integrity verification of the downloaded files. If the either verification fails, the download is considered as failed.
(5-E) Architecture and Design - Suppress Reboot behavior
At the beginning of every installation / uninstall of a Hotfix or Minor Version, CPUSE Agent asks the user whether to perform a reboot automatically when install / uninstall completes. The purpose of the suppress reboot functionality is to allow the administrator to perform post-install / post-uninstall actions (that also require reboot) and thus reduce the number of reboots.
If administrator chooses to suppress the automatic reboot, then the CPUSE Agent will not reboot the machine automatically. However, some of the Gaia OS functionality will be blocked:
After installation of a Hotfix:
No additional actions are allowed for the installed package (except exporting the package and deleting the package from disk)
All actions on other packages are allowed
After installation / uninstall of a Minor Version:
All actions on all packages are blocked (except exporting the package and deleting the package from disk)
"All actions are disabled until you perform a reboot" static message is displayed in Gaia Portal
"Operation canceled, All actions currently disabled - pending machine reboot" is returned when running any Clish command (except for "show" commands)
Important Note: During the installation / uninstall of a package, all Check Point services are stopped (cpstop). Therefore, it is strongly recommended to complete all the necessary maintenance operations and reboot the machine as soon as possible, to restore the normal operation of Check Point software. For more details, refer to sk113045.
(6) Limitations, Troubleshooting and Related solutions
Тo open debug, run the following (no need to restart Deployment Agent ):
da_cli edit_configuration operation=add_config PING_DEBUG=1 - to activate debug da_cli edit_configuration operation=add_config PING_DEBUG=0 - to deactivate debug (default)
2
By default, if the Deployment Agent identifies a newer version in Download Center and if the self-update option is off, the Deployment Agent blocks the operations until the latest version is installed. To bypass this, use:
da_cli edit_configuration operation=add_config ENFORCE_NEW_DA=1 - to enable (default) da_cli edit_configuration operation=add_config ENFORCE_NEW_DA=0 - to disable
3
Symptom: clish, DAClient and da_cli commands seem to have no effect.
Solution: if MDSPS is enabled on the Security Gateway, make sure that the shell runs on the management plane. When MDPS is enabled on theSecurity Gateway, CPUSE service runs in the management plane, any command line interaction with CPUSE should be executed in the same plane (clish, DAClient and da_cli).
For customers with R77.30 who installed only Legacy packages and want to install the CPUSE Jumbo for the first time: in this case, the Legacy package should be uninstalled prior to the CPUSE installation.
Important Note: This option was removed from Gaia Portal starting in CPUSE Agent Build 1127.
Note: This option is used only to upgrade to Major releases R75.40VS / R76 GA / R77.X (refer to the upgrade map) using the Legacy CLI upgrade package.
Download the Legacy CLI upgrade Gaia OS package of the supported Major release (R75.40VS / R76 / R77 / R77.10 / R77.20 / R77.30).
Connect to Gaia Portal.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):
Navigate to Upgrades (CPUSE) section (in Gaia R77.20 and higher) / to Software Updates section (in Gaia R77.10 and lower) - click on Status and Actions page.
In Gaia R77.20 and higher:
In Gaia R77.10 and lower:
Click on the "Legacy Upgrade" button, upload the upgrade package to Gaia OS, and click on "Upgrade" button:
HostName:0> show installer
mail-notifications - Show mail notifications for user
package - Show information about a specific package
packages - Show packages information
policy - Show policies configurations
status - Show status
HostName:0>
where full syntax is:
HostName:0> show installer mail-notifications {<Package_Number> | <email>}
HostName:0> show installer package <Package_Number>
HostName:0> installer
agent - Perform Deployment agent actions
check-for-updates - Check for new available packages in Check Point cloud
delete - Delete package
download - Download package
download-and-install - Download and install package
import - Import package
install - Install package
uninstall - Uninstall package
upgrade - Upgrade to a new major version
verify - Verify if package is compatible with this machine
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions is displayed in both Clish and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.
Refer to section "(4) How to work with CPUSE" - refer to instructions for Gaia Portal.
Available Clish commands
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Set the Gaia Software Updates Agent Policy:
HostName:0> set installer
deployment-mail-notification - Set the installer mail notifications
download_mode - Set the installer download mode to automatic, manual or schedule
install_mode - Set the installer install mode to automatic, manual or schedule
HostName:0>
Notes:
The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
Start/Stop the relevant action:
HostName:0> installer
download - Download a selected package
install - Install a selected package
restore_policy - Restore the default update policy
start - Start the installer service
stop - Stop the installer service
uninstall - Uninstall a selected package
upgrade - Upgrade a selected package
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions is displayed in both Clish and in "Gaia Portal" - "Upgrades (CPUSE)" section (in Gaia R77.20 and higher) / to "Software Updates" section (in Gaia R75.40 - R77.10) - "Status and Actions" page.
To see software updates in Clish:
HostName:0> show installer
available_local_packages - Show available packages for install
available_packages - Show available packages for download
installed_packages - Show the installed packages on this machine
package_status - Show the packages status
HostName:0>
Notes:
"show installer available_packages" command reads the information about the packages that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_packages
Num File Name Type
1 Check_Point_R77_10_R77_20_T124.tgz Wrapper
2 Check_Point_R75.46_Fresh_Install.tgz Major Version
3 Check_Point_R75_40VS_T157.tgz Major Version
4 Check_Point_R77.10_Install_and_Upgrade.tgz Major Version
5 Check_Point_R76_T265.tgz Major Version
HostName:0>
"show installer available_local_packages" command reads the information about the packages that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_local_packages
Num File Name Type
1 Check_Point_Hotfix_R77_10_sk102673.tgz Hotfix
HostName:0>
"show installer installed_packages" command reads the information about the packages that were installed from the $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer installed_packages
Num File Name Type
1 Check_Point_SmartConsole_R75.47.tgz Wrapper
2 Check_Point_Hotfix_R75.47_sk101186.tgz Hotfix
HostName:0>
"show installer package_status" command reads the information about the status of packages from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer package_status
Num File Name Status Progress
1 Check_Point_SmartConsole_R75.47.tgz Installed
2 Check_Point_R75.46_Fresh_Install.tg... Available for Download
3 Check_Point_R76_T265.tgz Available for Download
4 Check_Point_R77.20_T124_Install_and... Partially Downloaded (5%)
5 Check_Point_R77.10_Install_and_Upgr... Available for Download
6 Check_Point_Hotfix_R75_47_sk102673.... Available for Install
7 Check_Point_R77.tgz Available for Download
8 Check_Point_R75_40VS_T157.tgz Available for Download
9 Check_Point_Hotfix_R75.47_sk101186.... Installed
10 Check_Point_Hotfix_R75.47_sk100195.... Unknown
11 Check_Point_Hotfix_R75.47_sk100431.... Unknown
12 Check_Point_R75.47_OSPF_Hotfix_sk94... Available for Download
HostName:0>
Information about the packages that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
To download a software update in Clish:
Example:
HostName:0> installer download
Num File Name Type
1 Check_Point_R75.46_Fresh_Install.tgz Major Version
2 Check_Point_R76_T265.tgz Major Version
3 Check_Point_R77.20_T124_Install_and_Upgrade.tgz Major Version
4 Check_Point_R77.10_Install_and_Upgrade_R75.4X.tgz Major Version
5 Check_Point_R77.tgz Major Version
6 Check_Point_R75_40VS_T157.tgz Major Version
7 Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz Hotfix
HostName:0>
HostName:0> installer download 7
Initiating download of Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz...
HostName:0>
HostName:0> show installer package_status
.............
12 Check_Point_R75.47_OSPF_Hotfix_sk94... Downloading (6%)
.............
HostName:0>
To install a software update in Clish:
Important Note: Requirements for free disk space exist.
Example:
HostName:0> installer install
Num File Name Type
1 Check_Point_Hotfix_R75_47_sk102673.tgz Hotfix
2 Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz Hotfix
HostName:0>
HostName:0> installer install 2
Initiating install of package 1: Check_Point_R77_hotfix_sk95245.tgz
HostName:0>
HostName:0> show installer package_status
.............
Initiating install of Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz...
.............
HostName:0>
HostName:0> show installer package_status
.............
12 Check_Point_R75.47_OSPF_Hotfix_sk94... Installing (30%)
.............
HostName:0>
To upgrade a software update in Clish:
Important Note: Requirements for free disk space exist.
Example:
HostName:0> installer upgrade
Num File Name Type
1 Check_Point_R75.46_Fresh_Install.tgz Major Version
HostName:0>
HostName:0> installer upgrade 1
Initiating upgrade of package 1: Check_Point_R75.46_Fresh_Install.tgz
HostName:0>
On this tab, user will see the available / manually uploaded hotfix packages.
When a software update is "Available for Download", click on "Download" button.
When a software update is "Available for Install", user can verify whether there are any warnings about this update and whether this update can be installed without conflicts. Click on "Actions" button and then click on "Verifier" button (formerly known as "Check Install") - a pop-up will appear with "Verifier results". If there are no warnings/conflicts, then click on "Install Update" button.
After a software update is installed, user can see the installation log by clicking on the 'scroll' icon in the "Logs" column. A new window will open. Information can be selected and copied from this window.
If a software update was installed and has to be uninstalled, click on "Uninstall" button.
A software update that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to transfer it to another Gaia machine (for example, if another Gaia machine is disconnected from the Internet):
Select the update.
Click on "Actions" button - click on "Export" button.
The update will be saved as TAR file on your computer.
A software update can be manually imported to this Gaia machine (for example, if this machine is disconnected from the Internet).
Important Note: Requirements for free disk space exist.
This feature (importing a package) supports only the following types of packages:
Packages that were specifically created to be installed using Gaia Software Updates.
Obtain the lock over the configuration database (click on the lock icon at the top - near "Sign Out").
Navigate to "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" pane.
Click on "Actions" button - click on "Import" button.
Browse for the TGZ file that was provided by Check Point Support - click on "Upload".
Install the uploaded package either in Gaia Portal, or in Clish - see the relevant instructions above.
Packages that were exported from another Gaia machine using Gaia Software Updates.
Export the relevant update package (that was already downloaded / installed) from a source Gaia machine (that is connected to the Internet) to your computer.
If needed, transfer this file to an external storage device.
Open the Gaia Portal of the target Gaia machine (on which this update package should be imported).
Go to "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates"section - "Status and Actions" page.
Click on "Actions" button - click on "Import" button.
Browse for the TAR file that was exported from a source Gaia machine - click on "Upload".
Note: If the following error is displayed, then incorrect package was uploaded (contact Check Point Support for assistance):
Cannot import package. It is not a valid exported "Gaia Software Updates" package.
Customized packages / images that were created by Check Point for specific customer are added in the following way:
Click on "Actions" button - click on "Add Private Hotfix" button.
In the "Add Private Package" window, paste the special link to the customized package / image (sent to you by Check Point) - click on "Add" button.
Monitor the progress in the "Important Messages" section at the bottom (scroll down).
The customized package / image will appear in the list of available packages with status "Available for Download".
Proceed as with regular hotfix package / image.
User can monitor the general progress in the "Important Messages" section at the bottom (scroll down). For complete log, click on "History" button. Information can be selected and copied from these windows.
Note:
In the "Important Messages" section, the messages appear from bottom-to-top (most recent log is at the top).
In the "Important Messages Log" ('History') window, the messages appear from top-to-bottom (most recent log is at the bottom).
Full Images
On this tab, user will see the available / manually uploaded upgrade packages and fresh install images.
When an image is "Available for Download", click on "Download" button.
When an image is "Available for Install", user can verify whether there are any warnings about this image and whether this image can be installed without conflicts. Click on "Actions" button and then click on "Verifier" button (formerly known as "Check Install") - a pop-up will appear with "Verifier results". If there are no warnings/conflicts, then click on "Install Update" button.
If an image is already installed, you can click on "Reinstall" button.
If an upgrade image was installed and has to be uninstalled, click on "Uninstall" button. Important Note: There is no uninstall option for fresh install images.
An image that was already downloaded / installed, can be exported from this Gaia machine for backup purposes, or to transfer it to another Gaia machine (for example, if that machine is disconnected from the Internet):
Select the update.
Click on "Actions" button - click on "Export" button.
The update will be saved as TAR file on your computer.
You can store this TAR file for backup purposes, or transfer it to another Gaia machine.
An image can be manually imported to this Gaia machine (for example, if this machine is disconnected from the Internet).
Important Note: Requirements for free disk space exist.
This feature (importing an image) supports only images that were exported from another Gaia machine using Gaia Software Updates:
Export the relevant image from a source Gaia machine to your computer.
If needed, transfer this file to an external storage device.
Open the Gaia Portal of the target Gaia machine (on which this image should be imported).
Go to "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" page.
Click on "Actions" button - click on "Import" button.
Browse for the TAR file that was exported from a source Gaia machine - click on "Upload". Note: Gaia Portal will only accept a TAR file that was exported from another Gaia machine (it contains the image TGZ file and special metadata TGZ file). Otherwise, the following error will be displayed: Cannot import package. It is not a valid exported "Gaia Software Updates" package.
User can monitor the general progress in the "Important Messages" section at the bottom (scroll down).
For complete log, click on "History" button. Information can be selected and copied from these windows. Note:
In the "Important Messages" section, the messages appear from bottom-to-top (most recent log is at the top).
In the "Important Messages Log" ('History') window, the messages appear from top-to-bottom (most recent log is at the bottom).
Available Clish commands
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Set the Gaia Software Updates Agent Policy:
HostName:0> set installer
deployment-mail-notification - Set the installer mail notifications
download_mode - Set the installer download mode to automatic, manual or schedule
install_mode - Set the installer install mode to automatic, manual or schedule
HostName:0>
Notes:
The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
For more information about "deployment-mail-notification", refer to "Configuring e-mail notifications in Clish" section.
Start/Stop the relevant action:
HostName:0> installer
download - Download a selected package
install - Install a selected package
restore_policy - Restore the default update policy
start - Start the installer service
stop - Stop the installer service
uninstall - Uninstall a selected package
upgrade - Upgrade a selected package
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions is displayed in both Clish and in "Gaia Portal" - "Upgrades (CPUSE)" / "Software Updates" section - "Status and Actions" page.
To see software updates in Clish:
HostName:0> show installer
available_local_packages - Show available packages for install
available_packages - Show available packages for download
installed_packages - Show the installed packages on this machine
package_status - Show the packages status
HostName:0>
Notes:
"show installer available_packages" command reads the information about the packages that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).
Example: HostName:0> show installer available_packages List of available packages for download: [1]. R75.46 - Check_Point_R75.46_Fresh_Install.tgz (1.48 GB) - <b>R75.46 is a maintenance release for R75.40 and R75.45 with important Check Point product updates.<br>For more about this release, see the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90960" target="_blank">R75.46 home page</a>.</b> [2]. R77_SC - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz HostName:0>
"show installer available_local_packages" command reads the information about the packages that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).
Example: HostName:0> show installer available_local_packages List of available packages for install: [1]. HOTFIX_GULLI_UDP_FIX - Check_Point_R77_UDP_Hotfix_sk95056.tgz (206.90 KB) - Check_Point_R77_UDP_Hotfix_sk95056.tgz [2]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77. For more about this release - <a& href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b> [3]. HOTFIX_GULLI_HF1 - Check_Point_R77_hotfix_sk95245.tgz (2.99 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding. [4]. BUNDLE_DUMMY - Check_Point_Hotfix_Bundle.tgz (206.90 KB) - Check_Point_Hotfix_Bundle.tgz [5]. HOTFIX_GULLI_HF2 - Check_Point_hotfix_R77_sk96269.tgz (2.97 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding. HostName:0>
"show installer installed_packages" command reads the information about the packages that were installed from the $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
"show installer package_status" command reads the information about the status of packages from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).
Information about the packages that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
To download a software update in Clish:
Example: HostName:0> installer download List of available packages for download: [1]. R75.46 - Check_Point_R75.46_Fresh_Install.tgz (1.48 GB) - <b>R75.46 is a maintenance release for R75.40 and R75.45 with important Check Point product updates.<br>For more about this release, see the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90960" target="_blank">R75.46 home page</a>.</b> [2]. R77_SC - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) - Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz HostName:0> HostName:0> installer download 2 Initiating download of package 2: Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz (292.51 MB) HostName:0> HostName:0> show installer package_status ............. Check_Point_SmartConsole_and_SmartDomain_Manager_R77.tgz - Downloading (2.95 MB/s) - Progress: 6% ............. HostName:0>
To install a software update in Clish:
Important Note: Requirements for disk space exist - refer to "System requirements and limitations" section.
Example: HostName:0> installer install List of available packages for install: [1]. HOTFIX_GULLI_HF1 - Check_Point_R77_hotfix_sk95245.tgz (2.99 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding. [2]. BUNDLE_R77_10 - Check_Point_R77.10_EA_T72_4SEs.tgz (202.19 MB) - Check_Point_R77.10_EA_T72_4SEs.tgz [3]. HOTFIX_GULLI_HF2 - Check_Point_hotfix_R77_sk96269.tgz (2.97 MB) - This hotfix solves Threat Emulation Incorrect MIME encoding. [4]. HOTFIX_GULLI_UDP_FIX - Check_Point_R77_UDP_Hotfix_sk95056.tgz (206.90 KB) - Check_Point_R77_UDP_Hotfix_sk95056.tgz [5]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.<br> For more about this release - <a href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b> HostName:0> HostName:0> installer install 1 Initiating install of package 1: Check_Point_R77_hotfix_sk95245.tgz HostName:0> HostName:0> show installer package_status ............. Check_Point_R77_hotfix_sk95245.tgz - Installing - Progress: 3% ............. HostName:0>
To upgrade a software update in Clish:
Important Note: Requirements for disk space exist - refer to "System requirements and limitations" section.
Example: HostName:0> installer upgrade List of available packages for upgrade: [1]. R77 - Check_Point_R77.tgz (1.18 GB) - <b>Check Point R77.<br> For more about this release - <a href=https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965 target=_blank>R77 home page</a>.</b> HostName:0> HostName:0> installer upgrade 1 Initiating upgrade of package 1: Check_Point_R77.tgz HostName:0>
When a software update is "Available for Download", click on "Download" button.
When a software update is "Available for Install", click on "Check Install" button to check whether this software update can be installed without conflict. If there are no warnings/conflicts, then click on "Install" button.
If a software update was installed and has to be uninstalled, click on "Uninstall" button.
Available Clish commands
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Set the Gaia Software Updates Agent Policy:
HostName:0> set installer
deployment-mail-notification - Set the installer mail notifications
download_mode - Set the installer download mode to automatic, manual or schedule
install_mode - Set the installer install mode to automatic, manual or schedule
HostName:0>
Notes:
The "set installer download_mode schedule" sub-command is disabled - use the Gaia Portal.
The "set installer install_mode schedule" sub-command is disabled - use the Gaia Portal.
Start/Stop the relevant action:
HostName:0> installer
download - Download a selected package
install - Install a selected package
restore_policy - Restore the default update policy
start - Start the installer service
stop - Stop the installer service
uninstall - Uninstall a selected package
HostName:0>
Note: The progress (in per cent) of the download/install/uninstall actions is displayed only in "Gaia Portal" - "Software Updates" - "Status and Actions".
To see software updates in Clish:
HostName:0> show installer
available_local_packages - Show available packages for install
available_packages - Show available packages for download
installed_packages - Show the installed packages on this machine
package_status - Show the packages status
HostName:0>
Notes:
"show installer available_packages" command reads the information about the files that are pending download from the $DADIR/bin/pd_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer available_packages
List of available packages for download:
[1]. R75.40 - R75.40_2.tgz (804.64 MB) - R75.40
[2]. R77 - R77.tgz (1.10 GB) - R77 Take 34
[3]. R76_GA - R76_GA.tgz (1.06 GB) - R76
HostName:0>
"show installer available_local_packages" command reads the information about the files that were downloaded and are pending installation from the $DADIR/bin/pi_file file (exists only while the Gaia Software Updates Agent service is running).
Example: HostName:0> show installer available_local_packages List of available packages for install: [1]. software update_GIZMO_PING_DUMMY_002 - Check_Point_GIZMO_DUMMY_002_Bundle.tgz (31.38 KB) - Check_Point_GIZMO_DUMMY_002_Bundle.tgz HostName:0>
"show installer package_status" command reads the information about the status of software updates from the $DADIR/bin/prv_file file (exists only while the Gaia Software Updates Agent service is running).
Example:
HostName:0> show installer package_status
Check_Point_GIZMO_DUMMY_002_Bundle.tgz - Available for install
R77.tgz - Available for download
R75.40_2.tgz - Available for download
R76_GA.tgz - Available for download
HostName:0>
Information about the files that are pending uninstall is stored in $DADIR/bin/pu_file file (exists only while the Gaia Software Updates Agent service is running).
To download a software update in Clish:
Example:
HostName:0> installer download
List of available packages for download:
[1]. R75.40 - R75.40_2.tgz (804.64 MB) - R75.40
[2]. R77 - R77.tgz (1.10 GB) - R77 Take 34
[3]. R76_GA - R76_GA.tgz (1.06 GB) - R76
HostName:0>
HostName:0> installer download 2
Initiating download of package 2: R77.tgz (1.10 GB)
HostName:0>
HostName:0> show installer package_status
Check_Point_GIZMO_DUMMY_002_Bundle.tgz - Available for install
R77.tgz - Downloading
R75.40_2.tgz - Available for download
R76_GA.tgz - Available for download
HostName:0>
"(6) Limitations, Troubleshooting and Related solutions" - added a Troubleshooting scenario #3
11 Apr 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2047
07 Feb 2021
"Latest build of CPUSE and What's New" section - added new GA Build 2019
14 Dec 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1999
25 Nov 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1986
28 Oct 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1976
23 Sep 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1959
10 Sep 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1935
20 Aug 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1931
19 Jul 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1928
30 Jun 2020
Updated (6) Troubleshooting
18 Jun 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1905
16 Apr 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1889
16 Feb 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1865
09 Feb 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1858
16 Jan 2020
"Latest build of CPUSE and What's New" section - added new GA Build 1848
10 Dec 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1832
27 Nov 2019
Added section (4-B-d) Perform a clean install or upgrade of a Blink image
20 Nov 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1818
03 Oct 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1786
19 Aug 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1751
11 Aug 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1731
16 July 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1728
01 July 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1722
05 June 2019
Added a note that CPUSE package is not compatible with R80.20SP
14 May 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1677
01 May 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1676
31 Mar 2019
Updated setion 4C - "How to uninstall a CPUSE package"
26 Mar 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1671
17 Mar 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1669
23 Jan 2019
"Latest build of CPUSE and What's New" section - added new GA Build 1580
28 Nov 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1577
29 Sep 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1573
26 Sep 2018
Added link to R80.20 Gaia Administration Guide
15 July 2018
Added R80.20 to Versions list
25 June 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1511
24 June 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1510
14 June 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1508
06 May 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1483
08 Apr 2018
Updated Section (2) System requirements and limitations, item G.
12 Feb 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1439
02 Jan 2018
"Latest build of CPUSE and What's New" section - added new GA Build 1418
26 Nov 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1405
10 Oct 2017
Corrected the import instructions in Gaia Portal - correct the name of the button from "Upload" to "Import".
08 Oct 2017
Renamed the "Latest build of CPUSE and What's New" section to the "Download the latest build of CPUSE Agent and What's New".
24 Sep 2017
"Latest build of CPUSE and What's New" section - "(3-D) History of older CPUSE Agent builds" subsection - updated the text to show that build 1130 is integrated into R80 GA version.
27 Aug 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1298.
23 Aug 2017
"Troubleshooting and Related solutions" section - added sk104479.
17 Aug 2017
"Troubleshooting and Related solutions" section - added sk119993.
16 Aug 2017
"Troubleshooting and Related solutions" section - added sk119954.
24 July 2017
"Latest build of CPUSE and What's New" section - added a note that restarting the ConfD daemon should be performed during a maintenance window.
06 July 2017
"System requirements and limitations" section - updated a note that on VSX R80.10, any package can be installed using CPUSE.
27 June 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1294.
21 June 2017
Updated the instructions for importing a package in Gaia Portal (by clicking on the Import Package button on the main page).
Added link to R80.10 Gaia Administration Guide.
16 June 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1293.
18 May 2017
Added R80.10 version to the article.
25 Apr 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1283.
04 Apr 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1278.
28 Mar 2017
Updated the title of this article from "CPUSE - Gaia Software Updates (including Gaia Software Updates Agent)" to "Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent".
"Latest build of CPUSE and What's New" section - added the Build 1272 back.
20 Mar 2017
"Latest build of CPUSE and What's New" section - temporarily reverted from Build 1272 to the previous Build 1130.
15 Mar 2017
Added relevant screenshots for "Verifier" results.
13 Mar 2017
"Latest build of CPUSE and What's New" section - added new GA Build 1272.
11 Feb 2017
"Troubleshooting and Related solutions" section - added sk114592.
05 Feb 2017
"Troubleshooting and Related solutions" section - added sk115719.
15 Jan 2017
"Troubleshooting and Related solutions" section - added sk115515.
31 Dec 2016
"(4-A) "How to ..." section - improved import instructions for Offline procedure in Gaia Portal.
"Troubleshooting and Related solutions" section - added sk111158, sk115243.
19 Nov 2016
"(4-A) "How to ..." section - improved notes about VSX mode.
"(4-B) "How to ..." section - improved notes about VSX mode.
"(4-B) "How to ..." section - "(4-B-b)" subsection - added a list of files that are copied by CPUSE during an upgrade to a Major Version.
14 Nov 2016
"(4-C) "How to ..." section - improved notes.
03 Nov 2016
"System requirements and limitations" section - added clarifications about the required license and contract.
02 Oct 2016
"Latest build of CPUSE and What's New" section - added new Build 1130.
"System requirements and limitations" section - added instructions for allowing CPUSE to work with Check Point cloud.
29 Jan 2015
"System requirements and limitations" section - updated the information that option "Automatically download Contracts and other important data (Recommended)" should be enabled in SmartDashboard.
05 Oct 2014
Added description for Gaia Software Updates Agent version from 710 to 747.
11 Sep 2014
"Overview" - "Description" section - added a note that CPuse mechanism supports deployment of Major Versions (starting from build 502).
19 Aug 2014
"Software Updates Notifications" section - updated the information.
Updated the notes for "set installer" commands.
24 July 2014
Added a note about the "ping" syntax in $DADIR/bin/connection_test.sh script if Gaia machine is disconnected from the Internet.
15 June 2014
"Related solutions" section - added this new section.
12 May 2014
Updated the information about the "Import" operation in Gaia Portal.
17 Mar 2014
Improvements in HTML design.
26 Jan 2014
Added notes about importing an image / package.
Modified manual installation instructions.
12 Dec 2013
Added description for Gaia Software Updates Agent versions from 502 to 615.
03 Mar 2013
First release of this document.
Give us Feedback
Thanks for your feedback!
Are you sure you want to rate this stars?
- Information
- Success
- Warning
- Error
- Information
- Success
- Warning
- Error
