Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Mart_Pirita
Participant
Jump to solution

When Will SmartConsole Support In-Place Updates?

Hi,

I have used CheckPoint since 2005 and I'm now pretty sure, that CheckPoint hates SmartConsole users, as in year 2019 it's impossible to upgrade CheckPoint SmartConsole, without uninstalling old CheckPoint SmartConsole. And in year 2019 this uninstalling does not give any option to save settings and fingerprints, like for example Juniper -s Pulse does.
Uninstalling CheckPoint console removes all settings and fingerprints but of course it does not remove installation folder C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 and later on new installer then gives error - "The installation directory provided is not empty and might contain previous installation files. To proceed with the installation, please clean this directory or select an empty folder".


Really? In year 2019 I must do it manually? What do you CP guys smoke? Investigated this a bit and it finally turned out, that folder C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 contained one empty folder "PROGRAM". After manually removing C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 folder, installer was happy.


But I'm not happy, as the console thinks I'm using it first time, so I must add all settings, again. Accept all servers fingerprints, again. Close the boring popup notifications, again. Etc. And as CheckPoint keeps constantly upgrade SmartConsole, I must deal with this installer issue quite often.
 
Conclusion - in year 2019 we are paying huge money to CheckPoint and in return we're getting lousy product and for comparision freeware tools can create better windows installer packages with better logic, but CheckPoint can't or won't.

86 Replies
Sven_Glock
Advisor

Hi Tomer,

do you have any updates regarding the planned release of updateable SmartConsole?

Thanks in advance!

Cheers
Sven

Tal_Paz-Fridman
Employee
Employee

Hi,

Adding @Tomer_Noy and @Alon_Alapi 

0 Kudos
PhoneBoy
Admin
Admin

There have been some internal EAs of this, but I don't think it's quite ready for GA yet.

0 Kudos
Tomer_Noy
Employee
Employee

Indeed. We did a few initial EAs, but got some negative feedback on aspects of how it behaves. 

It's important to us to meet the expectations and requirements of the field and take that feedback seriously. Unfortunately, to resolve those issues, we need to take apart something at core of the implementation, so it's setting us back. 

I will update once we have something to share, and hopefully open the next iteration to EAs with Check Mates contributers.

Once available, we still plan to release this package for existing versions (such as R80.40 and soon R81). We will not wait for the next maintrain.

0 Kudos
Tomer_Noy
Employee
Employee

I'm glad to share a positive update 😀

After some redesign, we improved the implementation and are ready to share the updatable SmartConsole as a public EA and get wider feedback from the field.

You can grab the R81 updatable SmartConsole in this post:
https://community.checkpoint.com/t5/General-Management-Topics/Updatable-SmartConsole-Early-Availabil... 

Even if you don't have an R81 Management Server, you can launch it and connect to Demo Mode. You will still experience the auto-update flow.

Please share your feedback on that post to help us reach GA quickly.

As discussed before, we will make R80.40 updatable as well.

marki
Contributor

> As discussed before, we will make R80.40 updatable as well.

I have upgraded to the latest R80.40 JHF SmartConsole recently, and from what I see there was no in-place upgrade.

However, our SMS is not on the latest JHF. Does that matter?

Is it implemented in R80.40 at all as described?

0 Kudos
Tomer_Noy
Employee
Employee

Eventually, the SmartConsole updatability feature made it into R81 and above.

We've released many updates for those versions and overall, gotten good feedback.

I highly recommend to all customers to adopt R81.10 on their management as that version is superior in quality, performance and features compared to all our previous versions.

0 Kudos
cosmos
Advisor

I came here to inquire about the automatic update feature in R81.10 and was hoping that the "Install Now" button would prompt the install process. While admin rights are required, no UAC prompt is presented. This requirement highlights a larger issue of still relying on a 32-bit Windows application for managing a security product in 2023.

While I understand the concern around using browsers for management due to security risks, practicing good opsec and limiting access can mitigate these risks. Additionally, running client-based software for security infrastructure can increase management overhead and potential risk if not deployed properly - either you allow users to download and install the client, which implies both Internet access AND local admin, or deploy via software management which can be frustrating when you need a console update to fix a bug that's preventing you from completing a migration or upgrade in a 2am change window.

I sympathize with the frustration expressed by other users in this thread, especially those in large deployments and sensitive environments where security administrators have limited control over software applications (another good security practice).

0 Kudos
the_rock
Legend
Legend

My experience has been sort of, lets just say, inconsistent. Other customers told me the same thing...so sometimes, and this really has nothing to do with the version, auto update in smart console will come up, then other times it wont, then if you reboot the PC that dashboard is installed on, it may work again to update, then when mgmt version is updated, its very spotty again...so to conclude, its all over the place. I will say, in R81.10 it has been better, but still not 100% working. So far, only one smart console version in R81.20, so cant really compare it to anything.

I dont know, MAYBE in R82 it will finally work right? Only time will tell : - )

cosmos
Advisor

Sounds like the planets were misaligned or you used the wrong finger on the mouse button. I like to include astrological alignment as a prerequisite for upgrades and migrations.

My experience across the board defies Einstein insanity - do the same thing, expect different results (I'm looking at you, reset_gw)

the_rock
Legend
Legend

Im sure if Einstein was alive, he would fix this issue in 2 days 🙂

Dan_Zaidman
Employee
Employee

The update is rolled out gradually and should be completed within 1 week, for R81.20 jumbo, it will be available for everyone at 15/3.

0 Kudos
the_rock
Legend
Legend

Thanks @Dan_Zaidman . Just curious, for my own information, not sure how that works exactly, does it get rolled out by regions or is there another criteria?

Cheers,

Andy

0 Kudos
Dan_Zaidman
Employee
Employee

No, it's random.

the_rock
Legend
Legend

Ok, thanks a lot for confirming that, as I also had some clients ask me about it, so that answer makes sense now.

Cheers and have a great rest of your day 💪💪

Andy

0 Kudos
Omer_Ran
Employee
Employee

Hi Cosmos,

Can you please elaborate on the issue you're describing?

When you click the "Install now" button, does nothing happen, or does it eventually install the update without displaying the UAC prompt?

The UAC dialog is not displayed by SmartConsole (or any other program), but rather by Windows, when a process with normal privileges tries to execute another process "as administrator". There are two scenarios where the UAC prompt is not needed, and SmartConsole update is downloaded and installs without user interaction - 

1. SmartConsole is already running "as administrator" (this can also happen if launching SmartConsole at the end of SmartConsole's installer)
2. SmartConsole is installed in a location that doesn't require admin permissions for write-access by the current user.

If you are getting the "Install Now" prompt but not the UAC prompt, this is something we haven't encountered yet. Are you running SmartConsole on Windows 11 by any chance? 

0 Kudos
cosmos
Advisor

Hello Omer

This is SmartConsole 81.10.9600.410, running Windows 10 Enterprise Virtual Desktop. It's a non-persistent desktop so I don't expect the upgrade to persist - that has to be done on the image the desktop is spawned from.

That aside, the process is run in the context of the logged in user which is not an administrator, and the application is installed in a location that only SYSTEM and Administrators have write access to.

The UAC icon (windows shield) appears on the "Install Now" button under the Update menu, suggesting admin privileges are required, however on clicking the button nothing happens - no UAC prompt or indication an installation is running.

Oddly, when I log back into a freshly spawned VDI (i.e. any previous attempts to upgrade would have been abandoned), the update menu states "SmartConsole has successfully updated" and instead of "Install Now" we get the option to "Relaunch Now" and keep the session open. On doing so, "SmartConsole has experienced a serious problem and needs to relaunch."

On restarting the console, "A new SmartConsole is ready to install", rinse and repeat.

I have since noticed a "Program" folder in C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\ which I believe is a directory junction to the latest version, in this case there is still only one version (81.10.9600.410):

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/03/2023 8:54 AM 81.10.9600.410
d----l 29/11/2022 1:06 PM PROGRAM
-a---- 18/10/2022 4:55 PM 9662 logo.ico
-a---- 18/10/2022 4:55 PM 229 XInstall_names.conf

29/11/2022 01:06 PM <JUNCTION> PROGRAM [C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\81.10.9600.410]

Assuming that when an update is installed in the base directory, the PROGRAM junction is updated to point to it.

In this case no update was ever installed, despite the console messages.

PS: there appears to be a bug in the Check Mates forum that continuously steals focus from this text entry dialog, possibly related to the flashy banners at the top of the page. As if the forum developers took a leaf out of the SmartConsole bug book.

(1)
the_rock
Legend
Legend

@Omer_Ran ...I think what @cosmos and myself are saying is what 1000s of CP customers are thinking, which is "Fix the smart console update" lol

I had same "episode" with NAT rules hit count couple of years back...so TAC told us its fixed in R81 version, great, client upgrades whole environment, works maybe 10% of the time. TAC tells us "Yea, sadly, R&D confirmed its not consistent". (deep sigh)

Time goes by, we are told its fixed 100% in R81.10...customer upgrades, works, if you are lucky, MAYBE 40% of the time...FINALLY, I see it works 100% of the time in R81.20, literally 2 years later. Now, put yourself in customer's shoes...how would you feel? Trust me, you would be annoyed, at least a little bit 🙂

_Val_
Admin
Admin

@the_rock please stay on topic. Your comment above has nothing to do with the subject of the original post.

There is a different space in the community where you are welcome to vent at any time. In the main space, please focus on technology-related discussions. 

Thanks for your understanding.

0 Kudos
marki
Contributor

Hmm. I just downloaded a newer JHF for our R81.20 SmartConsole and the installer still gives me:

sc8120installed.jpg

0 Kudos
Amir_Senn
Employee
Employee

Usually in past versions, if you are running full installation you need to uninstall before installing a new one.

R81.20 SmartConsole is auto-updating. It's annoying really but you need to surrender yourself and update SmartConsole.

You didn't see those update windows? What build are you running? Mine was currently updated to build 9700.651.

Kind regards, Amir Senn
0 Kudos
marki
Contributor

Where does it update from? Our mgmt machines obviously don't have internet connectivity.

0 Kudos
Tal_Paz-Fridman
Employee
Employee

Do you refer to the machine that is running SmartConsole (which is different from the Security Management Server)?

marki
Contributor

Yes.

Tal_Paz-Fridman
Employee
Employee

If it is not connected to the Internet it would obviously not be able to update.

If you are trying to cut down the installation time you might want to consider using Portable SmartConsole.

0 Kudos
cosmos
Advisor

Just a thought - since a management server requires Internet access for IPS updates and licensing, why not update the console via the server? CPDA can already download the package although not all users have access to the web UI to reach it, or admin rights to install. If the client updates over the existing control connection there would be no need for additional accesss or logins - although ultimately this is where SmartConsole should be heading - a single, integrated web UI to manage all the things.

Hosting the client and updates on the server would ensure clients always have the current supported version, even better if one could use their SmartConsole credentials on a web-ui to access it (not their Gaia OS credentials, let's save that for another 100 post thread).

Go!

the_rock
Legend
Legend

I second those thoughts @cosmos 👍

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events