This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MartinTzvetanov
Advisor
‎2020-08-28 06:21 AM

Why deployment agent is a separate part of CPUSE

Hi,

I still hear people who patch their system with the latest hotfix without updating the DA and then **bleep** hit the fan. Why DA is a separate part of the update package? Why DA is not integrated in the package or why the hotfix does not check if the installed DA is the minimum required? 

6 Replies
PhoneBoy
Admin
Admin
‎2020-08-28 11:34 PM

The deployment agent is required to install update packages via CPUSE.
It’s always recommended to check for and install the latest deployment agent before installing any package.
Newer packages sometimes require updates to the Deployment Agent.
Maybe @Tsahi_Etziony or one of his team can provide some more details here.

0 Kudos
MartinTzvetanov
Advisor
‎2020-08-29 08:29 AM

I don't ask what DA does, I ask why it's a separate part from the hotfix. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-29 09:54 AM
In response to MartinTzvetanov

Not sure why technically speaking, which is why I tagged the R&D owner. 🙂

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2020-08-29 10:41 PM
In response to PhoneBoy

I would ask the same question this way:

If we can have Management API commands updated in newer jumbo, why we cannot get newer CPUSE deployment agent too ?

The same applies for LOM firmaware upgrade, cpinfo update,  cpm_doctor update.

Kind regards,
Jozko Mrkvicka
Boaz_Orshav
Employee
Employee
‎2020-08-30 10:47 PM
In response to JozkoMrkvicka

Hi

  I'm sorry for the inconvenience and indeed we are aware of this issue.

  For machines which are connected to download center the DA will update itself and if the self update is turned on, the DA will still notify or even block installations if it's not the latest.

  DA which is not connected to download center is not aware that a newer one was released. The Jumbo enforces a minimal DA but it's not always the latest.

  Adding the DA to the Jumbo itself is on our plans but technically has some edge cases, hence was not implemented so far.

Tsahi_Etziony
Employee
Employee
‎2020-08-31 01:28 AM

I'd like to add to what @Boaz_Orshav wrote.

The installation logic is divided between the DA and to the package itself. the advantage of having a separate DA is that when we find a bug, we don't have to update all the available packages.

Our biggest concern is the offline users, since the online users will always have the updated DA and there are lower chances that they'll encounter an issue. For offline users, even if we did put all the installation logic in the package - if we find a bug a fix it later on, they'd have to replace their package to avoid that bug. This is the same as updating the DA prior to the installation. Checking for a newer package prior to the installation is complicated if you have several packages to install, and especially if you have an internal certification process for each package. Checking for a newer DA is simpler. 

As Boaz mentioned - if we do find a bug or a missing feature that is required for a successful package installation prior to its release, we add the fix or the feature to a newer DA, and the package is released with a "minimum DA" value. the package won't allow the installation with an older DA than the set value.

One more thing - I mentioned that each package has a value of a minimum DA needed for its installation, but on top of that, online machines will not allow the installation of any package if there is a newer DA available, until that DA is updated on the machine. 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events