CPUSE Architecture and Design
The CPUSE Deployment Agent is installed on each Gaia-based device and is responsible for all software deployment processes on that device.
Applicable CPUSE Software Packages
All applicable software packages are uploaded to the Check Point cloud.
On a Gaia server that is connected to the Internet, the CPUSE Deployment Agent shows only the software packages that are applicable to this specific Gaia server.
For a Gaia server that is not connected to the Internet, you can manually download the required offline CPUSE packages and then import them on that Gaia server.
Suppressing the Reboot Behavior
At the beginning of each installation / uninstall of a Hotfix / Jumbo Hotfix Accumulator, the CPUSE Deployment Agent asks the user whether to perform a reboot automatically when the installation / uninstall completes. You can suppress this automatic reboot functionality to perform post-install / post-uninstall actions (that also require reboot) and thus reduce the number of reboots.
If you choose to suppress the automatic reboot, then the CPUSE Deployment Agent does not reboot the Gaia server automatically. However, all actions are blocked for the installed Hotfix / Jumbo Hotfix Accumulator package (except for exporting the package and deleting the package from disk). All actions are allowed for other packages.
|
Important - During the installation / uninstall of a CPUSE package, all Check Point services are stopped (with the " |
Name of the CPUSE Package in Gaia Portal / Gaia Clish
Download Source / CPUSE Package | Name of CPUSE Package |
---|---|
From the Check Point cloud (CPUSE Online installation) | The CPUSE Deployment Agent takes the package name from the Check Point cloud (from the corresponding metadata package). |
CPUSE Offline package | The CPUSE Deployment Agent shows the name of the TAR / TGZ file. |
CPUSE Exported package that you imported | The CPUSE Deployment Agent takes the package name from the original CPUSE package. |
CPUSE Local Package Repository
All CPUSE packages you download and manually import on a Gaia server are located in the $DADIR/repository/tmp/ directory.
This directory contains symbolic links to the /var/log/CPda/repository/tmp/ directory, where these CPUSE packages are physically stored.
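A check an administrator could run over these two directories, as an added example that is not Check Point code: it resolves every entry in the link directory and reports entries that are dangling or that resolve outside the storage directory. The function names and the demo tree are constructed for illustration.

```bash
#!/bin/sh
# Added illustration, not Check Point code. Directory names in the demo are
# constructed; on Gaia the two paths would be the ones named above.

# audit_repo LINK_DIR STORE_DIR
# Resolves every entry in LINK_DIR and prints one line per entry that is
# dangling or that resolves outside STORE_DIR. Returns 0 when all are fine.
audit_repo() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    store=$(readlink -f "$2") || return 2
    bad=0
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        target=$(readlink -f "$entry") || target=""
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "DANGLING $entry"; bad=1
        else
            case "$target" in
                "$store"/*) ;;                            # stored where expected
                *) echo "OUTSIDE $entry -> $target"; bad=1 ;;
            esac
        fi
    done
    return "$bad"
}

# make_demo_tree: constructed layout with one good, one stray, one dangling link.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/store" "$t/links" "$t/other"
    : > "$t/store/pkg_a.tgz"; : > "$t/other/pkg_b.tgz"
    ln -s "$t/store/pkg_a.tgz"   "$t/links/pkg_a.tgz"
    ln -s "$t/other/pkg_b.tgz"   "$t/links/pkg_b.tgz"
    ln -s "$t/store/missing.tgz" "$t/links/pkg_c.tgz"
    echo "$t"
}

demo=$(make_demo_tree)
audit_repo "$demo/links" "$demo/store" || echo "repository needs attention"
rm -rf "$demo"
```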
CPUSE Deployment Agent (DA)
Main Directory for the CPUSE Deployment Agent
|
The environment variable is: $DADIR
Main Daemon for the CPUSE Deployment Agent
|
Log Files for the CPUSE Deployment Agent
In addition, see CPUSE Event Log.
Log File |
Description |
---|---|
Manual start and stop of the CPUSE Deployment Agent
Action | Instructions |
---|---|
Get the current status of the CPUSE Deployment Agent | |
Stop the CPUSE Deployment Agent | |
Start the CPUSE Deployment Agent after you stopped it | |
Software Package Installation by the CPUSE Deployment Agent

- Pre-install validation (installation type - Security Gateway or Management Server, package validation, disk space, conflicts between fix IDs, version compatibility, server type - Check Point Appliance or Open Server, upgrade path).
- Create a new disk partition.
- Install new version files onto the new disk partition.
- Configure the new version, migrate the applicable configuration (object database on a Management Server, SIC, Licenses, applicable settings on a Security Gateway).
- Configure the products on the new disk partition.
- Reboot the server.
- Boot from the new disk partition.
- Import the database on a Management Server, complete the product configuration, fetch policy on a Security Gateway.
- Run the CPUSE post-install self-tests.

- Pre-install validation (installation type - Security Gateway or Management Server, package validation, disk space, conflicts between fix IDs, version compatibility).
- Unpack the new CPUSE package.
- Back up the current CPUSE package.
- Stop the Check Point services (the "cpstop" command).
- Prepare the diff-files (what exactly should be replaced).
- Replace the target files. Rollback, if the installation fails.
- Register the installed package in Check Point Registry.
- Reboot (automatically, if the CPUSE package requires this) or start the Check Point services (the "cpstart" command).
- Run the CPUSE post-install self-tests.
Software Package Verification by the CPUSE Deployment Agent

As part of the verification actions, or at the start of each package installation, the CPUSE Deployment Agent runs several tests to make sure the package is compatible for the installation:
- Available disk space
- Content validation (conflicts with installed content)
- Package is not corrupted
On a Security Management Server / Multi-Domain Security Management Server, at the beginning of an upgrade, the CPUSE Deployment Agent automatically runs the Pre-Upgrade Verifier (PUV) - a validation tool, similar to the pre-upgrade verifier that runs as a part of the Management Server migration process.
If one of the verification tests fails, an administrator must resolve the issue before starting the package installation again.

The CPUSE Deployment Agent has a self-test feature that runs after the installation and checks whether the installation has succeeded. Its purpose is to validate that the required settings are correct and the required daemons are running.
You can configure these self-tests:
- Check Point daemons that were up and running before the package installation are up and running after the package installation (this self-test is enabled by default)
- On a Security Gateway, the local policy fetch works after the package installation (this self-test is disabled by default)
- Network links that were up before the package installation are up after the package installation (this self-test is disabled by default)
The self-test failure condition is different from a regular installation failure - during a regular installation failure, there is an automatic rollback and the Gaia server returns to a point before the package installation started.

Check Point has digitally signed all CPUSE packages with an SHA-256 digital signature since April 2015.
The CPUSE Deployment Agent performs the SHA-256 signature verification and the MD5 integrity verification of the downloaded CPUSE packages. If either verification fails, the download is considered failed.
If you download a CPUSE package from an on-premises Private ThreatCloud Appliance, then all CPUSE packages are signed at the source (by Check Point) using an ECDSA P-521 / SHA-512 digital signature.
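The fail-closed rule described above (the signature check and the MD5 check must both pass), shown with OpenSSL on a constructed file using the ECDSA P-521 / SHA-512 combination named for Private ThreatCloud. This is an added example, not Check Point code; the detached-signature layout, file names and throwaway key are assumptions and do not reflect the CPUSE package format.

```bash
#!/bin/sh
# Added illustration, not Check Point code. The detached-signature layout,
# file names and key are assumptions; they are not the CPUSE package format.

# verify_package PKG SIG PUBKEY EXPECTED_MD5
# Prints ACCEPT and returns 0 only when BOTH checks pass; either failure
# rejects the download.
verify_package() {
    [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 2
    # Authenticity: ECDSA signature over the SHA-512 digest of the package.
    openssl dgst -sha512 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1 \
        || { echo "REJECT signature"; return 1; }
    # Integrity: MD5 catches transfer corruption only; it authenticates nothing.
    got=$(openssl dgst -md5 -r "$1" | cut -d' ' -f1)
    want=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ] || { echo "REJECT md5"; return 1; }
    echo "ACCEPT"
}

# make_sample: constructed data (throwaway P-521 key, dummy package, signature).
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'constructed package payload\n' > "$d/pkg.tgz"
    openssl ecparam -name secp521r1 -genkey -noout -out "$d/key.pem" 2>/dev/null
    openssl ec -in "$d/key.pem" -pubout -out "$d/pub.pem" 2>/dev/null
    openssl dgst -sha512 -sign "$d/key.pem" -out "$d/pkg.sig" "$d/pkg.tgz"
    echo "$d"
}

s=$(make_sample)
md5=$(openssl dgst -md5 -r "$s/pkg.tgz" | cut -d' ' -f1)
verify_package "$s/pkg.tgz" "$s/pkg.sig" "$s/pub.pem" "$md5"
printf 'x' >> "$s/pkg.tgz"    # simulate modification after signing
verify_package "$s/pkg.tgz" "$s/pkg.sig" "$s/pub.pem" "$md5" || true
rm -rf "$s"
```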