Re: Creating a CPuse package

Rob_Napholz · ‎2019-02-28

I am trying to utilize CPUSE on a gateway to install a shell scripts and run a few commands.

There may be better ways to install a shell script, but this allows the admin to install the script via web browser.

I have not been able to find documentation on how to create a CPuse file.

Link anyone ?

I tried to create a pkg but I am just guessing at the structure.

When running installer import local, I am getting a read error with the file hf.config

FW-LAB> installer import local /home/admin/ABC_Install_package.tgz

Preparing package for import. This operation might take a few moments

Note: The selected package will be copied into CPUSE repository

Info: Initiating import of ABC_Install_package.tgz...

Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)

Result: Import of package ABC_Install_package.tgz Failed

Error occurred while trying to read hf.config file.

cat hf.config

1

PATCH_REG_PRODUCT=CPUpdates

PATCH_REG_VER=6.0

PATCH_REG_SP=4

PATCH_REG_MSP=8

PATCH_NAME= ABC_Install_package

TAKE_NUMBER=1

PACKAGE_TYPE=BUNDLE

DIRECT_BASE_VERSION=R80.10

[Expert@FW-LAB:0]# ls -l

total 20

drwxr-xr-x 2 admin root 4096 Feb 27 09:23 CheckPoint#fw1#ALL#6.0#4#8#ABC_Install_package

-rwxr-xr-x 1 admin root 1784 Feb 27 09:44 bundle.xml

-rw-rw-r-- 1 admin root 171 Feb 27 09:58 hf.config

drwxr-xr-x 2 admin root 4096 Feb 27 09:43 scripts

-rw-rw-r-- 1 admin root 7 Feb 27 10:48 take_number.conf

Martin_Valenta · ‎2019-03-01

Why not to use CDT? For distribution of files and running scripts on gateways..

Joshua_Hatter · ‎2019-03-01

You don't create your own CPUSE package, that isn't really a thing I've ever heard of, you should use the scrips repository in SmartConsole. I think it will accomplish what you are looking for.

Rob_Napholz · ‎2019-03-01

I am already utilize the repository for running scripts, how can i copy a binary file to the gateway from the CMA without hard coding the password ? SIC ?

Since we are talking about the repository, any idea on how to maintain the same script across multiple(10+) domains/CMAs. Can this happen at the global level ?

PhoneBoy · ‎2019-03-01

I'm with Martin Valenta‌ on this, CDT is the right tool for the job here.

You can copy files to your remote gateways (e.g. a tarball), among many other things.

Central Deployment Tool (CDT)

Rob_Napholz · ‎2019-03-01

CDT is a command line tool, i have not seen a gui version.

looking for a gui tool for a junior admin

the file only need to be installed on gateway after onboarding.

PhoneBoy · ‎2019-03-01

There is an API call called put-file that can copy a file to a gateway.

Of course that's not a GUI option

Greg_Harewood · ‎2020-09-16

Hiya. Let's see if we can advance this discussion 🙂

Bundle packages

Attached is a tgz package for reference. It's about the simplest I can make work, so it's easy to pull apart. It's sole function on install is to save its environment to a file in /tmp. That should be enough info for you to see how to use the install_hook script to unpack a tgz instead.

Check Point themselves add a lot more complexity. The attached package has the following deficiences:

It's not a new package - it's a patch format, so you have to choose an existing package to patch as a way to add your files. This one patches "CpUpdates", i.e. the deployment agent. Check Point themselves sometimes seem to use this method, patching either this or the "fw1" package.
It has no understanding of versioning and uninstall MIGHT be unreliable in terms of stability of the base package it is installed on top of. Take care.

That being said it's good enough for a lot of stuff. Check Point's complexity to some extent derives from history rather than design. They have at least the following formats:

Major - a full reinstall, which doesn't seem useful to us.
BUNDLE/wrapper - this is the example format, and it can also be used as a package of packages. Rob, mine attached is very similar to yours above.
single_hotfix - similar format, but the crs.xml contains a list of files to patch. Install script hooks are referenced from hf.config and bundle.xml is missing

Conspicuously missing is a simple format for a new package. CP use RPM for new packages, but not from CPUSE. SURELY there is a way to do a new install from CPUSE. But I can find no recent examples of it. I need to go digging in IPSO history.... some of this stuff is based off of that, and they certainly used to use this kind of format for that.

File format: My example is a single .tgz. There is also a .tar format that contains the .tgz plus a derived smaller blahblah_METAFILE.tgz. The value of this is the smaller metafile is packaged first and can be unpacked more rapidly for names, descriptions, checks.

CPRID

Rob, your other question was about distributing files. SmartUpdate can essentially be used from the SMS to copy files and run them. This might be of use. See sk106490

Boaz_Orshav · ‎2020-09-16

Hi

CPUSE package includes many attributes and configuration items which are used by the Check Point deployment tools.

Creating a package is done on a Check Point packaging system.

Any package you create by yourself might cause unpredictable results!

Future installations of Check Point packages might fail, backup & restore functionality might be damaged and many other items which are handled automatically when using Check Point packaging system.

Bottom line - please do not do it and let's use CDT or other tools to get the same result in a much safer way.

Thanks

Boaz

Are you a member of CheckMates?

Creating a CPuse package