Hotfix and Migration tool



zarcoff
2018-10-26, 16:20
Hi All,

I have not used this forum or Check Point for years.

So I would like some advice from the Check Point guys.

1. How do I install a Hotfix in Gaia with no internet access? Unixinstaller no longer works.

2. At present I have 3 SMS and 3 clusters. I would like to migrate all the rules to one SMS, then upgrade to R80.0.
What is the best process?

Thanks
Zarcoff

Jejerod
2018-10-26, 18:29
> Hi All,
> 1. How do I install a Hotfix in Gaia with no internet access? Unixinstaller no longer works.

If it is a Legacy Hotfix, it should still come with a UnixInstallScript. If it is a CPUSE Package, you'll need to import it via Platform Portal or clish ("installer" commands) and then apply it.

> 2. At present I have 3 SMS and 3 clusters, I would like to migrate all the rules to one SMS then upgrade to R80.0.
> what is the best process?

I have never used it, but you may want to take a look at cp_merge (sk33751 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33751&partition=General&product=Security)). Note that merging should be done before upgrading to R80.x, the sk is only valid for R77.30 and some versions lower than that.

I've also imported Network Objects from ConfWiz output to R80.x Management API, that way you get at least the Objects, but not the Policy itself. This may be an option for small access-only Policies, especially if you plan to re-make them using R80.x features like inline layers or zones.

Hope that gave you some ideas.

zarcoff
2018-10-28, 08:14
Hi Jejerod,

Thanks for the reply.

For the Jumbo Hotfix, can I have step-by-step instructions please, as the ./Unixinstall command does not work.

I am using Gaia and would like to install using clish.

I will be using cp_merge.

Thanks
Zarcoff

mcnallym
2018-10-29, 08:06
First thing you need to do is make sure that your Deployment Agent is the current one.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449&partition=General&product=All#Introduction

is what you want to review.

It has sections on updating the CPUSE Deployment Agent.

It also has sections on how to import the CPUSE Package and then how to install it.

It covers using the Gaia Portal as well as using CLISH to perform the work.

If it is a legacy package, as in a non-CPUSE package, then it should have the UnixInstallScript when you expand the tgz file.

Most of the patching is done via CPUSE these days, so you want to familiarise yourself with CPUSE.

Bob_Zimmerman
2018-10-29, 10:39
For specific commands, I generally copy the current CPUSE and the JHFA I want to install to the box using SCP. I put them in /home/admin, then run these commands:


    tar -zxvf DeploymentAgent_*
    rpm -Uhv --force CPda-00-00.i386.rpm
    killall -v clish clishd
    tellpm process:confd
    tellpm process:confd t
    $DADIR/bin/dastart
    clish
    installer import local /home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
    installer install Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz

Everything before 'clish' is for updating the deployment agent. You may need to wait a little while after issuing the 'dastart' before entering clish to be sure the installer service is up and running. The last two commands will need to be modified based on the specific fix you are installing.

And of course, once the system comes back up after rebooting, you should clean up the /home/admin directory.
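
A pre-flight check for the offline procedure above, as an added example that is not part of the original posts: it confirms that a package copied over by SCP matches a SHA-256 value recorded on the download workstation and is a readable tgz, then prints the two clish commands using the package name. The function names, the return codes and the availability of sha256sum on the box are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The expected hash is whatever you
# recorded for the file on the workstation where it was downloaded.

# verify_pkg FILE EXPECTED_SHA256
# Returns 0 only if FILE exists, matches the hash and lists as a tgz.
# Return codes (chosen for this example): 2 missing, 3 hash, 4 archive.
verify_pkg() {
    vp_file="$1"
    vp_expected=$(echo "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ ! -f "$vp_file" ]; then
        echo "missing: $vp_file" >&2
        return 2
    fi
    vp_actual=$(sha256sum "$vp_file" | awk '{print $1}')
    # A truncated or altered transfer is caught here.
    if [ "$vp_actual" != "$vp_expected" ]; then
        echo "hash mismatch for $vp_file" >&2
        echo "  expected $vp_expected" >&2
        echo "  actual   $vp_actual" >&2
        return 3
    fi
    # Catches a hash recorded for the wrong file (e.g. an HTML error page
    # saved under a .tgz name): the content must list as a gzip'd tar.
    if ! tar -tzf "$vp_file" >/dev/null 2>&1; then
        echo "archive unreadable: $vp_file" >&2
        return 4
    fi
    return 0
}

# clish_steps FILE
# Prints the two clish commands from the post above for FILE, installing
# by package name rather than by package number.
clish_steps() {
    echo "installer import local $1"
    echo "installer install $(basename "$1")"
}

# Usage (placeholders, not real values):
#   verify_pkg /home/admin/<package>.tgz "<EXPECTED_SHA256>" \
#       && clish_steps /home/admin/<package>.tgz
```

Run the same check on the Deployment Agent archive before the rpm step; the printed lines are typed into clish, not the expert shell.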

cciesec2006
2018-10-30, 12:55
> For specific commands, I generally copy the current CPUSE and the JHFA I want to install to the box using SCP. I put them in /home/admin, then run these commands:
>
>     tar -zxvf DeploymentAgent_*
>     rpm -Uhv --force CPda-00-00.i386.rpm
>     killall -v clish clishd
>     tellpm process:confd
>     tellpm process:confd t
>     $DADIR/bin/dastart
>     clish
>     installer import local /home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
>     installer install Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
>
> Everything before 'clish' is for updating the deployment agent. You may need to wait a little while after issuing the 'dastart' before entering clish to be sure the installer service is up and running. The last two commands will need to be modified based on the specific fix you are installing.
>
> And of course, once the system comes back up after rebooting, you should clean up the /home/admin directory.

Wow, that looks exactly like what I had. I probably posted this on CPUG almost two years ago :-)

Actually December 2016: https://www.cpug.org/forums/showthread.php/21183-sk93587-monitord-high-CPU?highlight=rpm+-Uhv+-force+CPda-00-00.i386.rpm

Bob_Zimmerman
2018-10-30, 14:18
> Wow, that looks exactly like what I had. I probably posted this on CPUG almost two years ago :-)
>
> Actually December 2016: https://www.cpug.org/forums/showthread.php/21183-sk93587-monitord-high-CPU?highlight=rpm+-Uhv+-force+CPda-00-00.i386.rpm

The Deployment Agent part is straight from SK.

The jumbo HFA part is a little different, because you can install the fix by name instead of by number. The number is unpredictable, so I prefer to use the name in scripts like this. That way, I can hand it to anybody (even my stupid 3AM self) and it will run reliably without the person needing to look at anything or make a decision.