- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: R82 upgrade for Azure
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R82 upgrade for Azure
Can someone explain the inconsistency with sk177714 (in-place upgrade of an R81.20 SmartCenter in CloudGuard) versus what is actually happening on the server?
Sep 25 18:33:03 2025 mercury xpand[8775]: admin localhost t +installer:action_result Failed to add the package (Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz)
The following results are not compatible with the package:
- Check package compatibility with this version
- Machine is 'azure' cloud environment
This installation package is not supported on Cloud environments (Microsoft Azure, Google Cloud, Amazon Web Service and Aliyun)
Same thing for the Blink package:
Sep 25 18:27:18 2025 mercury xpand[8775]: admin localhost t +installer:action_result Failed to add the package (Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz)
The following results are not compatible with the package:
- Machine is 'azure' cloud environment
This installation package is not supported in these cloud environments: Amazon Web Service, Microsoft Azure, Google Cloud, and Aliyun.
So.... is in-place upgrade supported or not? As it stands, the DDR policy isn't allowing it. Any ideas?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Last time I did this, I just ended up doing it from web UI, like regular Gaia and worked fine.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sadly, the package isn't being added to the repository, so it's not selectable. I even tried to force it by adding the package manually. The metadata comes across but it refuses to add to the repository:
[Expert@mercury:0]# da_cli add_private_package package=Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz
{
"Action ID" : "169",
"Message" : "add_private_package command delivered to service.",
"Package" : "Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz"
}
[Expert@mercury:0]# da_cli get_status_of_action actionID=169
{
"Action ID" : "169",
"Action Type" : "Add_Private_Package",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "Failed to add the package (Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz)\nThe following results are not compatible with the package:\n\n - Machine is 'azure' cloud environment\n\n\nThis installation package is not supported in these cloud environments: Amazon Web Service, Microsoft Azure, Google Cloud, and Aliyun.\nThis installation package may not be supported on your appliance model or server.\nThis installation package supported only on 64-bit CPU.\nFor the latest software images for Check Point appliances, see sk120193.\nFor support of R81 on Open Servers, see sk166715.",
"Package" : "Blink_image_1.1_Check_Point_R82_T777_JHF_T39_SecurityManagement.tgz",
"Progress" : "0",
"Status" : "failure"
}
That's when I tried the generic package and it did the same thing:
[Expert@mercury:0]# da_cli add_private_package package=Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
{
"Action ID" : "171",
"Message" : "add_private_package command delivered to service.",
"Package" : "Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz"
}
[Expert@mercury:0]# da_cli get_status_of_action actionID=171
{
"Action ID" : "171",
"Action Type" : "Add_Private_Package",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "Failed to add the package (Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz)\nThe following results are not compatible with the package:\n\n - Check package compatibility with this version\n\n\n\n - Machine is 'azure' cloud environment\n\n\nThis installation package is not supported on Cloud environments (Microsoft Azure, Google Cloud, Amazon Web Service and Aliyun)\nThis installation package may not be supported on your appliance model.\nFor the latest software images for Check Point appliances, see sk166536\nThis installation package may not be supported on your server.\nThe installation is supported only on servers with standard Check Point partition formats.\nThis installation package is not supported if you have an NSX-V Data Center object",
"Package" : "Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "0",
"Status" : "failure"
}
Boo. 😞
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree, boo : - (
Anywho, here is my ?...what do you see in updates tab at the bottom left of web UI? If you select all packages, can you attach a screenshot? Is CPUSE updated to latest build?
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the upgrade package linked in sk177714 to do this?
Other packages may not be supported for this purpose.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh! Fair enough, my fault for not clicking the link, I did miss that; I didn't see there was a special package. However, I tried to add that to the repository and it still complained saying it couldn't even find that package to download/import:
[Expert@mgmt01:0]# da_cli add_private_package package=aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
{
"Action ID" : "167",
"Message" : "add_private_package command delivered to service.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar"
}
[Expert@mgmt01:0]# da_cli get_status_of_action actionID=167
{
"Action ID" : "167",
"Action Type" : "Add_Private_Package",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "The package 'aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar' does not exist in the Check Point cloud.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "0",
"Status" : "failure"
}
I had to use a different host because my other one had to have a private hotfix which I know breaks upgrades. This host doesn't have any of those.
I downloaded that "aio" package manually and imported it locally which did work. Yet this particular VM needed an LVM disk expansion and the DDR policy apparently doesn't like that (sigh).
So... I tried this package on another Azure CloudGuard management server that's still in a "pristine" state. Again I had to download the package locally and import it manually. The package imported and verified successfully. I need to do a JHF update first before upgrading, tho.
[Expert@moon:0]# da_cli get_status_of_action actionID=214
{
"Action ID" : "214",
"Action Type" : "Verify",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "{\"clean-install\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"Installation is allowed.\"}],\"success\":true},\"install\":{\"applicable\":false,\"messages\":null,\"success\":false},\"upgrade\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"Upgrade is allowed.\"}],\"success\":true},\"warning-install\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"(1 warnings) \\n • A Jumbo Hotfix Accumulator (HFA) Take 105 is installed on this server. \\nRead more about the Jumbo (HFA) that aligns with your current Jumbo (HFA) in sk164258\\n \"}],\"success\":true},\"warning-upgrade\":{\"applicable\":true,\"messages\":[{\"message-code\":\"OK\",\"text\":\"(1 warnings) \\n • A Jumbo Hotfix Accumulator (HFA) Take 105 is installed on this server. \\nRead more about the Jumbo (HFA) that aligns with your current Jumbo (HFA) in sk164258\\n \"}],\"success\":true}}",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "100",
"Status" : "success"
}
Hopefully the "aio" package can be added as a private package so they don't have to be downloaded manually. That's quite a pain for a remote host like these. Otherwise, for pristine hosts, this should work.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found CPUSE doesn't like to download packages with a tar extension. You probably just need to change it to tgz, even though that's not really the right file name.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about the installer command (CLISH CPUSE/DA command) instead of da_cli?
installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just in case:
You would run 1 or 2:
1.
clish
installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
and then all other installer commands, as per the guide
exit to leave, unless the installer does the upgrade and reboots.
2.
clish -c 'installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar'
clish -c <--- for each installer command run
1 is better, and then type exit to go back to expert mode when done.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Duane,
Did you figure this out?
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope. The package can't be found with .tgz extension, either. Not available as a plain download:
[Expert@chkp01:0]# da_cli download package=aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
{
"Action ID" : "66",
"Message" : "download command delivered to service.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz"
}
[Expert@chkp01:0]# da_cli get_status_of_action actionID=66
{
"Action ID" : "66",
"Action Type" : "Download",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "Could not find the requested package.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "0",
"Status" : "failure"
}
Nor can it be added as a private package:
[Expert@chkp01:0]# da_cli add_private_package package=aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
{
"Action ID" : "67",
"Message" : "add_private_package command delivered to service.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz"
}
[Expert@chkp01:0]# da_cli get_status_of_action actionID=67
{
"Action ID" : "67",
"Action Type" : "Add_Private_Package",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "The package 'aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz' does not exist in the Check Point cloud.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "0",
"Status" : "failure"
}
Only recourse was to download it manually then import it locally. The .tar package that gets downloaded includes metadata stuff and the .tgz archive inside.
Oh well. I used my old school trickery to fetch the URL with the HashKey and pasted that to curl_cli on the host directly. I'm not downloading a 4.x GB file then turning around and scp'ing that back out! I only wish the downloads page still had its plain 'Download' link like it did before, rather than be hidden behind a JavaScript form button to generate it. 😕 Inconvenient, but I guess they did that to stop leeching that some script writers were doing. I still got it, tho.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will try that in the lab, but I never recall seeing sign = after word package.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Duane_Toler Sorry brother, did not have a chance to try this today, but definitely will tomorrow.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are 100% right, just tried it, same issue.
Andy
[Expert@CP-GW:0]# da_cli get_status_of_action actionID=35
{
"Action ID" : "35",
"Action Type" : "Download",
"DAService State" : "ready",
"ExtendedMessage" : "N/A",
"Message" : "Could not find the requested package.",
"Package" : "aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz",
"Progress" : "0",
"Status" : "failure"
}
[Expert@CP-GW:0]#
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about the CLISH installer command?
installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
I wouldn't use tgz since the file has the .tar extension (Cloud ID).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That seemed to work, yes.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that the installer command is the recommended/preferred route.
da_cli is obviously there and works but it is only mentioned twice in the CPUSE admin guide, and that is for troubleshooting.
sk92449 does have references to da_cli too but mostly for troubleshooting.
sk177714 is linked in that sk and also in sk162365 but they do have recommended next to the CPUSE portal (Gaia Portal) and they do show da_cli, although it is after the installer command (second priority for CLI command choice).
I only use the installer command and appreciate that CloudGuard deployments can have Expert mode as the default shell so that da_cli may be chosen over installer, and also that they document da_cli in the sk articles (and therefore are seen to support it) but as a rule they recommend CLISH as the shell for configuration changes (and CPUSE too as I see it).
The only time I see da_cli is when I am monitoring processes running during upgrades and major changes, using the htop or top commands.
My 2 cents.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree Don. To me, that also sounds totally logical.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure I'll try that:
mercury> installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar
Info: Initiating Import from cloud of aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tar...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
^C
mercury> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 105 Installed as part of
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 113 Installed
R81.20 Jumbo Hotfix Accumulator Take 115 Available for Download
SecurePlatform_HOTFIX_R81_20_JHF_T41_324_MAIN_GA_FULL.tgz Installed as part of
fw1_wrapper_HOTFIX_R81_20_JHF_T65_058_MAIN_GA_FULL.tgz Installed as part of
mgmt_wrapper_HOTFIX_R81_20_JHF_T113_323_MAIN_GA_FULL.tgz Imported
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Display name Status
R81.20 SmartConsole Build 671 Available for Download
Nope, no go.
/opt/CPInstLog/DepoymentAgent.log shows the same routine and ultimately failed to find the package, just as with da_cli.
Just to be complete.. let's try it the other way:
mercury> installer import cloud aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
Info: Initiating Import from cloud of aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
^C
mercury> show installer packages
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Display name Status
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 105 Installed as part of
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 113 Installed
R81.20 Jumbo Hotfix Accumulator Take 115 Available for Download
SecurePlatform_HOTFIX_R81_20_JHF_T41_324_MAIN_GA_FULL.tgz Installed as part of
fw1_wrapper_HOTFIX_R81_20_JHF_T65_058_MAIN_GA_FULL.tgz Installed as part of
mgmt_wrapper_HOTFIX_R81_20_JHF_T113_323_MAIN_GA_FULL.tgz Imported
** ************************************************************************* **
** HFAs **
** ************************************************************************* **
Display name Status
R81.20 SmartConsole Build 671 Available for Download
mercury>
Nope, still no go. DeploymentAgent.log has the same info. Failed to find package on the server.
da_cli add_private_package is the interface that's ran when "import cloud" is used with the "installer" command:
"private package update request"
[2025-10-01 - 17:09:08][12355 12355][HIGH DALOG_NORMAL]: ===>>> action id="183" has started <<<===
[2025-10-01 - 17:09:08][12355 12355][HIGH MSG_RECIEVED_PRIV_PKG_REQUEST]: Received request for a new private package.
[2025-10-01 - 17:09:08][12355 12355][HIGH MSG_ADDING_PRIV_PKG]: Adding a new private package : aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
[2025-10-01 - 17:09:08][12355 12355][HIGH DALOG_NORMAL]: Received a private package update request: aio_Check_Point_R82_T777_Gaia_Install_and_Upgrade.tgz
[2025-10-01 - 17:09:08][12355 12355][HIGH DALOG_NORMAL]: Trying to get CKs list.
[2025-10-01 - 17:09:08][12355 12355]:Using filter OS: Gaia
[2025-10-01 - 17:09:16][12355 12355][HIGH MSG_DC_DETAILS]: Connected to https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl; authentication: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
[2025-10-01 - 17:09:16][12355 12355][HIGH DALOG_NORMAL]: Setting update failure reason to: 0
So maybe there's something else odd and goofy. This is a CloudGuard management host but it's BYOL and has an NGSM-5 license. Maybe this is yet another TAC case...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wish I had CP in Azure to try this on, but I tested it on regular VM and that failed too : - (
Andy
