Hello all,
Not all companies are allowed to have internet access for their managements and gateways. With internet access, installing the latest Jumbo or even upgrading to Major releases is just one command. What just came to my mind is the idea that CPUSE could be used in case there is no internet access, so that you can choose whether to use the internet or some internal IP address where all needed packages will be stored.
Something like 2 new CPUSE commands:
1. set installer source internet
2. set installer source local <IP_ADDRESS>
In case the admin would like to use a local repository, CPUSE will connect to the server over https and download packages from there.
I am fully aware that a similar idea is already created by Central Deployment Tool (CDT) or using SmartUpdate.
What is even better is to use a dedicated API and later UI, as was mentioned by @Dorit_Dor.
No.
I am just thinking aloud here 😄
What would be an even better idea is to have a single machine which will have internet access and can download and serve all needed packages for internal managements and hosts.
Example:
I will deploy 1 VM which will have 2 interfaces - one WAN (Internet) and second LAN (internal).
This VM can connect via the WAN interface to Check Point CPUSE download servers and download all needed packages, which can then be served over the LAN interface for all internal stuff.
All internal managements and gateways can configure the source of all CPUSE packages as that VM, over the LAN interface. No need to have internet access for all managements and gateways, just 1 VM will have internet access.
Addressing these types of requirements was part of the vision of "Private ThreatCloud" deployments, please discuss with your local SE for the latest information if it's of interest.
I've simply resolved this challenge by having a Linux server where I download packages from CP, and then the gateways just download the package via curl_cli and import it to CPUSE.
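The workflow described in the post above, sketched as an added example that is not part of the original thread or anyone's production script: the gateway pulls a package from an internal mirror with curl_cli and imports it into CPUSE only if its SHA-256 matches an approved manifest. The URL, manifest and staging directory arguments are hypothetical, and the `installer import local` clish call is an assumption about the Gaia syntax.

```shell
#!/bin/bash
# Added example. The mirror URL, manifest path and staging directory are
# hypothetical; the manifest ("<sha256>  <filename>" per line) is assumed to
# reach the gateway over a trusted channel, not from the mirror itself.

# Print the expected hash for NAME from MANIFEST; non-zero if not listed.
manifest_hash() {
    awk -v n="$2" '$2 == n { print $1; found = 1; exit }
                   END { exit !found }' "$1"
}

# Return 0 only if FILE exists and its SHA-256 equals EXPECTED (hex, any case).
verify_sha256() {
    [ -f "$1" ] || return 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    wanted=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$wanted" ]
}

# Download URL into DEST_DIR, verify it against MANIFEST, then import to CPUSE.
fetch_and_import() {
    url=$1; manifest=$2; dest_dir=$3
    name=${url##*/}
    pkg="$dest_dir/$name"
    # Refuse packages nobody approved before touching the network.
    expected=$(manifest_hash "$manifest" "$name") || {
        echo "no manifest entry for $name" >&2; return 1; }
    curl_cli --fail --silent --show-error -o "$pkg" "$url" || return 1
    if ! verify_sha256 "$pkg" "$expected"; then
        echo "SHA-256 mismatch, discarding $pkg" >&2
        rm -f "$pkg"
        return 1
    fi
    # Assumption: Gaia clish syntax for importing a local CPUSE package.
    clish -c "installer import local $pkg"
}

# Usage: script <package-url> <manifest> <staging-dir>
if [ "$#" -eq 3 ]; then
    fetch_and_import "$1" "$2" "$3"
fi
```

The manifest is the trust anchor here: build it on the internet-facing host when the package is obtained from the vendor, and keep it somewhere the mirror's web server cannot overwrite.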
Yes, that is just a simple approach that makes sense. In smaller environments, a PC with local and internet access, PuTTY and WinSCP will do the same trick. Although the proposed two new commands seem simple, a local server for CPUSE packages (all currently available, including all flavors of large BLINK files) does to really...
@JozkoMrkvicka - thanks for the interesting suggestion. We completely understand the need to have a fully functioning CPUSE even in environments where GWs are not connected to the outside world.
It is quite complicated to add these commands to CPUSE and have CPUSE connect to a different file storage, because CPUSE does not use the Check Point cloud as a simple file storage, and there is a protocol that is used to control which packages are offered to which machine.
One option is indeed PTC, but I think this might be overkill for this simple use case. Another option is to use CDT to push the relevant packages to CPUSE, or manually ask CPUSE to import the relevant packages.
You wrote "What is even better is to use dedicated API and later UI like was mentioned by @Dorit_Dor.", and this is exactly where we are heading. Indeed we are about to release central deployment capabilities that will be available from Smart Console and hopefully will make your experience a lot simpler. The first phase will require both the management server and the GW to be connected to the cloud, but our road map focuses on more isolated environments - we will add a repository to the management, and also allow the management to serve as a proxy for the GWs' Deployment Agent (CPUSE).
But I will also check if we can use the development of the management repository and allow any file storage repositories like you suggested, and then we will be able to add these commands.
Thank you @Tsahi_Etziony for your response and feedback!
Looking forward to seeing some improvements in the CPUSE area 🙂