CPUSE Architecture and Design

The CPUSE Deployment Agent is installed on each Gaia-based device and it is responsible for all software deployment process on that device.

Applicable CPUSE Software Packages

All applicable software packages are uploaded to the Check Point cloud.

In the Gaia Operating System that is connected to the Internet, the CPUSE Deployment Agent shows software packages that are applicable only to this specific Gaia server.

For a Gaia server is not connected to the Internet, you can manually download the required offline CPUSE packages and then import them on that Gaia server.

Suppressing the Reboot Behavior

At the beginning of each installation / uninstall of a Hotfix / Jumbo Hotfix Accumulator, the CPUSE Deployment Agent asks the user whether to perform a reboot automatically when the installation / uninstall completes. You can suppress this automatic reboot functionality to perform post-install / post-uninstall actions (that also require reboot) and thus reduce the number of reboots.

If you choose to suppress the automatic reboot, then the CPUSE Deployment Agent does not reboot the Gaia server automatically. However, all actions are allowed blocked for the installed Hotfix / Jumbo Hotfix Accumulator package (except for exporting the package and deleting the package from disk). All actions are allowed for other packages.

Important - During the installation / uninstall of a CPUSE package, all Check Point services are stopped (with the "cpstop" command). Therefore, we strongly recommend to complete all the necessary maintenance operations and reboot the Gaia server as soon as possible to restore the normal operation of Check Point software. For more details, refer to sk113045.

Name of the CPUSE Package in Gaia Portal / Gaia Clish

Download Source /
CPUSE Package		 Name of CPUSE Package
From the Check Point cloud
(CPUSE Online installation)		 The CPUSE Deployment Agent takes the package name from the Check Point cloud (from the corresponding metadata package).
CPUSE Offline package The CPUSE Deployment Agent shows the name of the TAR / TGZ file.

CPUSE Exported package

that you imported

 The CPUSE Deployment Agent takes the package name from the original CPUSE package.

CPUSE Local Package Repository

All CPUSE packages you download and manually import on a Gaia server are located in the $DADIR/repository/tmp/ directory.

This directory contains symbolic links to the /var/log/CPda/repository/tmp/ directory, where these CPUSE package are physically stored.

CPUSE Deployment Agent (DA)

Main Directory for the CPUSE Deployment Agent

/opt/CPda/

The environment variable is: $DADIR

Main Daemon for the CPUSE Deployment Agent

$DADIR/bin/DAService

Log Files for the CPUSE Deployment Agent

In addition, see CPUSE Event Log.

Log File

Description

/opt/CPInstLog/DA_UI.log

  • Contains general messages for users.

  • This log file is not rotated.

  • The last 10 minutes of the this log file appear in Gaia Portal:

    Software Updates section > Available Updates page > Event log button.

/opt/CPInstLog/DeploymentAgent.log

  • Contains detailed technical log for administrators and for troubleshooting.

  • The CPUSE Deployment Agent keeps a maximum of 10 rotated files:

    • DeploymentAgent.log.1

    • DeploymentAgent.log.2

    • ...

    • DeploymentAgent.log.10

Manual start and stop of the CPUSE Deployment Agent

Action

Instructions

Get the current status of

the CPUSE Deployment Agent

  1. Connect to the command line on the Gaia server.

  2. Log in to Gaia Clish.

    On Scalable Platforms, log in to Gaia gClish.

  3. Examine the CPUSE Deployment Agent status:

    show installer status agent

    • "Agent: Enabled" means the CPUSE Deployment Agent daemon is running.

    • "Agent: Disabled" means the CPUSE Deployment Agent daemon is not running.

  1. Connect to the command line on the Gaia server.

  2. Log in to the Expert mode.

  3. Run one of these commands:

    • Run the applicable Gaia Clish command

      (Gaia gClish command on Scalable Platforms):

      clish -c "show installer status agent"

      gclish -c "show installer status agent"

      • "Agent: Enabled" means the CPUSE Deployment Agent daemon is running.

      • "Agent: Disabled" means the CPUSE Deployment Agent daemon is not running.

    • Run the applicable Expert mode command:

      cpwd_admin list | grep -E "APP|DASERVICE"

      Refer to the "STAT" column:

      • "E" (stands for executing) means the CPUSE Deployment Agent daemon is running.

      • "T" (stands for terminated) means the CPUSE Deployment Agent daemon is not running.

Stop the CPUSE Deployment Agent

  1. Connect to the command line on the Gaia server.

  2. Log in to the Expert mode.

  3. Disable the monitoring of the CPUSE Deployment Agent daemon by Check Point WatchDog:

    $DADIR/bin/dastop

    This "dastop" command runs this command in the background:

    cpwd_admin stop -name DASERVICE

  4. Manually stop the CPUSE Deployment Agent daemon in one of these ways:

    • In the Expert mode:

      DAClient stop

    • In Gaia Clish / Gaia gClish:

      installer agent stop

Start the CPUSE Deployment Agent

after you stopped it

  1. Connect to the command line on the Gaia server.

  2. Log in to the Expert mode.

  3. Enable the monitoring of the CPUSE Deployment Agent daemon by Check Point WatchDog:

    $DADIR/bin/dastart

    This "dastart" command runs this command in the background:

    $CPDIR/bin/cpwd_admin start -name DASERVICE -path "/opt/CPda/bin/DAService_script" -command "DAService_script"

  4. Manually start the CPUSE Deployment Agent daemon in one of these ways:

    • In the Expert mode:

      DAClient start

    • In Gaia Clish / Gaia gClish:

      installer agent start

Software Package Installation by the CPUSE Deployment Agent

  1. Pre-install validation (installation type - Security Gateway or Management Server), package validation, disk space, conflicts between fix IDs, version compatibility, server type - Check Point Appliance or Open Server, upgrade path).

    See Part 2 of 3 - Verify the CPUSE Software Package.

  2. Create a new disk partition.

  3. Install new version files onto the new disk partition.

  4. Configure the new version, migrate the applicable configuration (object database on a Management Server, SIC, Licenses, applicable settings on a Security Gateway).

  5. Configure the products on the new disk partition.

  6. Reboot the server.

  7. Boot from the new disk partition.

  8. Import the database on a Management Server, complete the product configuration, fetch policy on a Security Gateway.

  9. Run the CPUSE post-install self-tests.

    See CPUSE Update Settings.

  1. Pre-install validation (installation type - Security Gateway or Management Server), package validation, disk space, conflicts between fix IDs, version compatibility).

    See Part 2 of 3 - Verify the CPUSE Software Package.

  2. Unpack the new CPUSE package.

  3. Back up the current CPUSE package.

  4. Stop the Check Point services (the "cpstop" command).

  5. Prepare the diff-files (what exactly should be replaced).

  6. Replace the target files. Rollback, if the installation fails.

  7. Register the installed package in Check Point Registry.

  8. Reboot (automatically, if the CPUSE package requires this) or start the Check Point services (the "cpstart" command).

  9. Run the CPUSE post-install self-tests.

    See CPUSE Update Settings.

Software Package Verification by the CPUSE Deployment Agent

As part of the verification actions, or at the start of each package installation, the CPUSE Deployment Agent runs several tests to make sure the package is compatible for the installation:

  1. Available disk space

  2. Content validation (conflicts with installed content)

  3. Package is not corrupted

On a Security Management Server / Multi-Domain Security Management Server, at the beginning of an upgrade, the CPUSE Deployment Agent automatically runs the Pre-Upgrade Verifier (PUV) - a validation tool, similar to the pre-upgrade verifier that runs as a part of the Management Server migration process.

If one of the verification tests fails, an administrator is required to resolve the issue, and only then to start the package installation again.

The CPUSE Deployment Agent has a self-test feature that runs after installation and checks whether the installation has succeeded - and its purpose is to validate that the required settings are correct and the required daemons are running.

You can configure these self-tests:

  1. Check Point daemons are up and running before the package installation, are up and running after the package installation (this self-test is enabled by default)

  2. On a Security Gateway, the local policy fetch works after the package installation (this self-test is disabled by default)

  3. Network links that were up before the package installation, are up after the package installation (this self-test is disabled by default)

See CPUSE Update Settings.

The self-test failure condition is different from a regular installation failure - during a regular installation failure, there is an automatic rollback and the Gaia server returns to a point before the package installation started.

Check Point digitally signs all CPUSE packages using an SHA-256 digital signature since April 2015.

The CPUSE Deployment Agent performs the SHA-256 signature verification and the MD5 integrity verification of the downloaded CPUSE packages. If the either verification fails, the download is considered as failed.

If you download a CPUSE package from an on-premises Private ThreatCloud Appliance, then all CPUSE packages are signed at the source (by Check Point) using an ECDSA P-521 / SHA-512 digital signature.