Re: How to install Hotfix on R80.10 VSX

Nilesh_Sonkusa1 · ‎2019-04-10

Hi Team ,

Is any document for Video available for how to install hotfix on R80.10 VSX mode .

Daniel_Taney · ‎2019-04-10

Since there is no WebUI, the recommended way would be to use CPUSE through the CLI in CLISH.

The basic steps would be to SCP the hotfix bundle onto the Gateway. Take note of the full path and filename where you store it.

In CLISH, run installer import local <path-to-file>

This will import the Hotfix into the CPUSE Repository.

Then I would recommend doing installer verify and hit tab. It should pause for a second and show you the list of packages that can be installed. The hotfix you just imported should be in there. Select the number associated with the hotfix. The verify will run to make sure it is compatible.

If it is compatible, you should be able to initiate the installation with installer install and hit tab again. Complete the command by selecting the same hotfix as before. The install will kick off in the background. You can use the command show installer status to see its progress.

R80 CCSA / CCSE

Daniel_Taney · ‎2019-04-10

If you get errors about the package being not compatible or not for the right version, you may need to update your CPUSE Agent version.

The details of that are here.

Installing this will be non-disruptive to the Gateway.

Download the .tar file and SCP it to the Gateway. From the CLI:

tar -zxvf DeploymentAgent_<build>.tgz

and then

rpm -Uhv --force CPda-00-00.i386.rpm

Once that installs, make sure the Deployment Agent is running again with $DADIR/bin/dastart

Now you should be able to attempt the previous process again.

R80 CCSA / CCSE

G_W_Albrecht · ‎2019-04-10

Have a look here: sk92449: Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Nick_Doropoulos · ‎2019-04-10

In the same vein to what everybody has suggested, I would follow the offline installation found in the CPUSE guide already referenced (after having specified the id of the virtual instance I would expect with the vsenv [id] command):

Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

Install the latest build of CPUSE Agent from sk92449.
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
Show the imported packages:
Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.10 Jumbo hotfix T<number> for sk116380"
HostName:0> show installer packages imported
Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
HostName:0> installer verify <Package_Number>
Install the imported package:
HostName:0> installer install <Package_Number>

Jumbo Hotfix Accumulator Take 103 in particular happens to be based on R80.10 and supported for VSX deployments (sk116380 for more info).

I hope this helps.

Nilesh_Sonkusa1 · ‎2019-04-23

HI Team ,

Please suggest someone how can I check which Hotfix is already installed on my R80.10 VSX firewall .Need to know which hotfix is installed & which is pending for installation so I can scheduled .

Is any path need to follow before installed any new Jumbo hotfix or I can install any hotfix .

Thanks in advance for replay my message ,

Maik · ‎2019-04-23

Hey,

Check sk116380 in order to receive all the answers to your questions 😉

Need to know which hotfix is installed & which is pending for installation so I can scheduled .

To check the Take number of the currently installed R80.10 Jumbo Hotfix Accumulator (if it is installed): [Expert@HostName:0]# cpinfo -y all

Is any path need to follow before installed any new Jumbo hotfix or I can install any hotfix .

The package verification will check if the targeted package is compatible with the current installed packages. Usually jumbo hotfixes for a specific version (e.g. R80.10 in your case) are compatible to each other (w. incrementing releases/versions).

Regards,

Maik

Nilesh_Sonkusa1 · ‎2019-05-24

Hi Team ,

Checkpoint TAC suggested me for before installing the Hotfix please verify that the CPuse agent upgraded to the latest version.

Can someone explain me how to upgrade CPuse agent on R80.10 VSX firewall and how to check its latest or not .

My firewall not connected to internet .I need to upgrade this agent in offline mode .

Thanks in advance for replay my query .

Daniel_Taney · ‎2019-05-24

In CLISH, run show installer status build

If you cannot connect to the Internet, you can download the offline installer in this sk.

Go to Section 3: Download The Latest Build Of The CPUSE Agent to get the link. Then simply SCP/FTP this over to your GW and run:

tar -zxvf DeploymentAgent_<build>.tgz

rpm -Uhv --force CPda-00-00.i386.rpm

$DADIR/bin/dastart

You should be able to do this with zero interruption to the Gateway.

R80 CCSA / CCSE

Vladimir · ‎2019-05-24

Any downside to the approach listed below?

If VSX has Internet connectivity:

1. Check the version of the CPUSE agent

2. If it is a single VSX, perform "set vsx off"

3. If it is a Cluster HA, "set vsx off" on a standby

4. Use WebUI to update the agent, download, verify and install the JHFA

5. "set vsx on"

6. If cluster HA, failover to the upgraded member

7. Rinse and repeat on remaining cluster member

Depending on the currently installed JHFA, CPUSE agent may be updated from WebUI

If this functionality is not yet shown in WebUI, update CPUSE agent in "offline mode" as was shown by others in this thread.

It would not hurt to pre-download both, the CPUSE agent and the JHFA to have an option for offline installation.

Jesus_Cano · ‎2019-06-11

I have to install the lastest HF in VSX gateways. So whats commands are necessary to failover the cluster??

cluster_XL admin down/up like a normal cluster without VSX?

Daniel_Taney · ‎2019-06-11

Are you running in VSLS mode?

R80 CCSA / CCSE

Jesus_Cano · ‎2019-06-11

i dont know. How can i know it?

Maik · ‎2019-06-11

Execute "cphaprob stat" in VS0 and check the information after "Cluster Mode".

If it says Virtual System Load Sharing, then you are running VSLS.

Jesus_Cano · ‎2019-06-11

[Expert@V_R80.10:0]# cphaprob state

Cluster Mode: VSX High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 2.2.2.1 100% Active
2 2.2.2.2 0% Standby

Local member is in current state since Tue Apr 23 08:07:02 2019

[Expert@VR80.10:0]# vsx get
Current context is VSX Gateway 1_R80.10 (ID 0).
[Expert@VR80.10:0]# vsenv 1
Context is set to Virtual Device VSR80.10_INT (ID 1).
[Expert@VR80.10:1]# cphaprob state

Cluster Mode: VSX High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 2.2.2.1 100% Active
2 2.2.2.2 0% Standby

Local member is in current state since Tue Apr 23 08:07:02 2019

I think is not enabled.

Daniel_Taney · ‎2019-06-11

No, it doesn't look like you have VSLS enabled. Given that, I think you should be ok with clusterXL_admin down

R80 CCSA / CCSE

Daniel_Taney · ‎2019-06-11

As reference for anyone who needs to do this with VSLS enabled, this sk article outlines the steps.

R80 CCSA / CCSE

Are you a member of CheckMates?

How to install Hotfix on R80.10 VSX