HFA-04 upgrade on IP390 (flash) NGX R60

[paprichaat]

Hi,

Having problems tring to hotfix R60 on NGX60, all new out-the-box. Instructions refer to:

Verify that the files fw1_r60_591000xxx_1_IPSO.tgz and CPsuite.tgz exist, where
xxx indicates the original installed build number.
3) If ‘CPsuite.tgz’ does not exist in this directory, create it using the following command.
ln -sf fw1_R60_591000xxx_1_IPSO.tgz CPsuite.tgz

...Problem is the IPSO.tgz file isnt there and therfore the HFA install fails with the error that that I should install the firewall package 1st...but the package is installed and the firewall is operational...

BTW using IPSO 4.1 B16

Any ideas?

[northlandboy]

The problem is related to the way that Check Point was initially installed, and the way that the upgrade script works.

Remember that for flash-based platforms, it unpacks the package in /opt/packages/installed/ every time it boots, and puts the files in the appropriate locations under /opt/CPsuite-R60

So when a patch is installed, it needs to unpack that tarball, replace all the patched files, then pack it back up again. Depending on how you installed the initial package, you may have your firewall package as /opt/packages/installed/fw1_xxx.tgz, or it may be /opt/packages/installed/CPsuite.tgz.

The patch script is looking fo CPsuite.tgz. If it's not there, you can just create a symlink to the actual package, so the script works. What packages do you have under /opt/packages/installed?

[BarryStiefel]

Quote:

Originally Posted by northlandboy

The problem is related to the way that Check Point was initially installed, and the way that the upgrade script works.

Remember that for flash-based platforms, it unpacks the package in /opt/packages/installed/ every time it boots, and puts the files in the appropriate locations under /opt/CPsuite-R60

So when a patch is installed, it needs to unpack that tarball, replace all the patched files, then pack it back up again. Depending on how you installed the initial package, you may have your firewall package as /opt/packages/installed/fw1_xxx.tgz, or it may be /opt/packages/installed/CPsuite.tgz.

The patch script is looking fo CPsuite.tgz. If it's not there, you can just create a symlink to the actual package, so the script works. What packages do you have under /opt/packages/installed?

Again, northlandboy comes through, really knowing his stuff.

[northlandboy]

Quote:

Originally Posted by BarryStiefel

Again, northlandboy comes through, really knowing his stuff.

Thanks, but really it's just coincidental that I was going through this exact issue a few weeks back on my last contract.

One more thing I just thought of is that if the HFA script is complaining that you need to install the firewall package first, then make sure that you have enabled the package - do an echo $FWDIR to confirm it. If you've got a brand new box from Nokia, and you want to patch it before deployment, remember that they install the Check Point package, but don't activate it.

[abusharif]

the funny issue here is that there are several documents that explains the procedure, some from checkpoint, some only found on Nokias KB, that all explain the procedure in DIFFERENT way. For example Checkpoint released and made documents regarding this (release notes) that are only found on nokias KB and not vice versa. Nokias TAC was also a bit "ummmm" on the direct question which of those to follow.

[northlandboy]

Yeah, sometimes you'll see instructions for "flash-based platforms", but really they only refer to the IP265, which uses different methods for patching/installation/etc.

The documentation isn't always all that great (yet) for flash-based platforms, and some stuff you just have to work out yourself. Some things, like trying to work out which version of IPSO and which CP version you can use are a right PITA, as Check Point and Nokia's documentation is inconsistent. The answers you get from Nokia and CP support vary too, although I tend to trust Nokia's answers on Nokia-related questions.

You run into a few really silly mistakes too, like the bootstrap script where someone referred to Dallas (R60 codename) for the file locations, rather than using a variable for the version, like any half-decent script writer would. That's why you couldn't get cpsnmpd running on a flash platform for a while.

I think (hope) that these issues will be sorted out with the next few releases, as deployment of flash-based systems becomes more widespread.

[paprichaat]

In /opt/packages/installed I have the following:

*****************************
ls -al
total 46644
drwxr-xr-x 2 root 80 512 Oct 19 09:48 .
drwxr-xr-x 3 root wheel 512 Oct 19 09:42 ..
-rwxr-xr-x 1 root 80 22737 Mar 21 2006 BOOTSTRAP
-rw-r--r-- 1 root 80 59214 Oct 19 09:48 CPinfo.tgz
lrwxr-xr-x 1 root 80 28 Oct 19 09:48 CPsuite.tgz -> fw1_R60_59100045
8_1_IPSO.tgz
-rwxr-xr-x 1 root 80 2350 Nov 16 2005 REPLACE_BOOTSTRAP.sh
-rw-rw-r-- 1 root wheel 30720 Oct 18 16:01 Replace_bootstrap_sk31660.tar
-rw-r--r-- 1 root 80 47611354 Oct 19 09:43 fw1_R60_591000458_1_IPSO.tgz

******************
I think my attempted link (above) is wrong....
Thanks for your help.

Quote:

Originally Posted by northlandboy

The problem is related to the way that Check Point was initially installed, and the way that the upgrade script works.

Remember that for flash-based platforms, it unpacks the package in /opt/packages/installed/ every time it boots, and puts the files in the appropriate locations under /opt/CPsuite-R60

So when a patch is installed, it needs to unpack that tarball, replace all the patched files, then pack it back up again. Depending on how you installed the initial package, you may have your firewall package as /opt/packages/installed/fw1_xxx.tgz, or it may be /opt/packages/installed/CPsuite.tgz.

The patch script is looking fo CPsuite.tgz. If it's not there, you can just create a symlink to the actual package, so the script works. What packages do you have under /opt/packages/installed?