Upgrading with SmartUpdate
SmartUpdate automatically distributes applications and updates for Check Point and OPSEC Certified products, and manages product licenses. It provides a centralized means to guarantee that Internet security throughout the enterprise network is always up to date. SmartUpdate turns time-consuming tasks that could otherwise be performed only by experts into simple point and click operations.
SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed security gateways from a single management console. SmartUpdate ensures security deployments are always up-to-date by enforcing the most current security software. This provides greater control and efficiency while dramatically decreasing maintenance costs of managing global security installations.
SmartUpdate enables remote upgrade, installation and license management to be performed securely and easily. A system administrator can monitor and manage remote gateways from a central location, and decide whether there is a need for software upgrade, new installations and license modification. It is possible to remotely upgrade:
- Check Point Security Gateways
- Hotfixes, Hotfix Accumulators (HFAs) and patches
- Third party OPSEC applications
- UTM-1 Edge
- Check Point IPSO Operating System
All operations that can be performed via SmartUpdate can also be done via the command line interface. See The SmartUpdate Command Line for more information.
SmartUpdate installs two repositories on the Security Management server:
Packages and licenses are loaded into these repositories from several sources:
- the Download Center web site (packages)
- the Check Point DVD (packages)
- the User Center (licenses)
- by importing a file (packages and licenses)
- by running the
cplic command line
Of the many processes that run on the Check Point Security Gateways distributed across the corporate network, two in particular are used for SmartUpdate. Upgrade operations require the
cprid daemon, and license operations use the
cpd daemon. These processes listen and wait for the information to be summoned by the Security Management server.
From a remote location, an administrator logged into the Security Management server initiates operations using the SmartUpdate tool. The Security Management server makes contact with the Check Point Security Gateways via the processes that are running on these gateways in order to execute the operations initiated by the system administrator (e.g., attach a license, or upload an upgrade). Information is taken from the repositories on the Security Management server. For instance, if a new installation is being initiated, the information is retrieved from the Package Repository; if a new license is being attached to remote gateway, information is retrieved from the License & Contract Repository.
This entire process is Secure Initial Communication (SIC) based, and therefore completely secure.
SmartUpdate - Seeing it for the First Time
SmartUpdate has two tabs:
- Packages tab shows the packages and Operating Systems installed on the Check Point Security Gateways managed by the Security Management server. Operations that relate to packages can only be performed in the Packages tab.
- Licenses tab shows the licenses on the managed Check Point Security Gateways. Operations that relate to licenses can only be performed in the Licenses tab.
These tabs are divided into a tree structure that displays the packages installed and the licenses attached to each managed Security Gateway.
The tree has three levels:
- Root level shows the name of the Security Management server to which the GUI is connected.
- Second level shows the names of the Check Point Security Gateways configured in SmartDashboard.
- Third level shows the Check Point packages (in the Packages tab) or installed licenses (in the Licenses tab) on the Check Point Security Gateway.
Additionally, the following panes can be displayed:
- Package Repository - shows all the packages available for installation. To view this pane, select Packages > View Repository.
- License & Contract Repository - shows all licenses (attached or unattached). To view this pane, select Licenses > View Repository.
- Operation Status - shows past and current SmartUpdate operations. To view this pane, select Operations > View Status. In this pane you can read about:
- Operations performed (e.g.,
Installing package <X> on Gateway <Y>, or
Attaching license <L> to Gateway <Y>.).
- The status of the operation being performed, throughout all the stages of its development (for instance, operation started, or a warning).
- A progress indicator.
- The time that the operation takes to complete.
- Packages and licenses can be dragged and dropped from the Repositories onto the Security Gateways in the Package/Licenses Management tree. This drag and drop operation will invoke the distribute or attach operation respectively.
- To search for a text string: select Tools > Find. In , enter a string to search for. Select search location: tab or .
- To sort in ascending or descending order, click the column title in the Licenses or Packages tab.
- To expand or collapse the Check Point Security Gateways tree structure, right-click on the tree root and choose Expand/Collapse.
- To change the Repository view, right-click on a blank row or column in the Repository window and select an option. For example, in the Licenses Repository you can select to see only the attached licenses.
- To clear a single operation, select the line in the Operation Status window and press the Delete key, or right-click and select Clear. To clear all completed operations from the Operation Status window, select Status > Clear all completed operations.
- To view operation details, in the Operation Status window, double-click the operation entry. The Operation Details window shows the operation description, start and finish times, and progress history. The window is resizable. To copy the Status lines to the clipboard, select the line, right-click and choose Copy.
- To print a view, select File > Print. The Choose Window is displayed. Select the window that you would like to print, e.g., Operation Status or License & Contract Repository. Optionally, you can adjust the print setup settings, or preview the output.
- Log of SmartUpdate package operations -
- Audit log of SmartUpdate operations - SmartView Tracker Audit View.
The latest management version can be applied to a single Check Point Security Gateway, or to multiple Check Point Security Gateways simultaneously. Use the Upgrade all Packages operation to bring packages up to the most current management version.
When you perform Upgrade all Packages all products are upgraded to the latest Security Management server version. This process upgrades both the software packages and its related HFA (that is, the most up to date HFA is installed). Once the process is over, the software packages and the latest HFA will exist in the Package Repository.
To upgrade Check Point packages to versions earlier than the latest available version, they must be upgraded one-by-one. Use the Distribute operation to upgrade packages to management versions other than the most current, or to apply specific HFAs.
In addition, SmartUpdate recognizes gateways that do not have the latest HFA. When you right-click an HFA in the Package Repository and select Distribute for that specific HFA, you will receive a recommendation to install a new HFA on the gateways that do not have it.
Prerequisites for Remote Upgrades
- Make sure that SmartUpdate connections are allowed. Go to SmartDashboard > Policy > Global Properties > FireWall Implied Rules, and make sure that Accept SmartUpdate Connections is selected.
- Secure Internal Communication (SIC) must be enabled between the Security Management server and remote Check Point Security Gateways.
Retrieving Data from Check Point Security Gateways
In order to know exactly what OS, vendor and management version is on each remote gateway, you can retrieve that data directly from the gateway.
- To retrieve data on a specific Check Point Security Gateway, right-click on the gateway in the Package Management window and select Get Gateway Data.
- If you are installing or upgrading multiple Check Point Security Gateways, from the Packages menu select Get Data From All.
Adding New Packages to the Package Repository
To distribute (that is, install) or upgrade a package, you must first add it to the Package Repository. You can add packages to the Package Repository from the following three locations:
- Select Packages > New Package > Add from Download Center.
- Accept the Software Subscription Download Agreement.
- Enter your user credentials.
- Select the packages to be downloaded. Use the
Shift keys to select multiple files. You can also use the Filter to show just the packages you need.
- Click Download to add the packages to the Package Repository.
Use this procedure for adding OPSEC packages and Hotfixes to the Package Repository.
- Open a browser to the Check Point Support Center.
- Select the package you want to upgrade.
- Enter your user credentials.
- Accept the Software Subscription Download Agreement.
- Choose the appropriate platform and package, and save the download to the local disk.
- Select Packages > New Package > Import File.
- In the Add Package window, navigate to the desired
.tgz file and click Open to add the packages to the Package Repository.
Check Point DVD
- Select Packages > New Package > Add from CD/DVD.
- Browse to the optical drive, and click OK.
A window opens, showing the available packages on the DVD.
- Select the packages to add to the Package Repository (Ctrl-select for more than one package).
- Click OK.
Verifying the Viability of a Distribution
Verify that the distribution (that is, installation) or upgrade is viable based upon the Check Point Security Gateway data retrieved. The verification process checks that:
- the Operating System and currently distributed packages are appropriate for the package to be distributed,
- there is sufficient disk space,
- the package is not already distributed,
- the package dependencies are fulfilled.
To manually verify a distribution, select Packages > Pre-Install Verifier….
Transferring Files to Remote Devices
When you are ready to upgrade or distribute packages from the Package Repository, it is recommended to transfer the package files to the devices to be upgraded. Placing the file on the remote device shortens the overall installation time, frees Security Management server for other operations, and reduces the chance of a communications error during the distribute/upgrade process. Once the package file is located on the remote device, you can activate the distribute/upgrade whenever it is convenient.
Transfer the package file(s) to the directory
$SUROOT/tmp on the remote device. If this directory does not exist, do one of the following:
- For Windows gateways, place the package file in the directory
SYSTEMDRIVE is usually
- For UNIX gateways, place the package file in the directory
Distributions and Upgrades
You can upgrade all packages on one remote gateway, or you can distribute specific packages one-by-one for all gateways.
Upgrading All Packages on a Check Point Remote Gateway
All Check Point packages on a single remote gateway, other than the operating system, can be remotely upgraded in a single operation. The Upgrade all Packages function allows you to simultaneously distribute or upgrade multiple packages to the latest management version. Proceed as follows:
- Select Packages > Upgrade all Packages.
- From the Upgrade All Packages window, select the Check Point Security Gateways that you want to upgrade. Use the
Shift keys to select multiple devices.
Note - The Reboot if required... option (checked by default) is required in order to activate the newly distributed package.
- If one or more of the required packages are missing from the Package Repository, the Download Packages window opens. Download the required package directly to the Package Repository.
- Click Upgrade.
The installation proceeds only if the upgrade packages for the selected packages are available in the Package Repository.
Updating a Single Package on a Check Point Remote Gateway
Use this procedure to select the specific package that you want to apply to a single package. The distribute function allows you to:
- Upgrade the OS on an IP appliance or on SecurePlatform
- Upgrade any package to a management version other than the latest
- Apply Hot Fix Accumulators (HFAs)
Proceed as follows:
- In the Package Management window, click the Check Point Security Gateway you want to upgrade.
- Select Packages > distribute.
- From the distribute Packages window, select the package that you want to distribute. Use the
Shift keys to select multiple packages, and then click distribute.
The installation proceeds only if the upgrade packages selected are available in the Package Repository.
Upgrading UTM-1 Edge Firmware with SmartUpdate
The UTM-1 Edge gateway firmware represents the software that is running on the appliance. The UTM-1 Edge gateway's firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool that is used to upgrade all gateways in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the Security Management server, downloaded and subsequently installed when the UTM-1 Edge gateway fetches for updates. Since the UTM-1 Edge gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.
If you do not want to wait for the fetch to occur you can download the updates with the Push Packages Now (UTM-1 Edge only) option in the Packages menu. With this option it is possible to create a connection with UTM-1 Edge in order to access new (that is, the latest) software package(s). The distribution is immediate and avoids the need to wait for the fetch to get the package.
Canceling and Uninstalling
You can stop a distributed installation or upgrade while in progress.
To cancel a SmartUpdate operation:
- Select Status > Stop Operation.
At a certain point in any operation, the Stop Operation function becomes unavailable. You can cancel the operation after this point. This will uninstall changes made. Use this also to uninstall distributed installations or upgrades.
- Wait for the operation to complete.
- Select Packages > Uninstall.
Note - Uninstallation restores the gateway to the last management version distributed.
Uninstalling Installations and Upgrades
If you want to cancel an operation and you have passed the point of no return, or the operation has finished, you can uninstall the upgrade by selecting Packages > Uninstall.
Note - Uninstallation restores the gateway to the last management version distributed.
Restarting the Check Point Security Gateway
After you distribute an upgrade or uninstall, reboot the gateway.
To restart the gateway:
- Select Reboot if required at the final stage of upgrade or uninstall.
- Select Packages > Reboot Gateway.
Recovering from a Failed Upgrade
If an upgrade fails on SecurePlatform, SmartUpdate restores the previously distributed version.
SecurePlatform Automatic Revert
If an upgrade or distribution operation fails on a SecurePlatform device, the device will reboot itself and automatically revert to the last version distributed.
Snapshot Image Management
Before performing an upgrade, you can use the command line to create a Snapshot image of the SecurePlatform OS, or of the packages distributed. If the upgrade or distribution operation fails, you can use the command line to revert the disk to the saved image.
- To create a Snapshot file on the gateway, type:
cprinstall snapshot <object name> <filename>
- To show the available Snapshot files, type:
cprinstall show <object name>
- To revert to a given Snapshot file, type:
cprinstall revert <object name> <filename>
Note - Snapshot files are stored at
/var/CPsnapshot on the gateway.
Deleting Packages from the Package Repository
To clear the Package Repository of extraneous or outdated packages, select a package, or Ctrl-select multiple packages and select Packages > Delete Package. This operation cannot be undone.
With SmartUpdate, you can manage all licenses for Check Point packages throughout the organization from the Security Management server. SmartUpdate provides a global view of all available and installed licenses, allowing you to perform such operations as adding new licenses, attaching licenses and upgrading licenses to Check Point Security Gateways, and deleting expired licenses. Check Point licenses come in two forms, Central and Local.
- The Central license is the preferred method of licensing. A Central license ties the package license to the IP address of the Security Management server. That means that there is one IP address for all licenses; that the license remains valid if you change the IP address of the gateway; and that a license can be taken from one Check Point Security Gateway and given to another with ease. For maximum flexibility, it is recommended to use Central licenses.
- The Local license is an older method of licensing, however it is still supported by SmartUpdate. A Local license ties the package license to the IP address of the specific Check Point Security Gateway, and cannot be transferred to a gateway with a different IP address.
When you add a license to the system using SmartUpdate, it is stored in the License & Contract Repository. Once there, it must be installed to the gateway and registered with the Security Management server. Installing and registering a license is accomplished through an operation known as attaching a license. Central licenses require an administrator to designate a gateway for attachment, while Local licenses are automatically attached to their respective Check Point Security Gateways.
Licenses received from the User Center should first be added to the License & Contract Repository. Adding a local license to the License & Contract Repository also attaches it to the gateway.
Licenses can be conveniently imported to the License & Contract Repository via a file and they can be added manually by pasting or typing the license details.
Licenses are attached to a gateway via SmartUpdate. Attaching a license to a gateway involves installing the license on the remote gateway, and associating the license with the specific gateway in the License & Contract Repository.
- Central License
A Central License is a license attached to the Security Management server IP address, rather than the gateway IP address. The benefits of a Central License are:
- Only one IP address is needed for all licenses.
- A license can be taken from one gateway and given to another.
- The new license remains valid when changing the gateway IP address. There is no need to create and install a new license.
- Certificate Key
The Certificate Key is a string of 12 alphanumeric characters. The number is unique to each package. For an evaluation license your certificate key can be found inside the mini pack. For a permanent license you should receive your certificate key from your reseller.
A command line for managing local licenses and local license operations. For additional information, refer to the R76 Command Line Interface Reference Guide.
Detaching a license from a gateway involves uninstalling the license from the remote gateway and making the license in the License & Contract Repository available to any gateway.
Licenses can be in one of the following states:
The license state depends on whether the license is associated with the gateway in the License & Contract Repository, and whether the license is installed on the remote gateway. The license state definitions are as follows:
- Attached indicates that the license is associated with the gateway in the License & Contract Repository, and is installed on the remote gateway.
- Unattached indicates that the license is not associated with the gateway in the License & Contract Repository, and is not installed on any gateway.
- Assigned is a license that is associated with the gateway in the License & Contract Repository, but has not yet been installed on a gateway.
- Upgrade Status is a field in the License & Contract Repository that contains an error message from the User Center when the Upgrade process fails.
Locally installed licenses can be placed in the License & Contract Repository, in order to update the repository with all licenses across the installation. The Get operation is a two-way process that places all locally installed licenses in the License & Contract Repository and removes all locally deleted licenses from the License & Contract Repository.
- License Expiration
Licenses expire on a particular date, or never. After a license has expired, the functionality of the Check Point package may be impaired.
- Local License
A Local License is tied to the IP address of the specific gateway and can only be used with a gateway or a Security Management server with the same address.
- Multi-License File
Licenses can be conveniently added to a gateway or a Security Management server via a file, rather than by typing long text strings. Multi-license files contain more than one license, and can be downloaded from the Check Point User Center.
Multi-license files are supported by the
cplic put, and
cplic add command-line commands.
A character string that identifies the features of a package.
One of the many SmartUpdate features is to upgrade licenses that reside in the License & Contract Repository. SmartUpdate will take all licenses in the License & Contract Repository, and will attempt to upgrade them with the use of the Upgrade tool.
The License Attachment Process
Introducing the License Attachment Process
When a Central license is placed in the License & Contract Repository, SmartUpdate allows you to attach it to Check Point packages. Attaching a license installs it to the remote gateway and registers it with the Security Management server.
New licenses need to be attached when:
- An existing license expires.
- An existing license is upgraded to a newer license.
- A Local license is replaced with a Central license.
- The IP address of the Security Management server or Check Point Security Gateway changes.
Attaching a license is a three step process.
- Get real-time license data from the remote gateway.
- Add the appropriate license to the License & Contract Repository.
- Attach the license to the device.
The following explains the process in detail.
Retrieving License Data from Check Point Security Gateways
To know exactly what type of license is on each remote gateway, you can retrieve that data directly from the gateway.
- To retrieve license data from a single remote gateway, right-click on the gateway in the License Management window and select Get Check Point Security Gateway Licenses.
- To retrieve license data from multiple Check Point Security Gateways, from the Licenses menu and select Get All Licenses.
Adding New Licenses to the License & Contract Repository
To install a license, you must first add it to the License & Contract Repository. You can add licenses to the License & Contract Repository in the following ways:
Download From the User Center
- Select Network Objects License & Contract tab > Add License > From User Center
- Enter your credentials.
- Perform one of the following:
- Generate a new license - if there are no identical licenses, the license is added to the License & Contract Repository.
- Change the IP address of an existing license, that is, Move IP.
- Change the license from Local to Central.
Importing License Files
- Select Licenses & Contract > Add License > From File.
- Browse to the location of the license file, select it, and click Open.
A license file can contain multiple licenses. Unattached Central licenses appear in the License & Contract Repository, and Local licenses are automatically attached to their Check Point Security Gateway. All licenses are assigned a default name in the format SKU@ time date, which you can modify at a later time.
Add License Details Manually
You may add licenses that you have received from the Licensing Center by email. The email contains the license installation instructions.
- Locate the license:
- If you have received a license by email, copy the license to the clipboard. Copy the string that starts with
cplic putlic... and ends with the last SKU/Feature. For example:
cplic putlic 126.96.36.199 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890
- If you have a hard copy printout, continue to step 2.
- Select the tab in SmartUpdate.
- Select Licenses > Add License > Manually. The Add License window appears.
- Enter the license details:
- If you copied the license to the clipboard, click Paste License. The fields will be populated with the license details.
- Alternatively, enter the license details from a hard-copy printout.
- Click Calculate, and make sure the result matches the validation code received from the User Center.
- You may assign a name to the license, if desired. If you leave the Name field empty, the license is assigned a name in the format SKU@ time date.
- Click OK to complete the operation.
After licenses have been added to the License & Contract Repository, select one or more licenses to attach to a Check Point Security Gateway.
- Select the license(s).
- Select Network Objects License & Contract tab > Attach.
- From the Attach Licenses window, select the desired device.
If the attach operation fails, the Local licenses are deleted from the Repository.
Detaching a license involves deleting a single Central license from a remote Check Point Security Gateway and marking it as unattached in the License & Contract Repository. This license is then available to be used by any Check Point Security Gateway.
To detach a license, select Network Objects License & Contract tab > Detach and select the licenses to be detached from the displayed window.
Deleting Licenses from the License & Contract Repository
Licenses that are not attached to any Check Point Security Gateway and are no longer needed can be deleted from the License & Contract Repository.
To delete a license:
- Right-click anywhere in the License & Contract Repository and select View Unattached Licenses.
- Select the unattached license(s) to be deleted, and click Delete.
Viewing License Properties
The overall view of the License & Contract Repository displays general information on each license such as the name of the license and the IP address of the machine to which it is attached. You can view other properties as well, such as expiration date, SKU, license type, certificate key and signature key.
To view license properties, double-click on the license in the Licenses tab.
Checking for Expired Licenses
After a license has expired, the functionality of the Check Point package will be impaired; therefore, it is advisable to be aware of the pending expiration dates of all licenses.
To check for expired licenses, select Licenses > Show Expired Licenses.
To check for licenses nearing their dates of expiration:
- In the License Expiration window, set the Search for licenses expiring within the next
x days property.
- Click Apply to run the search.
To delete expired licenses from the License Expiration window, select the detached license(s) and click Delete.
Exporting a License to a File
Licenses can be exported to a file. The file can later be imported to the License & Contract Repository. This can be useful for administrative or support purposes.
To export a license to a file:
- In the Licenses Repository, select one or more licenses, right-click, and from the menu select Export to File….
- In the Choose File to Export License(s) To window, name the file (or select an existing file), and browse to the desired location. Click Save.
All selected licenses are exported. If the file already exists, the new licenses are added to the file.
Managing Multi-Domain Security Management Licenses with SmartUpdate
To manage licenses using SmartUpdate, select the SmartUpdate view in the SmartDomain Manager Selection Bar. If you loaded SmartUpdate, you can also right-click a Multi-Domain Server object and select Applications > SmartUpdate from the Options menu. Licenses for components and blades are stored in a central repository.
To view repository contents:
- Select SmartUpdate from the SmartDomain Manager Main menu.
- Select >> . The repository pane shows in the SmartUpdate view.
To add new licenses to the repository:
- Select SmartUpdate from the SmartDomain Manager Main menu.
- Select >> .
- Select a method for adding a license:
- From User Center - Obtain a license file from the User Center.
- From file - Import a license file to the repository.
- Manually - Open the window and enter licenses information manually. You can copy the license string from a file and click to enter the data.
You can now see the license in the repository.
To attach a license to a component:
- In the SmartDomain Manager, select .
- Select >> .
- Select a license from the window. The license shows as attached in the repository.
For more about license management tasks in SmartUpdate, see the R76 Security Management Administration Guide.
Web Security License Enforcement
A gateway or gateway cluster requires a Web Security license if it enforces one or more of the following protections:
- Malicious Code Protector
- LDAP Injection
- SQL Injection
- Command Injection
- Directory Listing
- Error Concealment
- ASCII Only Request
- Header Rejection
- HTTP Methods
Before upgrading a gateway or Security Management server, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on Security Management server and downloaded to Check Point Security Gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.
For more on service contracts, see the Service Contract Files Web page.
CPInfo is a support tool that gathers into one text file a wide range of data concerning the Check Point packages in your system. When speaking with a Check Point Technical Support Engineer, you may be asked to run CPInfo and transmit the data to the Support Center. Download the tool from the Support Center.
To launch CPInfo, select Tools > Generate CPInfo.
- Choose the directory to which you want to save the output file.
- Choose between two methods to name the file:
- based on the SR number the technician assigns you, or
- a custom name that you define.
- Optionally, you may choose to add:
- log files to the CPInfo output.
- the registry to the CPInfo output.
The SmartUpdate Command Line
All management operations that are performed via the SmartUpdate GUI can also be executed via the command line. There are three main commands:
cppkg to work with the Packages Repository.
cprinstall to perform remote installations of packages.
cplic for license management.
For details on how to use these commands, see the R76 Command Line Interface Reference Guide.