oconnork
Contributor

Cannot use the Central deployment tool on R80.40 gateways


Hello team,

When I try to use the CDT on R80.40 gateways, I get the following message and the execution stops.


************************************************
An error has occurred in stage DA cloud packages prevention of machine cnlgnfwa0002:

Error code 31 - CPUSE cannot be prevented from searching for new packages while installing.
Try again and Contact Check Point support if this problem persists.

 

When I look deeper in the log files I can see this error:

Error code 41 - Error executing a CPUSE operation on a remote machine.
************************************************

Mon Sep 26 09:37:14 2022 *N* [Main]: Restoring initial configuration on dehnvfwa0002 - DA cloud packages prevention
Mon Sep 26 09:37:15 2022 *E* [Main]: DA cloud packages prevention Cleanup error:
************************************************
Invalid format in da_cli response.
Error: Parameter is not a valid configuration key, please make sure argument list is correct and match allowed keys.[PING_TRACE,PING_DEBUG,IS_INSTALLED_HOTFIXES_SEND_DISABLED,ENFORCE_NEW_DA,FORCE_OFFLINE]


Try again and Contact Check Point support if this problem persists.

Details:
--------
The build of the installed Deployment Agent must be 2131 or higher.

 

 

I would like to add that the same deployment plan works on R80.20 gateways but fails only on R80.40 :(.

I'm using the CDT to update the Deployment Agent because my gateways don't have access to the internet/Check Point Cloud.

But it looks like the CDT needs the DA to be updated before it can be used. Am I correct?

If yes, I believe that means I will have to upload the file manually on all gateways and install it manually on each of them, and only then will I be able to use the CDT. Is that also correct?

Is there a way to bypass that check and let me use the CDT to at least install the latest DA first?

I also tried the simplest deployment plan to install the latest DA, but I still get the same error message.

Here is my CDT deployment plan to install the latest DA:

<CDT_Deployment_Plan>
<plan_settings>
<name value="Test install DA" />
<description value="This DP is to install DA" />
<update_cpuse value="false" />
<connectivityupgrade value="false" />
</plan_settings>
<push_file local_path="/home/admin/DA/DeploymentAgent_000002229_1.tgz" remote_path="/var/log/DeploymentAgent_000002229_1.tgz" />
<execute_command command="clish -c 'installer agent install /var/log/DeploymentAgent_000002229_1.tgz'" />
<execute_command command="rm /var/log/DeploymentAgent_000002229_1.tgz" />
<log level="NORMAL" value="Logs script" />
</CDT_Deployment_Plan>

 

Thanks in advance for your replies,

0 Kudos

6 Replies

Not sure about bypassing the check. Absolute worst case, you could use cprid_util to copy the new Deployment Agent to the destinations and install it. It would be a bit more manual than CDT, but not hugely so. Something like this:

cprid_util -server <Firewall IP> putfile -local_file "/home/admin/DA/DeploymentAgent_000002229_1.tgz" -remote_file "/var/log/DeploymentAgent_000002229_1.tgz" -perms 0444
cprid_util -server <Firewall IP> rexec -rcmd clish -c \"installer agent install /var/log/DeploymentAgent_000002229_1.tgz\"
cprid_util -server <Firewall IP> rexec -rcmd rm /var/log/DeploymentAgent_000002229_1.tgz
0 Kudos
oconnork
Contributor

Exactly what I thought.

I modified the script given here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... to match my needs.

Here it is, in case it can help someone else:

This script can be used to install a Deployment Agent package on multiple gateways.

To make this script work, pass as an argument a text file named gatewaysIP.txt:
./scriptname gatewaysIP.txt
Inside the text file gatewaysIP.txt, add the IP of each gateway on which the script needs to run.

If you use an MDS environment, you must enter the domain before running the script:

mdsenv domain_IP

In the script, modify these variables to match the path of the Deployment Agent to be installed:

$path = the path where your Deployment Agent is

$file = the exact filename (with extension) of the Deployment Agent to be installed

#!/bin/bash
# Load the Check Point environment so cprid_util is on the PATH
source /etc/profile.d/CP.sh

LOGFILE=mylog.txt
touch "$LOGFILE"

echo "==================================" >> "$LOGFILE"
echo "$(/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss)" >> "$LOGFILE"
echo "==================================" >> "$LOGFILE"


# The gateway list is passed as the only argument
if [ $# -eq 1 ]
then
GATEWAYS="$1"
else
echo "Please add the text file as an argument"
exit 1
fi


which cprid_util 1> /dev/null 2> /dev/null
if [ "$?" -ne 0 ];
then
echo -e "\nCould not find the 'cprid_util' executable. Exiting..." | tee -a "$LOGFILE"
exit 1
fi

if [ ! -f gatewaysIP.txt ];
then
echo "Could not find the list of managed Security Gateways -" | tee -a "$LOGFILE"
echo "the 'gatewaysIP.txt' file in the current directory $(pwd)" | tee -a "$LOGFILE"
exit 2
fi

# Local path and filename of the Deployment Agent package to install
path="/mypath/"
file="DeploymentAgent_000002229_1.tgz"
filetosend=$path$file

# Where the package is copied on each gateway
remotepath="/var/log/"
remotefile=$remotepath$file

# Show the DA build before and after the install. The install and the cleanup
# must use the full remote file path ($remotefile), not the directory ($remotepath).
input="clish -c 'show installer status build' && clish -c 'installer agent install $remotefile' && rm -f $remotefile && clish -c 'show installer status build'"


# One line per gateway: IP;hostname;output (the unquoted $(...) joins multi-line output onto one line)
while read -r GATEWAY
do
echo -n "$GATEWAY;" | tee -a "$LOGFILE"
echo $(cprid_util -server "$GATEWAY" -verbose putfile -local_file "$filetosend" -remote_file "$remotefile") | tee -a "$LOGFILE"
echo $(cprid_util -server "$GATEWAY" -verbose rexec -rcmd /bin/bash -c "hostname && echo -n ';' && $input") | tee -a "$LOGFILE"
done < "$GATEWAYS"

 

 

That script as written requires an argument, which it then reads as a file. It also requires a file named "gatewaysIP.txt" to exist, but it doesn't use it for anything. Might want to pick one way or the other. 😉

It's also hard-coded to only work with the one Deployment Agent package. When 2234 or whatever comes out, you would need to edit the script to distribute it.

Neither of these is really a big problem. I just think they're worth documenting in case anybody comes along later and is confused by why this exact script does something they didn't expect.

0 Kudos
oconnork
Contributor

You are right, I modified my post to detail how to execute the script.

But you may also use this script as a good starting point to run commands on multiple gateways.

For those who want to run arbitrary commands on multiple remote gateways, you can use almost the same script.

See the script below; just modify the variable input and put the command you want to run on your gateways.
The output will look something like this:


==================================
26-Sep-2022_16h-06m-21s
==================================
10.X.X.X;gateway1 ;This is Check Point's software version R81.10 - Build 020
10.X.X.X;gateway2 ;This is Check Point's software version R81.10 - Build 020

...

 

#!/bin/bash

LOGFILE=mylog.txt
touch "$LOGFILE"

echo "==================================" >> "$LOGFILE"
echo "$(/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss)" >> "$LOGFILE"
echo "==================================" >> "$LOGFILE"


# The gateway list is passed as the only argument
if [ $# -eq 1 ]
then
GATEWAYS="$1"
else
echo "Please add the text file as an argument"
exit 1
fi


which cprid_util 1> /dev/null 2> /dev/null
if [ "$?" -ne 0 ];
then
echo -e "\nCould not find the 'cprid_util' executable. Exiting..." | tee -a "$LOGFILE"
exit 1
fi

if [ ! -f gatewaysIP.txt ];
then
echo "Could not find the list of managed Security Gateways -" | tee -a "$LOGFILE"
echo "the 'gatewaysIP.txt' file in the current directory $(pwd)" | tee -a "$LOGFILE"
exit 2
fi

# Change here the fw ver by the command you want to run on the gateways
input="fw ver"

# One line per gateway: IP;hostname;command output (the unquoted $(...) joins multi-line output onto one line)
while read -r GATEWAY
do
echo -n "$GATEWAY;" | tee -a "$LOGFILE"
echo $(cprid_util -server "$GATEWAY" -verbose rexec -rcmd /bin/bash -c "hostname && echo -n ';' && $input") | tee -a "$LOGFILE"
done < "$GATEWAYS"

 

0 Kudos
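Both scripts above (the Deployment Agent installer and the generic run-a-command loop) share the same loop and the two weak spots the earlier reply pointed out: the file check and the argument disagree, and the package name is hard-coded. The following is an added example, not code from the thread or from Check Point: it reads the gateway list only from its argument, skips blank and comment lines and rejects entries that are not dotted-quad addresses, checks the installed Deployment Agent build against the minimum quoted in the CDT error text (2131) and only pushes the package where it is needed, re-checks after the install, and writes one status line per gateway. The cprid_util calls use the same putfile and rexec forms shown in the thread; the package path defaults to the one in the question and can be overridden with DA_PACKAGE. Two things are assumptions: the build parser takes the last run of digits in the output of clish -c "show installer status build" as the build number, because the exact wording of that output is not shown in the thread, and the sample gateway list and output line used to exercise the helpers are constructed.

```shell
#!/bin/bash
# Added example, not from the thread: Deployment Agent rollout over cprid_util
# with a build check before and after the install.
#
# Assumptions (not on the page): MIN_BUILD comes from the CDT error text
# ("must be 2131 or higher"); extract_build takes the LAST run of digits in
# the output of 'clish -c "show installer status build"' as the build number,
# because the exact wording of that output is not shown in the thread.

MIN_BUILD=2131
DA_PACKAGE="${DA_PACKAGE:-/home/admin/DA/DeploymentAgent_000002229_1.tgz}"
REMOTE_DIR="/var/log"
LOGFILE="${LOGFILE:-da_rollout.log}"

# Print the build number found in 'show installer status build' output
# (assumption: last run of digits); prints nothing when no digits are present.
extract_build() {
    printf '%s\n' "$1" | tr -c '0-9\n' ' ' | awk '{ for (i = 1; i <= NF; i++) b = $i } END { print b }'
}

# Succeed when the build is numeric and at or above MIN_BUILD.
build_ok() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_BUILD" ]
}

# Read a gateway list file: drop blank lines and '#' comments, trim whitespace,
# emit only dotted-quad entries (shape check only) and report anything else on stderr.
parse_gateway_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -z "$line" ] && continue
        if printf '%s\n' "$line" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
            printf '%s\n' "$line"
        else
            printf 'skipping invalid gateway entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Remote primitives, in the putfile / rexec forms used in the thread.
run_remote() {    # run_remote <gateway> <command string>
    cprid_util -server "$1" rexec -rcmd /bin/bash -c "$2"
}
push_package() {  # push_package <gateway> <local file> <remote file>
    cprid_util -server "$1" putfile -local_file "$2" -remote_file "$3" -perms 0444
}

# Upgrade one gateway and print 'ip;hostname;build_before;build_after;result'.
# Returns non-zero when the gateway still needs attention.
upgrade_gateway() {
    local gw="$1" remote_file host before after
    remote_file="$REMOTE_DIR/$(basename "$DA_PACKAGE")"
    host="$(run_remote "$gw" hostname)"
    before="$(extract_build "$(run_remote "$gw" 'clish -c "show installer status build"')")"
    if build_ok "$before"; then
        printf '%s;%s;%s;%s;already-ok\n' "$gw" "$host" "$before" "$before"
        return 0
    fi
    if ! push_package "$gw" "$DA_PACKAGE" "$remote_file"; then
        printf '%s;%s;%s;;push-failed\n' "$gw" "$host" "$before"
        return 1
    fi
    # Install, then remove the package whatever happened; the re-check below decides the result.
    run_remote "$gw" "clish -c 'installer agent install $remote_file'; rm -f '$remote_file'" >/dev/null
    after="$(extract_build "$(run_remote "$gw" 'clish -c "show installer status build"')")"
    if build_ok "$after"; then
        printf '%s;%s;%s;%s;upgraded\n' "$gw" "$host" "$before" "$after"
        return 0
    fi
    printf '%s;%s;%s;%s;still-below-minimum\n' "$gw" "$host" "$before" "$after"
    return 1
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 <gateway-list-file>" >&2; return 1; }
    [ -f "$1" ] || { echo "gateway list '$1' not found" >&2; return 2; }
    command -v cprid_util >/dev/null 2>&1 || { echo "cprid_util not found; run on the management server (mdsenv <domain> first on an MDS)" >&2; return 1; }
    printf '=== %s ===\n' "$(date +%d-%b-%Y_%Hh-%Mm-%Ss)" >> "$LOGFILE"
    local failures=0 gw line
    for gw in $(parse_gateway_list "$1"); do   # entries contain no whitespace, so word splitting is safe
        if line="$(upgrade_gateway "$gw")"; then :; else failures=$((failures + 1)); fi
        printf '%s\n' "$line" | tee -a "$LOGFILE"
    done
    echo "gateways still needing attention: $failures" | tee -a "$LOGFILE"
    return "$failures"
}

# Run the rollout only when a list file is given, e.g. ./da_rollout.sh gatewaysIP.txt
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The exit status of main is the number of gateways that still need attention, so a scheduler or a wrapper script can tell a clean run from a partial one without parsing the log. Because the hostname and the two build readings are collected per gateway, the log also records which machines were already at or above the minimum and were therefore left untouched.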
Will_H
Contributor

I would say your deployment plan isn't quite right, or maybe this is just a scenario you are testing.

If you want to just move a file, I have given an example deployment plan for that below. This is just an example, because if you really wanted to move this file to a gateway and import it into the repository you would use this command in the deployment plan: <import_package path="/home/admin/Check_Point_R81.10_T335_Fresh_Install_and_Upgrade.tar" />

  1. I only use advanced deployment plans; the regular ones never really seemed to fit the bill.
  2. If the main objective is to ensure the CPUSE agent is updated, then CDT will do that for you automatically; no need to write those steps out in your deployment plan.
  3. This setting in the deployment plan, <update_cpuse value="true" />, will update the CPUSE agent.
    1. I think this is the same version & file as on the management station. I too need to confirm this point with Check Point.

 

<?xml version="1.0" encoding="UTF-8"?>
<CDT_Deployment_Plan>
<plan_settings>
<name value="Example Deployment Plan" />
<description value="Example Deployment Plan - Move a file" />
<update_cpuse value="true" />
<connectivityupgrade value="true" />
</plan_settings>

<!-- Move a file to gateway -->
<push_file local_path="/home/admin/Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T66_FULL.tar" remote_path="/var/log/upload/Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T66_FULL.tar" />

<!-- Notifications during execution -->
<log level="NORMAL" value="I Moved this File for you" />

<!-- Create a log -->
<log level="NORMAL" value="All Done." />

</CDT_Deployment_Plan>

0 Kudos
oconnork
Contributor

The CDT uses the internet access of the gateway to update the DA, and my gateways don't have Check Point Cloud/internet connectivity, so this is why I am sending the DA to the gateways manually.

But the CDT needs the DA to be already updated on the gateways before it can be used on them, so this is why I'm using such a workaround.

0 Kudos