- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Why do Hackers Love IoT Devices so Much?
Join our TechTalk on Aug 17, at 5PM CET | 11AM EST
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
Afternoon all
I'm trying to update an R81 Manager via Smart Update....
SmartUpdate > Packages > Add > From File
I kept on rejecting the attempt with the below error:
As that was failing I thought I'd use GAIA CPUSE, which worked fine. This lead me to think that I add it this way to the manager then it will become available in the Repository in SmartUpdate, but still no sign of it.
Has anyone used this method to upgrade / update before? My aim is to remotely update the managed gateways direct from the manager.
Many thanks
Anthony
No ! See Security Management R81 Administration Guide p.138: Central Deployment of Hotfixes and Version Upgrades
Adding a package to the Package Repository
From the left navigation panel, click Manage & Settings.
From the left tree, click Package Repository.
Click New and select one of these options:
- Download from cloud - To download the package to the Package Repository from the Check Point Cloud, enter the package name and click Download.
- Upload from local - To upload the package to the Package Repository from your device, browse to the applicable package and click Open.
After the download or upload is complete, the package appears in the Package Repository window in SmartConsole > Manage & Settings view.
The "gateway upgrade" portion of SmartUpdate (including the Package Repository) is not integrated at all with CPUSE and is very old. I haven't utilized that feature of SmartUpdate in many years, but overall CPUSE works well if you have the latest Deployment Agent and that is what you should use. It also appears that the license management function of SmartUpdate (which is still quite relevant today) is slowly being integrated into the main SmartConsole in the latest releases and Jumbo HFAs, so it would appear SmartUpdate's days are numbered anyway.
That is very true, Timothy ! Here, i would just stay with the Dashboard instead of using several CPUSE WebGUIs 😎:
But this manual process will download the Jumbo on every GW - if you have many GWs, you can use sk111158: Central Deployment Tool (CDT)
Yes, that is true, we have a selectable package location source - i can then do Action > Install HF using the Jumbo from SMS !
I see this now.... I've never used the central deployment from the Smart Update console so assumed when I had the right version of R80 or 81 then that was it!..... hadn't done my research!
It seems you can only get the JHF's from Checkpoint download centre via this method so the machine has to have Internet access. Unfortunately this particular install is air-gapped and can't reach the Internet.
No ! See Security Management R81 Administration Guide p.138: Central Deployment of Hotfixes and Version Upgrades
Adding a package to the Package Repository
From the left navigation panel, click Manage & Settings.
From the left tree, click Package Repository.
Click New and select one of these options:
- Download from cloud - To download the package to the Package Repository from the Check Point Cloud, enter the package name and click Download.
- Upload from local - To upload the package to the Package Repository from your device, browse to the applicable package and click Open.
After the download or upload is complete, the package appears in the Package Repository window in SmartConsole > Manage & Settings view.
Ah! Thank you.
Wow. I've seen people put hardware information in hostnames, but that's a whole other level. This box is in a lab, surely?
Of course 😎
We changed to CPUSE packages back in the R77 timeframe.
SmartUpdate does NOT use this mechanism.
The only thing you can update using this mechanism is legacy SMB appliances running R77.20.x code.
In R81 you should be able to manage licenses and CPUSE packages from SmartConsole itself (not using SmartUpdate).
Contracts or management of licenses offline might be the only reason to use SmartUpdate at this point.
Ah I was wondering if the SmartUpdate upgrading capability was even still supported any more, thanks for the clarification.
Maybe the original name of "SmartUpdate" is little bit confusing now. It WAS used in the past for updates, but nowadays mostly as licensing tool, so maybe correct name should be "SmartLicense". Not sure if this should be considered in the future, as starting from R81 there shouldnt be use case for SmartUpdate...
Ultimately, the goal is to completely deprecate SmartUpdate.
Right now, the only reasons to still use SmartUpdate in R8x are specific to licensing in specific scenarios per sk149872:
The packages never show up in our Domains/CMA's. I have uploaded the packages in the global domain and the pushed this out to our 5 MDS servers with 60+domains. When I open the SmartConsole for the domain level, the packages are empty. If you try and upload via local it gives an error stating this must be done via the global repository. For me this has become a useless tool in R81.10. Also the command line version of CDT has had a 50% failure rate. I even upgraded to 9.5 and i can run a generate and no candidates will show up. Yes the mdsenv is correct and the model is on the hardware list. I can open a browser to the GW and do it manually fine via CPUSE. I am a little frustrated because as soon as we upgraded the MDS servers to R81.10 all it broke CDT.
Hi Michael,
i think we can investigate the issues in your environment and solve it so you can use both CDT and Central Deployment from Smart Console.
can you please collect the following logs and send me via email?
send the collected logs to mahmods@checkpoint.com
i will investigate it and update you ASAP.
Thanks.
I have opened a case with our Diamond Support Engineer.
I was mainly posting this in Checkmates to see if anyone else had the same issue.
CheckPoint has replicated the issue in the their lab. It appears to be a sync issue with regarding MDS servers in an HA environment. The packages are not replicated to the other MDS servers. So at this time we are waiting for R&D to resolve the issue.
So how in the world does something like CDT GUI not get tested with multiple MDS servers? Check Point has to assume that the majority of their customers have more than one MDS server. Especially the larger customers that manage 100's of firewalls where we need something like CDT to help with faster upgrades and patch deployments.
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY