The only time I _ever_ need to update CPUSE / CPDA is to install hotfixes.
Is there any reason the agent is not included and installed as part of the hotfix, to mitigate the dependency?
It should routinely self-update avoiding the dependency.
Is this on a machine that has internet access and a valid license or is isolated?
Isolated. Practically all the environments I touch are. Except for maybe management IPS updates via proxy...
I agree with Chris, I never have to do this manually, it's always auto-updated. I mean, periodically (maybe once a month, if that), I click on "check for update" in the web UI, but it usually does not return any new versions of the CPUSE agent.
That's not exactly foolproof as you sometimes need the latest deployment agent to install the latest JHF, one not made available in a previous JHF.
In any case, you can always download the Deployment Agent and install it offline here: https://support.checkpoint.com/results/sk/sk92449
I believe we plan to start adding AutoUpdater content to the JHF for offline gateways.
Don't believe CPUSE is currently part of this.
Wouldn't it be smarter to include the dependent DA in the JHF itself, and install it as part of the HFA if required?
Not really, considering you may need an updated DA to install a hotfix. As mentioned above, it is a separate type of software update.
Of course, that is how it works today and likely a result of the packaging, process and architecture. And I understand it may not be simple to change the process to include the latest DA at the time the HFA is released to hopefully make the offline installation process a tiny bit simpler. It may not sound like much but anything we can do to reduce the amount of maintenance required adds value.
KISS
I think the last part of your statement, I agree with 100%... anything to make the upgrade process easier would help.
Notice that when using central deployment from Smart Console or central deployment tool (CDT) it's enough to have the latest DA on the management machine and it will be pushed automatically to the gateways.
I found that out in the most annoying way possible when a new CPUSE version was in the "gradual deployment" stage. One of the members of the cluster I was trying to upgrade knew about it, but the other member and the management server did not yet. Not particularly hard to deal with. We just check for a new CPUSE build before using CDT and install it if there is one. It's ultimately just a little snag made more noticeable because of how smooth the process is otherwise.
Agreed that if CDT is usable in the environment, it's a great way to address this problem. My environment has a separate firewall between the management and the firewalls, and we had to allow CPRID through it. Now that we have it working, my team doesn't do any manual jumbo installations on firewalls anymore.
CDT is great, but often we are building new gateways that are not yet managed.
At the very least, it would be great if a link to the latest DA was provided with the HFA download, and as accessible as the HFA itself (no login is required to download the HFA, yet one is to download the DA?).