How to install Hotfix on R80.10 VSX
Hi Team,
Is there any document or video available on how to install a hotfix in R80.10 VSX mode?
Since there is no WebUI, the recommended way would be to use CPUSE through the CLI in CLISH.
The basic steps would be to SCP the hotfix bundle onto the Gateway. Take note of the full path and filename where you store it.
In CLISH, run installer import local <path-to-file>
This will import the Hotfix into the CPUSE Repository.
Then I would recommend doing installer verify and hit tab. It should pause for a second and show you the list of packages that can be installed. The hotfix you just imported should be in there. Select the number associated with the hotfix. The verify will run to make sure it is compatible.
If it is compatible, you should be able to initiate the installation with installer install and hit tab again. Complete the command by selecting the same hotfix as before. The install will kick off in the background. You can use the command show installer status to see its progress.
If you get errors about the package being not compatible or not for the right version, you may need to update your CPUSE Agent version.
The details of that are here.
Installing this will be non-disruptive to the Gateway.
Download the .tar file and SCP it to the Gateway. From the CLI:
tar -zxvf DeploymentAgent_<build>.tgz
and then
rpm -Uhv --force CPda-00-00.i386.rpm
Once that installs, make sure the Deployment Agent is running again with $DADIR/bin/dastart
Now you should be able to attempt the previous process again.
Have a look here: sk92449: Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent
In the same vein as what everybody has suggested, I would follow the offline installation found in the CPUSE guide already referenced (after having specified the ID of the virtual instance, I would expect, with the vsenv [id] command):
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
- Install the latest build of CPUSE Agent from sk92449.
- Connect to command line on target Gaia OS.
- Log in to Clish.
- Acquire the lock over Gaia configuration database:
HostName:0> lock database override
- Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
- Show the imported packages:
Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.10 Jumbo hotfix T<number> for sk116380"
HostName:0> show installer packages imported
- Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
HostName:0> installer verify <Package_Number>
- Install the imported package:
HostName:0> installer install <Package_Number>
Jumbo Hotfix Accumulator Take 103 in particular happens to be based on R80.10 and supported for VSX deployments (sk116380 for more info).
I hope this helps.
Hi Team,
Can someone please suggest how I can check which hotfix is already installed on my R80.10 VSX firewall? I need to know which hotfix is installed and which is pending installation so I can schedule it.
Is there any path that needs to be followed before installing a new Jumbo hotfix, or can I install any hotfix?
Thanks in advance for replying to my message,
Hey,
Check sk116380 in order to receive all the answers to your questions 😉
"I need to know which hotfix is installed and which is pending installation so I can schedule it."
- To check the Take number of the currently installed R80.10 Jumbo Hotfix Accumulator (if it is installed):
[Expert@HostName:0]# cpinfo -y all
"Is there any path that needs to be followed before installing a new Jumbo hotfix, or can I install any hotfix?"
- The package verification will check if the targeted package is compatible with the currently installed packages. Usually jumbo hotfixes for a specific version (e.g. R80.10 in your case) are compatible with each other (with incrementing releases/versions).
Regards,
Maik
Hi Team,
Check Point TAC suggested that, before installing the hotfix, I verify that the CPUSE agent is upgraded to the latest version.
Can someone explain to me how to upgrade the CPUSE agent on an R80.10 VSX firewall and how to check whether it is the latest or not?
My firewall is not connected to the internet. I need to upgrade this agent in offline mode.
Thanks in advance for replying to my query.
In CLISH, run show installer status build
If you cannot connect to the Internet, you can download the offline installer in this sk.
Go to Section 3: Download The Latest Build Of The CPUSE Agent to get the link. Then simply SCP/FTP this over to your GW and run:
tar -zxvf DeploymentAgent_<build>.tgz
rpm -Uhv --force CPda-00-00.i386.rpm
$DADIR/bin/dastart
You should be able to do this with zero interruption to the Gateway.
Any downside to the approach listed below?
If VSX has Internet connectivity:
1. Check the version of the CPUSE agent
2. If it is a single VSX, perform "set vsx off"
3. If it is a Cluster HA, "set vsx off" on a standby
4. Use WebUI to update the agent, download, verify and install the JHFA
5. "set vsx on"
6. If cluster HA, failover to the upgraded member
7. Rinse and repeat on remaining cluster member
Depending on the currently installed JHFA, the CPUSE agent may be updated from the WebUI.
If this functionality is not yet shown in WebUI, update CPUSE agent in "offline mode" as was shown by others in this thread.
It would not hurt to pre-download both, the CPUSE agent and the JHFA to have an option for offline installation.
I have to install the latest HF on VSX gateways. So what commands are necessary to fail over the cluster?
cluster_XL admin down/up like a normal cluster without VSX?
Are you running in VSLS mode?
I don't know. How can I know it?
Execute "cphaprob stat" in VS0 and check the information after "Cluster Mode".
If it says Virtual System Load Sharing, then you are running VSLS.
[Expert@V_R80.10:0]# cphaprob state
Cluster Mode: VSX High Availability (Active Up) with IGMP Membership
Number Unique Address Assigned Load State
1 (local) 2.2.2.1 100% Active
2 2.2.2.2 0% Standby
Local member is in current state since Tue Apr 23 08:07:02 2019
[Expert@VR80.10:0]# vsx get
Current context is VSX Gateway 1_R80.10 (ID 0).
[Expert@VR80.10:0]# vsenv 1
Context is set to Virtual Device VSR80.10_INT (ID 1).
[Expert@VR80.10:1]# cphaprob state
Cluster Mode: VSX High Availability (Active Up) with IGMP Membership
Number Unique Address Assigned Load State
1 (local) 2.2.2.1 100% Active
2 2.2.2.2 0% Standby
Local member is in current state since Tue Apr 23 08:07:02 2019
I think it is not enabled.
No, it doesn't look like you have VSLS enabled. Given that, I think you should be ok with clusterXL_admin down
As reference for anyone who needs to do this with VSLS enabled, this sk article outlines the steps.
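
The cluster-mode check discussed in the replies above (read the "Cluster Mode" line of cphaprob state, then patch the standby member first), as an added example that is not part of the original thread. The function names cluster_mode, local_state and patch_plan and the return codes are assumptions of this example; the sample input is the VS0 output posted in the thread.

```shell
#!/bin/bash
# Added example, not from the thread. Input: `cphaprob state` output on stdin.

# Sample input: the VS0 output posted in the thread above.
SAMPLE_HA='Cluster Mode: VSX High Availability (Active Up) with IGMP Membership
Number Unique Address Assigned Load State
1 (local) 2.2.2.1 100% Active
2 2.2.2.2 0% Standby
Local member is in current state since Tue Apr 23 08:07:02 2019'

# Print "vsls", "ha" or "unknown" from the "Cluster Mode:" line.
cluster_mode() {
    awk '/Cluster Mode:/ {
             found = 1
             if (/Virtual System Load Sharing/) print "vsls"
             else if (/High Availability/)      print "ha"
             else                               print "unknown"
             exit
         }
         END { if (!found) print "unknown" }'
}

# Print the state of the member marked "(local)" (last field of its row).
local_state() {
    awk '/\(local\)/ { print $NF; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Print the next step; return 0 only if this member can be patched now.
# Return codes (assumptions of this example): 1 = active member,
# 2 = VSLS, 3 = output not recognised.
patch_plan() {
    out=$(cat)
    mode=$(printf '%s\n' "$out" | cluster_mode)
    state=$(printf '%s\n' "$out" | local_state)
    case "$mode:$state" in
        vsls:*)     echo "VSLS enabled: use the VSLS-specific procedure"; return 2 ;;
        ha:Standby) echo "HA standby: install the hotfix on this member"; return 0 ;;
        ha:Active)  echo "HA active: patch the standby first, then fail over"; return 1 ;;
        *)          echo "Unrecognised output: check manually"; return 3 ;;
    esac
}

# On a gateway: cphaprob state | patch_plan
printf '%s\n' "$SAMPLE_HA" | patch_plan || true
```

Any output the parser does not recognise falls through to the manual-check branch, so an unexpected format never results in a "patch now" answer.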
