Duane_Toler
MVP Silver

R82 upgrade for Azure

Can someone explain the inconsistency with sk177714 (in-place upgrade of an R81.20 SmartCenter in CloudGuard) versus what is actually happening on the server?

Sep 25 18:33:03 2025 mercury xpand[8775]: admin localhost t +installer:action_result Failed to add the package (Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz)
The following results are not compatible with the package:

 - Check package compatibility with this version

 - Machine is 'azure' cloud environment

This installation package is not supported on Cloud environments (Microsoft Azure, Google Cloud, Amazon Web Service and Aliyun)

 

Same thing for the Blink package:

Sep 25 18:27:18 2025 mercury xpand[8775]: admin localhost t +installer:action_result Failed to add the package (Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz)
The following results are not compatible with the package:

 - Machine is 'azure' cloud environment

This installation package is not supported in these cloud environments: Amazon Web Service, Microsoft Azure, Google Cloud, and Aliyun.

 

So.... is in-place upgrade supported or not?  As it stands, the DDR policy isn't allowing it.  Any ideas?

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
19 Replies
the_rock
MVP Gold

Last time I did this, I just ended up doing it from web UI, like regular Gaia and worked fine.

Andy

0 Kudos
Duane_Toler
MVP Silver

Sadly, the package isn't being added to the repository, so it's not selectable.  I even tried to force it by adding the package manually.  The metadata comes across but it refuses to add to the repository:

 

[Expert@mercury:0]# da_cli add_private_package package=Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz
{
   "Action ID" : "169",
   "Message" : "add_private_package command delivered to service.",
   "Package" : "Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz"
}

[Expert@mercury:0]# da_cli get_status_of_action actionID=169
{
   "Action ID" : "169",
   "Action Type" : "Add_Private_Package",
   "DAService State" : "ready",
   "ExtendedMessage" : "N/A",
   "Message" : "Failed to add the package (Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz)\nThe following results are not compatible with the package:\n\n - Machine is 'azure' cloud environment\n\n\nThis installation package is not supported in these cloud environments: Amazon Web Service, Microsoft Azure, Google Cloud, and Aliyun.\nThis installation package may not be supported on your appliance model or server.\nThis installation package supported only on 64-bit CPU.\nFor the latest software images for Check Point appliances, see sk120193.\nFor support of R81 on Open Servers, see sk166715.",
   "Package" : "Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz",
   "Progress" : "0",
   "Status" : "failure"
}

 

That's when I tried the generic package and it did the same thing:

[Expert@mercury:0]# da_cli add_private_package package=Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
{
   "Action ID" : "171",
   "Message" : "add_private_package command delivered to service.",
   "Package" : "Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz"
}

[Expert@mercury:0]# da_cli get_status_of_action actionID=171
{
   "Action ID" : "171",
   "Action Type" : "Add_Private_Package",
   "DAService State" : "ready",
   "ExtendedMessage" : "N/A",
   "Message" : "Failed to add the package (Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz)\nThe following results are not compatible with the package:\n\n - Check package compatibility with this version\n\n\n\n - Machine is 'azure' cloud environment\n\n\nThis installation package is not supported on Cloud environments (Microsoft Azure, Google Cloud, Amazon Web Service and Aliyun)\nThis installation package may not be supported on your appliance model.\nFor the latest software images for Check Point appliances, see sk166536\nThis installation package may not be supported on your server.\nThe installation is supported only on servers with standard Check Point partition formats.\nThis installation package is not supported if you have an NSX-V Data Center object",
   "Package" : "Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
   "Progress" : "0",
   "Status" : "failure"
}

 

 Boo. 😞

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Gold

I agree, boo : - (

Anywho, here is my ?...what do you see in updates tab at the bottom left of web UI? If you select all packages, can you attach a screenshot? Is CPUSE updated to latest build?

Andy

0 Kudos
PhoneBoy
Admin

Are you using the upgrade package linked in sk177714 to do this?
Other packages may not be supported for this purpose.

0 Kudos
Duane_Toler
MVP Silver

Oh!  Fair enough, my fault for not clicking the link, I did miss that; I didn't see there was a special package.  However, I tried to add that to the repository and it still complained saying it couldn't even find that package to download/import:

[Expert@mgmt01:0]# da_cli add_private_package package=aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
{
   "Action ID" : "167",
   "Message" : "add_private_package command delivered to service.",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar"
}

[Expert@mgmt01:0]# da_cli get_status_of_action actionID=167
{
   "Action ID" : "167",
   "Action Type" : "Add_Private_Package",
   "DAService State" : "ready",
   "ExtendedMessage" : "N/A",
   "Message" : "The package 'aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar' does not exist in the Check Point cloud.",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
   "Progress" : "0",
   "Status" : "failure"
}

 

I had to use a different host because my other one had to have a private hotfix which I know breaks upgrades.  This host doesn't have any of those.

I downloaded that "aio" package manually and imported it locally which did work.  Yet this particular VM needed an LVM disk expansion and the DDR policy apparently doesn't like that (sigh).

So... I tried this package on another Azure CloudGuard management server that's still in a "pristine" state.  Again I had to download the package locally and import it manually.  The package imported and verified successfully.  I need to do a JHF update first before upgrading, tho.

 

[Expert@moon:0]#  da_cli get_status_of_action actionID=214
{
   "Action ID" : "214",
   "Action Type" : "Verify",
   "DAService State" : "ready",
   "ExtendedMessage" : "N/A",
   "Message" : "{\"clean-install\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"Installation is allowed.\"}],\"success\":true},\"install\":{\"applicable\":false,\"messages\":null,\"success\":false},\"upgrade\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"Upgrade is allowed.\"}],\"success\":true},\"warning-install\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"(1 warnings) \\n • A Jumbo Hotfix Accumulator (HFA) Take 105 is installed on this server. \\nRead more about the Jumbo (HFA) that aligns with your current Jumbo (HFA) in sk164258\\n \"}],\"success\":true},\"warning-upgrade\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"(1 warnings) \\n • A Jumbo Hotfix Accumulator (HFA) Take 105 is installed on this server. \\nRead more about the Jumbo (HFA) that aligns with your current Jumbo (HFA) in sk164258\\n \"}],\"success\":true}}",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
   "Progress" : "100",
   "Status" : "success"
}

 

Hopefully the "aio" package can be added as a private package so they don't have to be downloaded manually.  That's quite a pain for a remote host like these.  Otherwise, for pristine hosts, this should work.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
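The `da_cli get_status_of_action` replies quoted above come in two shapes: a failed action puts plain text with ` - <reason>` lines in "Message", while a Verify action puts a second, escaped JSON document there. The following is an added example, not part of the original posts and not Check Point code; it decodes both shapes. The function names `parse_status` and `upgrade_allowed` are hypothetical, and the two samples are constructed by trimming the output shown in this thread.

```python
import json

# Constructed samples, trimmed from the da_cli output quoted in this thread.
FAILED_ADD = r'''{
   "Action ID" : "169",
   "Action Type" : "Add_Private_Package",
   "Message" : "Failed to add the package (Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz)\nThe following results are not compatible with the package:\n\n - Machine is 'azure' cloud environment\n\n\nThis installation package is not supported in these cloud environments: Amazon Web Service, Microsoft Azure, Google Cloud, and Aliyun.",
   "Progress" : "0",
   "Status" : "failure"
}'''

VERIFY_OK = r'''{
   "Action ID" : "214",
   "Action Type" : "Verify",
   "Message" : "{\"clean-install\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"Installation is allowed.\"}],\"success\":true},\"install\":{\"applicable\":false,\"messages\":null,\"success\":false},\"upgrade\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"Upgrade is allowed.\"}],\"success\":true}}",
   "Progress" : "100",
   "Status" : "success"
}'''


def parse_status(raw):
    """Summarise one get_status_of_action reply (hypothetical helper)."""
    reply = json.loads(raw)
    message = reply.get("Message", "")
    summary = {
        "action": reply.get("Action Type"),
        "ok": reply.get("Status") == "success",
        "blockers": [],   # failed compatibility checks, from plain-text replies
        "modes": {},      # per-mode verdicts, from Verify replies
    }
    try:
        nested = json.loads(message)   # Verify: JSON embedded in "Message"
    except ValueError:
        nested = None                  # plain-text message
    if isinstance(nested, dict):
        for mode, result in nested.items():
            if not isinstance(result, dict):
                continue
            # "messages" can be null, as for "install" in the thread's output.
            texts = [m.get("text", "").strip() for m in (result.get("messages") or [])]
            summary["modes"][mode] = {
                "allowed": bool(result.get("applicable") and result.get("success")),
                "messages": texts,
            }
    else:
        summary["blockers"] = [
            line.strip()[2:].strip()
            for line in message.splitlines()
            if line.strip().startswith("- ")
        ]
    return summary


def upgrade_allowed(raw):
    """True only if the action succeeded and the 'upgrade' mode is allowed."""
    s = parse_status(raw)
    return s["ok"] and s["modes"].get("upgrade", {}).get("allowed", False)


if __name__ == "__main__":
    print(parse_status(FAILED_ADD)["blockers"])
    print(upgrade_allowed(VERIFY_OK))
```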
Bob_Zimmerman
MVP Gold

I've found CPUSE doesn't like to download packages with a tar extension. You probably just need to change it to tgz, even though that's not really the right file name.

0 Kudos
Don_Paterson
MVP Gold

What about the installer command (CLISH CPUSE/DA command) instead of da_cli?

 

installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar



https://sc1.checkpoint.com/documents/CPUSE/Content/Topics/Install-Package.htm?tocpath=Installing%20a...

 

 

 

0 Kudos
Don_Paterson
MVP Gold

Just in case:

You would run 1 or 2:

1.

clish

installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar

and then all other installer commands, as per the guide

exit to leave, unless the installer does the upgrade and reboots.

 

2. 

clish -c 'installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar'

clish -c <--- for each  installer command run

 

1 is better, and then type exit to go back to expert mode when done.

the_rock
MVP Gold

Hey Duane,

Did you figure this out?

Andy

0 Kudos
Duane_Toler
MVP Silver

Nope.  The package can't be found with .tgz extension, either.  Not available as a plain download:

[Expert@chkp01:0]# da_cli download package=aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
{
   "Action ID" : "66",
   "Message" : "download command delivered to service.",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz"
}

[Expert@chkp01:0]# da_cli get_status_of_action actionID=66
{
   "Action ID" : "66",
   "Action Type" : "Download",
   "DAService State" : "ready",
   "ExtendedMessage" : "N/A",
   "Message" : "Could not find the requested package.",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
   "Progress" : "0",
   "Status" : "failure"
}

 

Nor can it be added as a private package:

[Expert@chkp01:0]# da_cli add_private_package package=aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
{
   "Action ID" : "67",
   "Message" : "add_private_package command delivered to service.",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz"
}

[Expert@chkp01:0]# da_cli get_status_of_action actionID=67
{
   "Action ID" : "67",
   "Action Type" : "Add_Private_Package",
   "DAService State" : "ready",
   "ExtendedMessage" : "N/A",
   "Message" : "The package 'aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz' does not exist in the Check Point cloud.",
   "Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
   "Progress" : "0",
   "Status" : "failure"
}

 

Only recourse was to download it manually then import it locally.  The .tar package that gets downloaded includes metadata stuff and the .tgz archive inside.

Oh well.  I used my old school trickery to fetch the URL with the HashKey and pasted that to curl_cli on the host directly.  I'm not downloading a 4.x GB file then turning around and scp'ing that back out!  I only wish the downloads page still had its plain 'Download' link like it did before, rather than be hidden behind a JavaScript form button to generate it. 😕  Inconvenient, but I guess they did that to stop leeching that some script writers were doing.  I still got it, tho.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Gold

I will try that in the lab, but I never recall seeing the = sign after the word package.

Andy

0 Kudos
the_rock
MVP Gold

@Duane_Toler Sorry brother, did not have a chance to try this today, but definitely will tomorrow. 

Andy

0 Kudos
the_rock
MVP Gold

You are 100% right, just tried it, same issue.

Andy

[Expert@CP-GW:0]# da_cli get_status_of_action actionID=35
{
"Action ID" : "35",
"Action Type" : "Download",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "Could not find the requested package.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "0",
"Status" : "failure"
}

[Expert@CP-GW:0]#

0 Kudos
Don_Paterson
MVP Gold

What about the CLISH installer command?

installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar

 

I wouldn't use tgz since the file has the .tar extension (Cloud ID).

 

the_rock
MVP Gold

That seemed to work, yes.

0 Kudos
Don_Paterson
MVP Gold

I think that the installer command is the recommended/preferred route.

da_cli is obviously there and works but it is only mentioned twice in the CPUSE admin guide, and that is for troubleshooting.

sk92449 does have references to da_cli too but mostly for troubleshooting.

sk177714 is linked in that sk and also in sk162365 but they do have recommended next to the CPUSE portal (Gaia Portal) and they do show da_cli, although it is after the installer command (second priority for CLI command choice).

 

I only use the installer command and appreciate that CloudGuard deployments can have Expert mode as the default shell so that da_cli may be chosen over installer, and also that they document da_cli in the sk articles (and therefore are seen to support it) but as a rule they recommend CLISH as the shell for configuration changes (and CPUSE too as I see it).

The only time I see da_cli is when I am monitoring processes running during upgrades and major changes, using the htop or top commands.

My 2 cents.

 

the_rock
MVP Gold

I agree Don. To me, that also sounds totally logical.

Andy

0 Kudos
Duane_Toler
MVP Silver

Sure I'll try that:

mercury> installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
Info: Initiating Import from cloud of aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)

^C
mercury> show installer packages
**  ************************************************************************* **
**                                 Hotfixes                                   **
**  ************************************************************************* **
Display name                                                                                    Status                    
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 105                                      Installed as part of      
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 113                                      Installed                 
R81.20 Jumbo Hotfix Accumulator Take 115                                                        Available for Download    
SecurePlatform_HOTFIX_R81_20_JHF_T41_324_MAIN_GA_FULL.tgz                                       Installed as part of      
fw1_wrapper_HOTFIX_R81_20_JHF_T65_058_MAIN_GA_FULL.tgz                                          Installed as part of      
mgmt_wrapper_HOTFIX_R81_20_JHF_T113_323_MAIN_GA_FULL.tgz                                        Imported                  
**  ************************************************************************* **
**                                   HFAs                                     **
**  ************************************************************************* **
Display name                                                                                    Status                    
R81.20 SmartConsole Build 671                                                                   Available for Download    

Nope, no go.

/opt/CPInstLog/DeploymentAgent.log shows the same routine and ultimately failed to find the package, just as with da_cli.

 

Just to be complete.. let's try it the other way:

mercury> installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
Info: Initiating Import from cloud of aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)

^C
mercury> show installer packages
**  ************************************************************************* **
**                                 Hotfixes                                   **
**  ************************************************************************* **
Display name                                                                                    Status                    
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 105                                      Installed as part of      
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 113                                      Installed                 
R81.20 Jumbo Hotfix Accumulator Take 115                                                        Available for Download    
SecurePlatform_HOTFIX_R81_20_JHF_T41_324_MAIN_GA_FULL.tgz                                       Installed as part of      
fw1_wrapper_HOTFIX_R81_20_JHF_T65_058_MAIN_GA_FULL.tgz                                          Installed as part of      
mgmt_wrapper_HOTFIX_R81_20_JHF_T113_323_MAIN_GA_FULL.tgz                                        Imported                  
**  ************************************************************************* **
**                                   HFAs                                     **
**  ************************************************************************* **
Display name                                                                                    Status                    
R81.20 SmartConsole Build 671                                                                   Available for Download    
mercury> 

 

Nope, still no go.  DeploymentAgent.log has the same info.  Failed to find package on the server.

da_cli add_private_package is the interface that's run when "import cloud" is used with the "installer" command:

"private package update request"

[2025-10-01 - 17:09:08][12355 12355][HIGH DALOG_NORMAL]: ===>>> action id="183" has started <<<===
[2025-10-01 - 17:09:08][12355 12355][HIGH MSG_RECIEVED_PRIV_PKG_REQUEST]: Received request for a new private package.
[2025-10-01 - 17:09:08][12355 12355][HIGH MSG_ADDING_PRIV_PKG]: Adding a new private package : aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
[2025-10-01 - 17:09:08][12355 12355][HIGH DALOG_NORMAL]: Received a private package update request: aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
[2025-10-01 - 17:09:08][12355 12355][HIGH DALOG_NORMAL]: Trying to get CKs list.
[2025-10-01 - 17:09:08][12355 12355]:Using filter OS: Gaia
[2025-10-01 - 17:09:16][12355 12355][HIGH MSG_DC_DETAILS]: Connected to https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl; authentication: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
[2025-10-01 - 17:09:16][12355 12355][HIGH DALOG_NORMAL]: Setting update failure reason to: 0

 

So maybe there's something else odd and goofy.  This is a CloudGuard management host but it's BYOL and has an NGSM-5 license.  Maybe this is yet another TAC case...

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Gold

Wish I had CP in Azure to try this on, but I tested it on regular VM and that failed too : - (

Andy

 

0 Kudos
