CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 7 of 7

Thread: Hotfix and Migration tool

  1. #1
    Join Date
    2006-07-06
    Posts
    133
    Rep Power
    13

    Default Hotfix and Migration tool

    Hi All,


    I have not used this forum or Checkpoint for years.

    So I would like some advice from the Checkpoint guys.

    1. How do I install a Hofix in Gaia with no internet access, Unixinstaller no longer works?

    2. At present I have 3 SMS and 3 clusters, I would like to migrate all the rules to one SMS then upgrade to R80.0.
    what is the best process?


    thanks
    Zarcoff

  2. #2
    Join Date
    2012-07-19
    Posts
    98
    Rep Power
    7

    Default Re: Hotfix and Migration tool

    Quote Originally Posted by zarcoff View Post
    Hi All,
    1. How do I install a Hofix in Gaia with no internet access, Unixinstaller no longer works?
    If it is a Legacy Hotfix, it should still come with a UnixInstallScript. If it is a CPUSE Package, you'll need to import it via Platform Portal or clish ("installer" commands) and then apply it.

    Quote Originally Posted by zarcoff View Post
    2. At present I have 3 SMS and 3 clusters, I would like to migrate all the rules to one SMS then upgrade to R80.0.
    what is the best process?
    I have never used it, but you may want to take a look at cp_merge (sk33751). Note that merging should be done before upgrading to R80.x, the sk is only valid for R77.30 and some versions lower than that.

    I've also imported Network Objects from ConfWiz output to R80.x Management API, that way you get at least the Objects, but not the Policy itself. This may be an option for small access-only Policies, especially if you plan to re-make them using R80.x features like inline layers or zones.

    Hope that gave you some ideas.

  3. #3
    Join Date
    2006-07-06
    Posts
    133
    Rep Power
    13

    Thumbs up Re: Hotfix and Migration tool

    Hi Jejeno,



    Thanks for the reply.


    for the Jumbo Hotfix, can I have step by step instructions please as the ./Unixinstall command does not work.

    am using Gaia and like to install using clish.

    I will be using cp_merge.


    Thanks
    Zarcoff

  4. #4
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Default Re: Hotfix and Migration tool

    First thing you need to do is make sure that your Deployment Agent is the current one.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&soluti onid=sk92449&partition=General&product=All"#Introd uction

    Is what you want to review.

    Has sections on updating the CPUSE Deployment Agent.

    It also has sections on how to import the CPUSE Package then how to install

    Covers using the Gaia Portal as well as using CLISH to perform the work.

    If is a legacy as in a Non-CPUSE package then should have the UnixInstallScript when you expand the tgz file.

    Most of the patching is done via CPUSE these days so you want to familiarise yourself with CPUSE.

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    270
    Rep Power
    12

    Default Re: Hotfix and Migration tool

    For specific commands, I generally copy the current CPUSE and the JHFA I want to install to the box using SCP. I put them in /home/admin, then run these commands:

    Code:
    tar -zxvf DeploymentAgent_*
    rpm -Uhv --force CPda-00-00.i386.rpm
    killall -v clish clishd
    tellpm process:confd
    tellpm process:confd t
    $DADIR/bin/dastart
    clish
    installer import local /home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
    installer install Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
    Everything before 'clish' is for updating the deployment agent. You may need to wait a little while after issuing the 'dastart' before entering clish to be sure the installer service is up and running. The last two commands will need to be modified based on the specific fix you are installing.

    And of course, once the system comes back up after rebooting, you should clean up the /home/admin directory.
    Zimmie

  6. #6
    Join Date
    2006-09-26
    Posts
    3,172
    Rep Power
    16

    Default Re: Hotfix and Migration tool

    Quote Originally Posted by Bob_Zimmerman View Post
    For specific commands, I generally copy the current CPUSE and the JHFA I want to install to the box using SCP. I put them in /home/admin, then run these commands:

    Code:
    tar -zxvf DeploymentAgent_*
    rpm -Uhv --force CPda-00-00.i386.rpm
    killall -v clish clishd
    tellpm process:confd
    tellpm process:confd t
    $DADIR/bin/dastart
    clish
    installer import local /home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
    installer install Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.tgz
    Everything before 'clish' is for updating the deployment agent. You may need to wait a little while after issuing the 'dastart' before entering clish to be sure the installer service is up and running. The last two commands will need to be modified based on the specific fix you are installing.

    And of course, once the system comes back up after rebooting, you should clean up the /home/admin directory.
    Wow, that look exactly what I had. I probably posted this on CPUG almost two years ao :-)

    Actually December 2016: https://www.cpug.org/forums/showthre...00-00.i386.rpm
    Last edited by cciesec2006; 2018-10-30 at 12:59.

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    270
    Rep Power
    12

    Default Re: Hotfix and Migration tool

    Quote Originally Posted by cciesec2006 View Post
    Wow, that look exactly what I had. I probably posted this on CPUG almost two years ao :-)

    Actually December 2016: https://www.cpug.org/forums/showthre...00-00.i386.rpm
    The Deployment Agent part is straight from SK.

    The jumbo HFA part is a little different, because you can install the fix by name instead of by number. The number is unpredictable, so I prefer to use the name in scripts like this. That way, I can hand it to anybody (even my stupid 3AM self) and it will run reliably without the person needing to look at anything or make a decision.
    Zimmie

Similar Threads

  1. Hotfix
    By alex2015 in forum Installing And Upgrading
    Replies: 1
    Last Post: 2016-10-28, 11:54
  2. Q: HotFix Installation..
    By Kingetic in forum Check Point SecurePlatform (SPLAT)
    Replies: 4
    Last Post: 2011-03-11, 14:08
  3. sk45036 hotfix anyone ?
    By ypetiot in forum Installing And Upgrading
    Replies: 3
    Last Post: 2011-01-10, 08:46
  4. Hotfix Help!
    By Scrif in forum Installing And Upgrading
    Replies: 4
    Last Post: 2007-11-15, 13:23
  5. VoIP Hotfix 2
    By chillyjim in forum Voice over IP Blade (VoIP)
    Replies: 11
    Last Post: 2006-11-04, 14:37

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •