CPUSE

In This Section: Configuring CPUSE - WebUI Configuring a CPUSE Policy - WebUI Configuring CPUSE Mail Notifications - WebUI Downloading and Installing with CPUSE - clish Reviewing CPUSE – clish Configuring a CPUSE Policy - clish Configuring CPUSE Mail Notifications - clish CLI Procedures - CPUSE

Note - The Software Updates feature was renamed to Check Point Upgrade Service Engine (CPUSE) in R77.20.

With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. The software update packages and full images are for major releases, minor releases and Hotfixes. All of the CPUSE processes are handled by the Deployment Agent daemon (DA).

Gaia automatically locates and shows the available software update packages and full images that are relevant to the Gaia operating system version installed on the computer, the computer's role (gateway, Security Management Server, standalone), and other specific properties. The images and packages can be downloaded from the Check Point Support center and installed.

You can add a private package to the list of available packages. A private package is a Hotfix, located on the Check Point Support Center, thats is only available to limited audiences.

When you update Check Point software, make sure to:

• Define the CPUSE policy for downloads and installation.

  Downloads can be:

  • Manual
  • Automatic
  • Scheduled (daily, weekly, monthly, or once only).

  Installations are:

  • Hotfixes are downloaded and installed automatically by default
  • Full installation and upgrade packages must be installed manually
• Define mail notifications for completed package actions and for the new package updates.
• Run the software download and installation.

Configuring CPUSE - WebUI

If you configure the Upgrades (CPUSE) policy and mail notifications before you download and run an upgrade, you will receive these email notifications, depending on your configuration:

• New Available Packages - When a package becomes available for download from the Check Point Support Center
• Download Status - When an upgrade package or a full installation image is downloaded and available for installation
• Install Status - When an upgrade or a new installation is finished

If a package fails to download or install, an email notification is also sent.

To manually download an installation and upgrade package:

1. In the Upgrades (CPUSE) > Status and Actions page, select a package with the status Available for Download.
2. Click Download.

When the package is downloaded successfully, the package status changes to Downloaded Successfully. If the download fails, the status changes to Download Failed. An appropriate email notification is sent.

To manually download a Hotfix package:

1. In the Upgrades (CPUSE) > Status and Actions page, select a package with the status Available for Download.
2. Click More and select Download.

When the package is downloaded successfully, the status changes to Downloaded Successfully. If the download fails, the status changes to Download Failed. An appropriate email notification is sent.

To manually install a Hotfix or an installation and upgrade package:

1. In the Upgrades (CPUSE) > Status and Actions page, select a package with the status Downloaded Successfully or Available to Download.
2. Optional: To make sure that the package can be used to do an installation or upgrade, click More > Verifier.

   This action checks for available disk space and makes sure that the upgrade is valid and that there is no conflict between the new Hotfix or installation/upgrade package and previously installed Hotfixes.

3. Install or upgrade:
   • To install a Hotfix package, select a Hotfix and click Install Update.
   • To do a clean installation of a full image on a new partition with no configuration migration, select a package and click Clean Install
   • To upgrade using a full image, select a package and click Upgrade.

When the package is installed on the Gaia computer, the package status changes to Installed and an email notification is sent.

To add a private package to the list of available package:

You can add a private package to the list of available packages. A private package is a Hotfix, located on the Check Point Support Center, thats is only available to limited audiences.

1. In the Upgrades (CPUSE) > Status and Actions page, click Add hotfixes from the cloud.
2. In the window that opens, insert the search string that you received from Check Point Support and click search.
3. When the package is found, click the package name.

   The package is added to the list of packages.

If on your local drive you have a CPUSE-compatible package that you copied from another gateway or from the Check Point Download Center, you can add it to the list of available packages.

Note - You can only import CPUSE-compatible packages.

To import a package from your local drive to the list of available package:

1. In the Upgrades (CPUSE) > Status and Actions page, click More and select Import Package.
2. In the window that opens, browse to the package on your computer and click Import.
3. Click OK.

   The package is added to the list of packages.

By default, all packages are shown in the Package list. You can filter the list of packages to only see those that are recommended or installed.

To filter the list of packages:

In the Upgrades (CPUSE) > Status and Actions page, click Showing Recommended Packages and select an option:

• Recommended (default)
• Installed
• All

Configuring a CPUSE Policy - WebUI

To define the CPUSE policy:

1. In the WebUI, go to the Upgrades (CPUSE) > Software Updates Policy page.
2. In the Software Deployment Policy > Download Hotfixes section, select the method to download Hotfixes:
   • Manually (default) - initiated through WebUI or in clish
   • Scheduled - at a certain time Daily, Weekly (select day of the week), Monthly (select day of the month), or Once (select a date)
   • Automatic - as they become available

     CPUSE checks for updates every three hours while the computer is on, immediately after the computer boots up, and at the time of access of the Upgrades (CPUSE) page in WebUI.

   Note - Full installation packages can only be downloaded manually.

3. To help Check Point collect download and installation statistics that are used only to improve the CPUSE service, select Send download and installation data of Software Updates to Check Point.
4. Select Self tests to perform for sanity checks, after installing or upgrading with CPUSE:
   • Start Check Point Processes - To make sure that Check Point processes are running
   • Install Policy - To make sure that it is possible to install a policy
   • Network Link Up - To make sure that the network interfaces on the Gaia computer that were up before the upgrade, are up after it
5. Select Self Test - Auto-rollback upon failure to run a fall-back procedure if the installed package fails one of the sanity tests. The fall-back procedure automatically restores the version that was active before the package was installed, and sends a notification that the installation failed

   Note - If this option is not selected, only the notification is sent.

6. Select Periodically update new Deployment Agent version, to keep the Deployment Agent up to date.
7. Click Apply.

Configuring CPUSE Mail Notifications - WebUI

You can be notified by email of these software update events:

• New packages in the Check Point Support Center that are available for download
• Packages that have been downloaded to the Gaia computer
• Package installation success or failure

To configure CPUSE notifications:

1. In the WebUI, go to the Upgrades (CPUSE) > Software Updates Policy page.
2. Click Add.

   Note - You must have the Mail Server and the User Name of the sender of the CPUSE notifications configured in the System Management > Mail Notification page, before you can configure Mail Notifications. Otherwise, the Add action for Mail Notifications is disabled.

3. Enter a notification recipient's Email address , and select the types of notification they will receive:
   • New Available Packages
   • Download Status
   • Install Status
4. Click OK.

Downloading and Installing with CPUSE - clish

Description

Run these CPUSE procedures: Update, start, or stop the Deployment Agent (the daemon that handles all CPUSE processes) Check for available updates, verify compatibility of the installation package with the computer, download, install, delete, or import full installation packages and hotfixes

Syntax

installer {agent {start | stop | update [not-interactive]} | check-for-updates [not-interactive] | delete {<num> | <package>} [not-interactive] | download {<num> | <package>} [pause | resume | not-interactive] | download-and-install {<num> | <package>} [not-interactive] | import {cloud <package> | ftp <ip_addr> path <path> username <username> [password <password>] | local <path>} [not-interactive] | install {<num> | <package>} [not-interactive] | uninstall {<num> | <package>} [not-interactive] | upgrade {<num> | <package>} [not-interactive] | verify {<num> | <package>} [not-interactive]}

Parameters

Parameter	Description
agent {start | stop | update [not-interactive]}	Run these operations on the installer agent: start - Start the Deployment Agent daemon The Deployment Agent starts automatically on system start-up, as part of the cpstart process. stop - Stop the Deployment Agent daemon update [non-interactive] - Update the Deployment Agent This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
check-for-updates [not-interactive]	Check for new available packages in Check Point cloud. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
delete {<num> | <package>} [not-interactive]	Delete a package. Provide the package filename - <package>, or number <num>. To see all downloaded packages, type installer delete and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
download {<num> | <package>} [pause | resume |not-interactive]	Download a package. Provide the package filename - <package>, or number <num>. To see all available for download packages, type installer download and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option. To pause a package download, run with the pause option. To resume a package download operation, that has been paused, run with the resume option.
download-and-install {<num> | <package>} [not-interactive]	Download and install a package. Provide the package filename - <package>, or number <num>. To see all available for download and installation packages, type installer download-and-install and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
import {cloud <package> | ftp <ip_addr> path <path> username <username> [password <password>] | local <path>} [not-interactive]	Import the package from one of these: cloud - specify the package name, as provided by the Check Point support ftp - specify the IP address of the ftp server, the full path of the package, the username, and the password (optional) local - specify the full path of the package on the local computer This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
install {<num> | <package>} [not-interactive]	Install a package. Provide the package filename - <package>, or number <num>. To see all available for installation packages, type installer install and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
uninstall {<num> | <package>} [not-interactive]	Uninstall a package. Provide the package filename - <package>, or number <num>. To see the installed packages, type installer uninstall and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
upgrade {<num> | <package>} [not-interactive]	Upgrade to a newer version. Provide the package filename - <package>, or number <num>. To see the available upgrade packages, type installer upgrade and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.
verify {<num> | <package>} [not-interactive]	Verify a package before the installation. Provide the package filename - <package>, or number <num>. To see all available for installation packages, type installer verify and press the TAB key. This command runs in interactive mode by default. To run it in non-interactive mode, run with the not-interactive option.

Reviewing CPUSE – clish

Description

Show information about the Deployment Agent: The mail notifications configuration The CPUSE policy for downloads and installation The Deployment Agent status, Deployment Agent build number, the connection status, and the current update status The packages that are available for download, downloaded, imported, installed, and recommended by Check Point The details of a specific package - the display name, description, size, type, status, reboot requirement, Check Point recommendation, components contained, packages containing it, download date/time, import date/time, installation date/time, and installation log location

Syntax

show installer {mail-notifications {<num> | <email>} | package <num> | packages {all | available-for-download | downloaded | imported | installed | recommended} | policy {all | downloads | periodically-self-update | self-test {all | auto-rollback | install-policy | network-link-up | start-processes} | send-cpuse-data} | status {agent | all | build | connection | license | update-from-cloud}}

Parameters

Parameter	Description
mail-notifications {<num> | <email>}	Show these email notifications configured for the user number <num> or for the email address <email>: For changes in download status For changes in installation status For new available packages
package <num>	Show this information about the package number <num>, as shown in the list of packages: Display name Description Size Type - Version, Wrapper, or Hotfix Status - Download or installation status and reason for failure if applicable Requires reboot - Yes or No Recommended - Is the package recommended by Check Point? Contains - List of components (files, archives) inside the package Contained-in - Name of archive containing the package Downloaded on - The date of the download Imported on - The date of the import Installed on - The date of the installation Installation log - The name of the installation log Note - To see the numbered list of packages, type show installer package and hit Tab. Make sure to enter a space after the word package.
packages {all | available-for-download | downloaded | imported | installed | recommended}	Show the list of all installation and Hotfix packages that are: Available for download Downloaded Imported Installed Recommended by Check Point All - all of the above
policy {all | downloads | periodically-self-update | self-test {all | auto-rollback | install-policy | network-link-up | start-processes} | send-cpuse-data}	Show the CPUSE policy configuration details: policy rule for Hotfix downloads (installation packages are downloaded manually only) policy rule for periodic updates of the Deployment Version Self tests configured for sanity checks after upgrading with CPUSE - auto-rollback - if on, runs a fall-back procedure when the installed package fails one of the sanity tests (automatically restores the version that was active before the package was installed and sends a notification that the installation failed) install-policy - if on, makes sure that it is possible to install a policy network-link-up - if on, makes sure that all the network interfaces on the Gaia computer are up start-processes - if on, makes sure that Check Point processes are running policy rule for sending the CPUSE download and installation information to Check Point
status {agent | all | build | connection | license | update-from-cloud}	Show this information about the Deployment Agent: Status - enabled or disabled Build number Connection status - connected or disconnected (also shows the cause of any connection problem, if relevant) License status - active with the expiration date or expired Last update from the cloud

Configuring a CPUSE Policy - clish

Description	Configure the CPUSE policy for downloads and installation.
Syntax	set installer policy {downloads {automatic | manual | scheduled {daily <time> | monthly <day> at <time> | once <date> at <time> | weekly <day_of_the_week> at <time>}} | periodically-self-update {on | off} | self-test {auto-rollback | install-policy | network-link-up | start-processes} {on | off} | send-cpuse-data {on | off}}

Parameters

Parameter	Description
downloads {automatic | manual | scheduled {daily <time> | monthly <day> at <time> | once <date> at <time> | weekly <day_of_the_week> at <time>}}	Configure the way to download the Hotfixes: automatic - to download packages when they become available CPUSE checks for updates every three hours while the computer is up, immediately after the computer boots up, and at the time of access of the Upgrades (CPUSE) page in WebUI. manual - to start all package downloads manually scheduled - at a certain time daily, weekly (specify day of the week), monthly (specify day of the month), or once on a specified date Note - Full installation packages can only be downloaded manually.
periodically-self-update {on | off}	Turn on to keep the Deployment Agent up to date.
self-test {auto-rollback | install-policy | network-link-up | start-processes} {on | off}	Turn on to run sanity checks after upgrading with CPUSE: auto-rollback - to run a fall-back procedure if the installed package fails one of the sanity tests. The fall-back procedure automatically restores the version that was active before the package was installed, and sends a notification that the installation failed. Note - If this option is not selected, only the notification is sent. install-policy - to make sure that it is possible to install the policy network-link-up - to make sure that all the network interfaces on the Gaia computer are up start-processes - to make sure that Check Point processes are running
send-cpuse-data {on | off}	Turn on, to help Check Point collect download and installation data that is used only to improve the CPUSE service.

Configuring CPUSE Mail Notifications - clish

Description	Configure the CPUSE mail notifications.
Syntax	set installer mail-notifications {<num> | <email>} {download-status | install-status | new-available-packages} {on | off}

Parameters

Parameter	Description
mail-notifications {<num> | <email>} {download-status | install-status | new-available-packages} {on | off}	Turn on or off email notifications for the address <email> or the recipient number <num> on the list of configured email addresses: download-status - for changes in download status install-status - for changes in installation status new-available-pack - for new available packages

CLI Procedures - CPUSE

This is a general approach to configuring CPUSE through CLI:

1. Review the current CPUSE configuration and status.
2. Configure the software deployment policy (not mandatory, can be done at another time).
3. Configure the CPUSE email notifications (not mandatory, can be done at another time).
4. Download a package.
5. Make sure that the package you wish to install is compatible with the system.
6. Install the package.

To review current CPUSE configuration and status:

• Run this command to see the packages that are available for download:

  show installer packages available-for-download

• Run this command to see the packages that are downloaded and available for installation:

  show installer packages downloaded

• Run this command to see the installed packages:

  show installer packages installed

• Run this command to see the recommended packages:

  show installer packages recommended

• Run this command to see the imported packages:

  show installer packages imported

• Run this command to see all packages and their status:

  show installer packages all

To configure the Software Deployment Policy:

1. Configure the way to download Hotfixes:
   • Manually - set installer policy downloads manual
   • As they become available - set installer policy downloads automatic
   • According to specified schedule - set installer policy downloads scheduled {daily <time> | monthly <day> at <time> | once <date> at <time> | weekly <day_of_the_week> at <time>}
2. Turn on the self test sanity checks and auto-rollback:
   • To make sure that it is possible to install the policy - set installer policy self-test install-policy on
   • To make sure that all the network interfaces are up - set installer policy self-test network-link-up on
   • To make sure that Check Point processes are running - set installer policy self-test start-processes on
   • To run a fall-back procedure if the installed package fails one of the sanity tests - set installer policy self-test auto-rollback on
3. Turn self-updates on, to keep the Deployment Agent up to date: set installer policy periodically-self-update on
4. Configure the option to send the download and installation data, to help Check Point improve the CPUSE service -

   set installer policy send-cpuse-data on

To configure the CPUSE email notifications:

Turn on these options:

• For changes in download status - set installer mail-notifications {<num> | <email>} download-status on
• For changes in installation status - set installer mail-notifications {<num> | <email>} install-status on
• For new available packages - set installer mail-notifications {<num> | <email>} new-available-packages on

To install a Check Point package, you must first download it, then install it. If you need to install a Hotfix, you can first download it and then install it, or download and install it with one command.

To download a package from the Check Point Download Center:

1. List the names and the sequence numbers of the packages available for download from the Check Point Download Center: type installer download and press the TAB key.
2. Download a package: installer download {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

You can pause a download, if necessary.

To pause a download:

1. List the names and the sequence numbers of the packages that are being downloaded: type installer download and press the TAB key.
2. Pause the download: installer download {<num> | <package>} pause

   You can run the command with either the sequence number or the name of the package.

To resume a download:

1. List the names and the sequence numbers of the packages for which the downloads were paused: type installer download and press the TAB key.
2. Resume the download: installer download {<num> | <package>} resume

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

To import a package:

1. Check for new available packages in the Check Point Cloud: installer check-for-updates [not-interactive]

   You can run the command in interactive (default) or non-interactive mode.

2. Import a package:
   • From the Check Point Cloud: import cloud <package> [not-interactive]
   • From an ftp server: import ftp <ip_addr> path <path> username <username> [password <password>] [not-interactive]
   • From a location on the local computer: import local <path> [not-interactive]

   You can run the command in interactive (default) or non-interactive mode.

To make sure that the package is compatible with the system:

1. List the names and the sequence numbers of the packages available for installation: type installer verify and press the TAB key.
2. Verify a package: installer verify {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

To install a package:

1. List the names and the sequence numbers of the downloaded and imported packages: type installer install and press the TAB key.
2. Install a package: installer install {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

To download and install a Hotfix with one command:

1. List the names and the sequence numbers of the Hotfixes available for download and installation: type installer download-and-install and press the TAB key.
2. Download and install a Hotfix: installer download-and-install {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

To upgrade to a later version:

1. List the names and the sequence numbers of the downloaded packages: type installer upgrade and press the TAB key.
2. Run the upgrade: installer upgrade {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

To uninstall a package:

1. List the names and the sequence numbers of the installed packages: type installer uninstall and press the TAB key.
2. Uninstall a package: installer uninstall {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.

To clear some disk space, you can delete packages you do not need.

To delete a package from the disk:

1. List the names and the sequence numbers of the downloaded packages: type installer delete and press the TAB key.
2. Delete a package: installer delete {<num> | <package>} [not-interactive]

   You can run the command with either the sequence number or the name of the package, and either in interactive (default) or non-interactive mode.