This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Platinum
MVP Platinum
‎2025-04-26 11:28 AM
Jump to solution

Installing jumbo hotfix on R82 vsnext/vsx

Hey guys,

Im no VSX expert by any means, but figured would share this in case anyone is stuck on it. I never realized when I installed R82 vsnext in the lab that web UI does not give an option to install new jumbo or upgrade,  so took me a while to figure out best way to install jumbo 14 on it.

First, I tried to upgrade package from cloud with installer import clish command, and though it worked, when I verified, passed fine, but then installing kept giving generic message saying to contact CP support for assistance.

I then downloaded .tar package from below link and ran below in clish -> [WARNING! Local Member] vsx-test-lab-s01-01:0> installer import local /var/log/jumbo/Check_Point_R82_JUMBO_HF_MAIN_Bundle_T14_FULL.tar

https://sc1.checkpoint.com/documents/Jumbo_HFA/R82/R82.00/R82_Downloads.htm

https://support.checkpoint.com/results/download/137326

After it imported, ran below:

WARNING! Local Member] vsx-test-lab-s01-01:0> installer in
[WARNING! Local Member] vsx-test-lab-s01-01:0> installer install
** ************************************************************************* **
** Hotfixes **
** ************************************************************************* **
Num Display name Type
1 R82 Jumbo Hotfix Accumulator Take 14

Info: Initiating install of Check_Point_R82_JUMBO_HF_MAIN_Bundle_T14_FULL.tgz...
Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)
Result: Package R82 Jumbo Hotfix Accumulator Take 14 was installed successfully.
[WARNING! Local Member] vsx-test-lab-s01-01:0>
Broadcast message from admin@vsx-test-lab-s01-01 (Sat Apr 26 14:26:17 2025):

The system is going down for reboot NOW!

Anyway, hope it helps anyone who may find themselves in similar situation.

Best,

Andy

Best,
Andy
0 Kudos
1 Solution

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-04-27 08:45 PM
Jump to solution

OK, so:

Scalable Platforms do not support installing patches from WebUI. This is because installation process accommodate all the SGMs in the group, and the WebUI doesn't allow for that. So you need to do it from gclish

What's gclish? It's global clish, You see in your output there a huge 'WARNING! Local Member' tag there. That's there because you shouldn't be configuring or patching anything in local clish when using a scalable platform. You should be in 'gclish' (it'll say 'Global' in the hostname) when doing pretty much anything. 

The normal 'installer' commands should work from gclish, so if you did an 'installer download etc' command from gclish, it will initiate the download of the patch on all active SGMs. If you download the patch and upload it to SGM1, and then in gclish on SGM1 do an 'installer import local etc' command, it will copy it to all active SGMs and then do the import. Now that the patch is imported on to all active SGMs, you can run the install from gclish, specifying which SGMs to install the patch on - do half at a time to avoid outages. I recommend you do the 'top' half first as it's a nicer workflow. So, 'installer install 1 member_ids 1_2' to install it on SGM2, then once it's patched and rebooted and active do it on SGM1. 

View solution in original post

11 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-04-27 06:50 AM
Jump to solution

I do have a vsx question for true vsx experts out there and please forgive me if this sounds like a DUMB question, but I cant seem to figure it out for the life of me : - )

I dont see an option in smart console when you create vsnext object to change web UI port to custom one, and when I do it from clish with set web ssl-port command to 4434 and save config, every time I reboot the box, it defaults back to 443...any idea if there is a way to keep the custom port?

@Lesley   @Timothy_Hall  @Chris_Atkinson 

Best,

Andy

Best,
Andy
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2025-04-27 01:32 PM
In response to the_rock
Jump to solution

I've yet to build a LAB (unless someone can tellme how to get this working in VMWare Workstation).
But I wondering it it may be  'g_' command.

I'm also curious to see how a SMO object works for managing different VSs.

Also surprise that jumbo can only only be installed in the traditional why for VSX.  I thought everything was done in the WEBUI now, and I guess for Jumbos in VS0, also if I'm correct you only should need to do this on the active now (if running ElasticXL).

What I don't know is if the old jumbo is uninstalled first then the new one is installed as I do this to ensure space is not lost over time.

 

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-27 01:52 PM
In response to genisis__
Jump to solution

See the video of what web UI looks like, no option anywhere to update jumbo or change port in smart console.

Andy

Best,
Andy
Preview file
5091 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-27 04:16 PM
In response to genisis__
Jump to solution

FWIW, I even changed to port 4434 instead of 443 in /web/conf/httpd2.conf, set ssp port in clish to 4434, rebooted, but it defaulted again to 443. I really believe thats how it is for VSX...but not 100% positive, just my logical assumption.

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-04-27 08:50 PM
In response to the_rock
Jump to solution

In old VSX there was never a web portal available to virtual systems, so the option to configure the port didn't exist. Seems it hasn't been added to VSNext configuration but there's a default '443' value in the policy so your manual config gets reverted when the policy is installed on reboot.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-27 09:10 PM
In response to emmap
Jump to solution

So is there any way to keep custom port for web ui that would survive the reboot?

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-27 06:27 PM
Jump to solution

Please submit feedback on the applicable documentation if it is unclear for you, see:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ScalablePlatforms_AdminGuide/Conte...

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-27 06:32 PM
In response to Chris_Atkinson
Jump to solution

Thanks Chris. I checked that doc yesterday as well, but cant find anything on eithewr web UI custom port or installing jumbo from web UI, so I can only logically assume its either not possible or not supported, or both : - )

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-04-27 08:45 PM
Jump to solution

OK, so:

Scalable Platforms do not support installing patches from WebUI. This is because installation process accommodate all the SGMs in the group, and the WebUI doesn't allow for that. So you need to do it from gclish

What's gclish? It's global clish, You see in your output there a huge 'WARNING! Local Member' tag there. That's there because you shouldn't be configuring or patching anything in local clish when using a scalable platform. You should be in 'gclish' (it'll say 'Global' in the hostname) when doing pretty much anything. 

The normal 'installer' commands should work from gclish, so if you did an 'installer download etc' command from gclish, it will initiate the download of the patch on all active SGMs. If you download the patch and upload it to SGM1, and then in gclish on SGM1 do an 'installer import local etc' command, it will copy it to all active SGMs and then do the import. Now that the patch is imported on to all active SGMs, you can run the install from gclish, specifying which SGMs to install the patch on - do half at a time to avoid outages. I recommend you do the 'top' half first as it's a nicer workflow. So, 'installer install 1 member_ids 1_2' to install it on SGM2, then once it's patched and rebooted and active do it on SGM1. 

the_rock
MVP Platinum
MVP Platinum
‎2025-04-27 09:12 PM
In response to emmap
Jump to solution

Thank you!

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-28 05:11 PM
In response to emmap
Jump to solution

Thanks Emma for amazing explanation, that was super helpful.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events