Upgrading with SmartUpdate

In This Section:

Introducing SmartUpdate

Understanding SmartUpdate

SmartUpdate - Seeing it for the First Time

Common Operations

Upgrading Packages

Managing Licenses

Service Contracts

Generating CPInfo

The SmartUpdate Command Line

Introducing SmartUpdate

SmartUpdate automatically distributes applications and updates for Check Point and OPSEC Certified products, and manages product licenses. It provides a centralized means to guarantee that Internet security throughout the enterprise network is always up to date. SmartUpdate turns time-consuming tasks that could otherwise be performed only by experts into simple point and click operations.

SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed security Gateways from a single management console. SmartUpdate ensures security deployments are always up-to-date by enforcing the most current security software. This provides greater control and efficiency while dramatically decreasing maintenance costs of managing global security installations.

SmartUpdate enables remote upgrade, installation and license management to be performed securely and easily. A system administrator can monitor and manage remote Gateways from a central location, and decide whether there is a need for software upgrade, new installations and license modification. It is possible to remotely upgrade:

All operations that can be performed via SmartUpdate can also be done via the command line interface. See The SmartUpdate Command Line for more information.

Understanding SmartUpdate

SmartUpdate installs two repositories on the Security Management Server:

Packages and licenses are loaded into these repositories from several sources:

Of the many processes that run on the Check Point Security Gateways distributed across the corporate network, two in particular are used for SmartUpdate. Upgrade operations require the cprid daemon, and license operations use the cpd daemon. These processes listen and wait for the information to be summoned by the Security Management Server.

From a remote location, an administrator logged into the Security Management Server initiates operations using the SmartUpdate tool. The Security Management Server contacts the Check Point Security Gateways through the processes running on those Gateways in order to execute the operations initiated by the system administrator (e.g., attach a license, or upload an upgrade). Information is taken from the repositories on the Security Management Server. For instance, if a new installation is being initiated, the information is retrieved from the Package Repository; if a new license is being attached to a remote gateway, information is retrieved from the License & Contract Repository.

This entire process is based on Secure Internal Communication (SIC), and therefore completely secure.

SmartUpdate - Seeing it for the First Time

SmartUpdate has two tabs:

These tabs are divided into a tree structure that displays the packages installed and the licenses attached to each managed Security Gateway.

The tree has three levels:

Additionally, the following panes can be displayed:

Common Operations

Drag and Drop - Packages and licenses can be dragged and dropped from the Repositories onto the Security Gateways in the Package/Licenses Management tree. This drag and drop operation will invoke the distribute or attach operation respectively.

Search - To search for a text string: select Tools > Find. In Find what, enter a string to search for. Select search location: Network Objects License & Contract tab or Package Repository.

Sort - To sort in ascending or descending order, click the column title in the Licenses or Packages tab.

Expand or Collapse - To expand or collapse the Check Point Security Gateways tree structure, right-click on the tree root and choose Expand/Collapse.

Change view - To change the Repository view, right-click on a blank row or column in the Repository window and select an option. For example, in the Licenses Repository you can select to see only the attached licenses.

Clear Repository of completed operations - To clear a single operation, select the line in the Operation Status window and press the Delete key, or right-click and select Clear. To clear all completed operations from the Operation Status window, select Status > Clear all completed operations.

See operation details - To view operation details, in the Operation Status window, double-click the operation entry. The Operation Details window shows the operation description, start and finish times, and progress history. The window is resizable. To copy the Status lines to the clipboard, select the line, right-click and choose Copy.

Print views - To print a view, select File > Print. The Choose Window is displayed. Select the window that you would like to print, e.g., Operation Status or License & Contract Repository. Optionally, you can adjust the print setup settings, or preview the output.

See logs -

Upgrading Packages

The latest management version can be applied to a single Check Point Security Gateway, or to multiple Check Point Security Gateways simultaneously. Use the Upgrade all Packages operation to bring packages up to the most current management version.

When you perform Upgrade all Packages, all products are upgraded to the latest Security Management Server version. This process upgrades both the software packages and their related HFA (that is, the most up to date HFA is installed). Once the process is over, the software packages and the latest HFA will exist in the Package Repository.

To upgrade Check Point packages to versions earlier than the latest available version, they must be upgraded one-by-one. Use the Distribute operation to upgrade packages to management versions other than the most current, or to apply specific HFAs.

In addition, SmartUpdate recognizes Gateways that do not have the latest HFA. When you right-click an HFA in the Package Repository and select Distribute for that specific HFA, you will receive a recommendation to install a new HFA on the Gateways that do not have it.

Prerequisites for Remote Upgrades

Secure Internal Communication (SIC) must be enabled between the Security Management Server and remote Check Point Security Gateways.

Retrieving Data from Check Point Security Gateways

In order to know exactly what OS, vendor and management version is on each remote gateway, you can retrieve that data directly from the gateway.

Adding New Packages to the Package Repository

To distribute (that is, install) or upgrade a package, you must first add it to the Package Repository. You can add packages to the Package Repository from the following three locations:

Download Center

  1. Select Packages > New Package > Add from Download Center.
  2. Accept the Software Subscription Download Agreement.
  3. Enter your user credentials.
  4. Select the packages to be downloaded. Use the Ctrl and Shift keys to select multiple files. You can also use the Filter to show just the packages you need.
  5. Click Download to add the packages to the Package Repository.

User Center

Use this procedure for adding OPSEC packages and Hotfixes to the Package Repository.

  1. Open a browser to the Check Point Support Center.
  2. Select the package you want to upgrade.
  3. Enter your user credentials.
  4. Accept the Software Subscription Download Agreement.
  5. Choose the appropriate platform and package, and save the download to the local disk.
  6. Select Packages > New Package > Import File.
  7. In the Add Package window, navigate to the desired .tgz file and click Open to add the packages to the Package Repository.

Check Point DVD

  1. Select Packages > New Package > Add from CD/DVD.
  2. Browse to the optical drive, and click OK.

    A window opens, showing the available packages on the DVD.

  3. Select the packages to add to the Package Repository (Ctrl-select for more than one package).
  4. Click OK.

Verifying the Viability of a Distribution

Verify that the distribution (that is, installation) or upgrade is viable based upon the Check Point Security Gateway data retrieved. The verification process checks that:

To manually verify a distribution, select Packages > Pre-Install Verifier….

Transferring Files to Remote Devices

When you are ready to upgrade or distribute packages from the Package Repository, it is recommended to transfer the package files to the devices to be upgraded. Placing the file on the remote device shortens the overall installation time, frees Security Management Server for other operations, and reduces the chance of a communications error during the distribute/upgrade process. Once the package file is located on the remote device, you can activate the distribute/upgrade whenever it is convenient.

Transfer the package file(s) to the directory $SUROOT/tmp on the remote device. If this directory does not exist, do one of the following:

Distributions and Upgrades

You can upgrade all packages on one remote gateway, or you can distribute specific packages one-by-one for all Gateways.

Upgrading All Packages on a Check Point Remote Gateway

  1. Click Packages > Upgrade all Packages.
  2. From the Upgrade All Packages window, select the Check Point Security Gateways that you want to upgrade. Use the Ctrl and Shift keys to select multiple devices.

    Note - The Reboot if required option (selected by default) is required to activate the newly distributed package.

  3. If one or more of the required packages are missing from the Package Repository, the Download Packages window opens. Download the required package directly to the Package Repository.
  4. Click Upgrade.

    The installation proceeds only if the upgrade packages for the selected packages are available in the Package Repository.

Updating a Single Package on a Check Point Remote Gateway

Use this procedure to select the specific package that you want to apply to a single package. The distribute function allows you to:

To update a single package on a remote gateway:

  1. In the Package Management window, click the Check Point Security Gateway to upgrade.
  2. Select Packages > Distribute.
  3. From the Distribute Packages window, select the package to distribute.

    Use the Ctrl and Shift keys to select multiple packages, and click Distribute.

    The installation proceeds only if the upgrade packages selected are available in the Package Repository.

Upgrading UTM-1 Edge Firmware with SmartUpdate

The UTM-1 Edge gateway firmware is the software that runs on the appliance. The UTM-1 Edge gateway's firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool that is used to upgrade all Gateways in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the Security Management Server, downloaded and subsequently installed when the UTM-1 Edge gateway fetches updates. Since the UTM-1 Edge gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.

If you do not want to wait for the fetch to occur you can download the updates with the Push Packages Now (UTM-1 Edge only) option in the Packages menu. With this option it is possible to create a connection with UTM-1 Edge in order to access new (that is, the latest) software package(s). The distribution is immediate and avoids the need to wait for the fetch to get the package.

Canceling and Uninstalling

You can stop a Distributed installation or upgrade while in progress.

To stop a Distributed installation or upgrade:

From the SmartUpdate Menu, select Operation > Stop Operation.

To uninstall a package:

From the SmartUpdate Menu, select Packages > Uninstall.

Note - Uninstallation restores the gateway to the last management version distributed.

Restarting the Check Point Security Gateway

After you distribute an upgrade or uninstall, reboot the gateway.

To restart the gateway:

Recovering from a Failed Upgrade

If an upgrade fails on SecurePlatform, SmartUpdate restores the previously distributed version.

SecurePlatform Automatic Revert

If an upgrade or distribution operation fails on a SecurePlatform device, the device will reboot itself and automatically revert to the last version distributed.

Snapshot Image Management on SecurePlatform Gateways

Before performing an upgrade, you can use the command line to create a Snapshot image of the SecurePlatform OS, or of the packages distributed. If the upgrade or distribution operation fails, you can use the command line to revert the disk to the saved image.

Note - Snapshot files are stored at /var/CPsnapshot on the gateway.

Deleting Packages from the Package Repository

To clear the Package Repository of extraneous or outdated packages, select a package, or Ctrl-select multiple packages and select Packages > Delete Package. This operation cannot be undone.

Managing Licenses

With SmartUpdate, you can manage all licenses for Check Point packages throughout the organization from the Security Management Server. SmartUpdate provides a global view of all available and installed licenses, allowing you to perform such operations as adding new licenses, attaching licenses and upgrading licenses to Check Point Security Gateways, and deleting expired licenses. Check Point licenses come in two forms, Central and Local.

When you add a license to the system using SmartUpdate, it is stored in the License & Contract Repository. Once there, it must be installed to the gateway and registered with the Security Management Server. Installing and registering a license is accomplished through an operation known as attaching a license. Central licenses require an administrator to designate a gateway for attachment, while Local licenses are automatically attached to their respective Check Point Security Gateways.

Licensing Terminology

License Upgrade

One of the many SmartUpdate features is to upgrade licenses that reside in the License & Contract Repository. SmartUpdate will take all licenses in the License & Contract Repository, and will attempt to upgrade them with the use of the Upgrade tool.

The License Attachment Process

Introducing the License Attachment Process

When a Central license is placed in the License & Contract Repository, SmartUpdate allows you to attach it to Check Point packages. Attaching a license installs it to the remote gateway and registers it with the Security Management Server.

New licenses need to be attached when:

Attaching a license is a three step process.

  1. Get real-time license data from the remote gateway.
  2. Add the appropriate license to the License & Contract Repository.
  3. Attach the license to the device.

The following explains the process in detail.

Retrieving License Data from Check Point Security Gateways

To know exactly what type of license is on each remote gateway, you can retrieve that data directly from the gateway.

Adding New Licenses to the License & Contract Repository

To install a license, you must first add it to the License & Contract Repository. You can add licenses to the License & Contract Repository in the following ways:

Download From the User Center

  1. Select Network Objects License & Contract tab > Add License > From User Center.
  2. Enter your credentials.
  3. Perform one of the following:
    • Generate a new license (If there are no identical licenses, the license is added to the License & Contract Repository).
    • Change the IP address of an existing license, that is, Move IP.
    • Change the license from Local to Central.

Importing License Files

  1. Select Licenses & Contract > Add License > From File.
  2. Browse to the location of the license file, select it, and click Open.

A license file can contain multiple licenses. Unattached Central licenses appear in the License & Contract Repository, and Local licenses are automatically attached to their Check Point Security Gateway. All licenses are assigned a default name in the format SKU@ time date, which you can modify at a later time.

Add License Details Manually

You may add licenses that you have received from the Licensing Center by email. The email contains the license installation instructions.

  1. Locate the license:
    • If you have received a license by email, copy the license to the clipboard. Copy the string that starts with cplic putlic... and ends with the last SKU/Feature.
    • For example: cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890
    • If you have a hard copy printout, continue to step 2.
  2. Select the Network Objects License & Contract tab in SmartUpdate.
  3. Select Licenses > Add License > Manually. The Add License window appears.
  4. Enter the license details:
    • If you copied the license to the clipboard, click Paste License. The fields will be populated with the license details.
    • Alternatively, enter the license details from a hard-copy printout.
  5. Click Calculate, and make sure the result matches the validation code received from the User Center.
  6. You may assign a name to the license, if desired. If you leave the Name field empty, the license is assigned a name in the format SKU@ time date.
  7. Click OK to complete the operation.

Attaching Licenses

After licenses have been added to the License & Contract Repository, select one or more licenses to attach to a Check Point Security Gateway.

  1. Select the license(s).
  2. Select Network Objects License & Contract tab > Attach.
  3. From the Attach Licenses window, select the desired device.

If the attach operation fails, the Local licenses are deleted from the Repository.

Detaching Licenses

Detaching a license involves deleting a single Central license from a remote Check Point Security Gateway and marking it as unattached in the License & Contract Repository. This license is then available to be used by any Check Point Security Gateway.

To detach a license, select Network Objects License & Contract tab > Detach and select the licenses to be detached from the displayed window.

Deleting Licenses from the License & Contract Repository

Licenses that are not attached to any Check Point Security Gateway and are no longer needed can be deleted from the License & Contract Repository.

To delete a license:

  1. Right-click anywhere in the License & Contract Repository and select View Unattached Licenses.
  2. Select the unattached license(s) to be deleted, and click Delete.

Viewing License Properties

The overall view of the License & Contract Repository displays general information on each license such as the name of the license and the IP address of the machine to which it is attached. You can view other properties as well, such as expiration date, SKU, license type, certificate key and signature key.

To view license properties, double-click on the license in the Licenses tab.

Checking for Expired Licenses

After a license has expired, the functionality of the Check Point package will be impaired; therefore, it is advisable to be aware of the pending expiration dates of all licenses.

To check for expired licenses, select Licenses > Show Expired Licenses.

To check for licenses nearing their dates of expiration:

  1. In the License Expiration window, set the Search for licenses expiring within the next x days property.
  2. Click Apply to run the search.

To delete expired licenses from the License Expiration window, select the detached license(s) and click Delete.
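
The license string shown under Add License Details Manually and the expiration search described above can also be checked offline, for example before importing a batch of license e-mails. The following is an added example, not Check Point code: it assumes the field order of the page's own `cplic putlic` example and that a license without an end date carries the word `never`; all sample strings except the first are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address
from typing import List, Optional, Tuple

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


@dataclass
class License:
    host: str                # IP address the license was issued for
    expires: Optional[date]  # None = no expiration date
    signature: str           # signature key
    features: List[str]      # SKU/feature tokens
    cert_key: Optional[str]  # certificate key (CK-...), if present


def parse_expiry(field: str) -> Optional[date]:
    """Convert a ddMmmyyyy field such as 06Dec2002 into a date."""
    # Assumption: a license without an end date carries the word "never" here.
    if field.lower() == "never":
        return None
    m = re.fullmatch(r"(\d{1,2})([A-Za-z]{3})(\d{4})", field)
    if not m or m.group(2).capitalize() not in MONTHS:
        raise ValueError(f"bad expiration field: {field!r}")
    # date() itself rejects impossible days such as 31Feb.
    return date(int(m.group(3)), MONTHS[m.group(2).capitalize()], int(m.group(1)))


def parse_putlic(line: str) -> License:
    """Parse 'cplic putlic <ip> <date> <signature> <SKU/features...>'."""
    tokens = line.split()
    if tokens[:2] != ["cplic", "putlic"] or len(tokens) < 6:
        raise ValueError("not a complete 'cplic putlic' string")
    host, expiry, signature, *rest = tokens[2:]
    ip_address(host)  # raises ValueError on a malformed address
    cert_key = next((t for t in rest if t.startswith("CK-")), None)
    features = [t for t in rest if not t.startswith("CK-")]
    if not features:
        raise ValueError("license string carries no SKU/feature")
    return License(host, parse_expiry(expiry), signature, features, cert_key)


def expiry_report(licenses: List[License], today: date,
                  within_days: int) -> Tuple[List[License], List[License]]:
    """Return (expired, expiring within the next `within_days` days)."""
    horizon = today + timedelta(days=within_days)
    dated = [lic for lic in licenses if lic.expires is not None]
    # Assumption: a license is still valid on its expiration date itself.
    expired = [lic for lic in dated if lic.expires < today]
    expiring = [lic for lic in dated if today <= lic.expires <= horizon]
    return expired, expiring


SAMPLE = [
    # The example string from this page.
    "cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx "
    "CPSUITE-EVAL-3DES-NGX CK-1234567890",
    # Constructed strings with placeholder signature, SKU and certificate key.
    "cplic putlic 192.0.2.10 15Mar2030 aaaaaaaa-bbbbbbb-cccccccc-ddddddddd "
    "EXAMPLE-SKU-A CK-000000000000",
    "cplic putlic 192.0.2.11 never aaaaaaaa-bbbbbbb-cccccccc-ddddddddd "
    "EXAMPLE-SKU-B CK-111111111111",
]

if __name__ == "__main__":
    parsed = [parse_putlic(s) for s in SAMPLE]
    expired, expiring = expiry_report(parsed, date(2030, 3, 1), within_days=30)
    for lic in expired:
        print("EXPIRED ", lic.host, lic.expires, ",".join(lic.features))
    for lic in expiring:
        print("EXPIRING", lic.host, lic.expires, ",".join(lic.features))
```
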

Exporting a License to a File

Licenses can be exported to a file. The file can later be imported to the License & Contract Repository. This can be useful for administrative or support purposes.

To export a license to a file:

  1. In the Licenses Repository, select one or more licenses, right-click, and from the menu select Export to File….
  2. In the Choose File to Export License(s) To window, name the file (or select an existing file), and browse to the desired location. Click Save.

All selected licenses are exported. If the file already exists, the new licenses are added to the file.

Managing Licenses Using SmartUpdate

To manage licenses using SmartUpdate, select the SmartUpdate view in the SmartDomain Manager Selection Bar. If you loaded SmartUpdate, you can also right-click a Multi-Domain Server object and select Applications > SmartUpdate from the Options menu. Licenses for components and blades are stored in a central repository.

To view repository contents:

  1. Select SmartUpdate from the SmartDomain Manager Main menu.
  2. Select SmartUpdate > Network Objects License & Contract > View Repository. The repository pane shows in the SmartUpdate view.

To add new licenses to the repository:

  1. Select SmartUpdate from the SmartDomain Manager Main menu.
  2. Select SmartUpdate > Network Objects License & Contract > Add License.
  3. Select a method for adding a license:
    • From User Center - Obtain a license file from the User Center.
    • From file - Import a license file to the repository.
    • Manually - Open the Add License window and enter license information manually. You can copy the license string from a file and click Paste License to enter the data.

    You can now see the license in the repository.

To attach a license to a component:

  1. Select SmartUpdate from the SmartDomain Manager Main menu.
  2. Select SmartUpdate > Network Objects License & Contract > Attach License.
  3. Select a license from the Attach Licenses window. The license shows as attached in the repository.

You can manage other license tasks with SmartUpdate. See the R77 Security Management Administration Guide.

Web Security License Enforcement

A gateway or gateway cluster requires a Web Security license if it enforces one or more of the following protections:

Service Contracts

Before upgrading a gateway or Security Management Server, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on Security Management Server and downloaded to Check Point Security Gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.

For more on service contracts, see the Service Contract Files Web page.

Generating CPInfo

CPInfo is a support tool that gathers into one text file a wide range of data concerning the Check Point packages in your system. When speaking with a Check Point Technical Support Engineer, you may be asked to run CPInfo and transmit the data to the Support Center. Download the tool from the Support Center.

To launch CPInfo, select Tools > Generate CPInfo.

  1. Choose the directory to which you want to save the output file.
  2. Choose between two methods to name the file:
    • based on the SR number the technician assigns you, or
    • a custom name that you define.
  3. Optionally, you may choose to add:
    • log files to the CPInfo output.
    • the registry to the CPInfo output.

Sending CPinfo to Check Point Automatically

SmartUpdate lets you automatically generate and send CPinfo to Check Point Technical support.

To automatically generate and send CPinfo:

  1. Open SmartUpdate.
  2. Right-click a Security Gateway or Security Management Server.
  3. Select Upload CPInfo to Check Point.

    The Upload CPinfo from... window opens.

  4. Enter your User Center authentication credentials (email and password) and SR number.
  5. Select Download and install latest CPInfo package.
  6. Enter an SR Number if you have one.
  7. Click Upload More files if you want to send additional files.

    Click Add to enter the full path to the remote file on the remote gateway or Security Management Server.

  8. Click OK.

    The Operation Status window opens.

    • CPinfo generates the data, encrypts and transfers the data to the User Center.
    • After the secure file upload successfully completes, an email notification is sent to the email address specified in step 3.

The SmartUpdate Command Line

All management operations that are performed via the SmartUpdate GUI can also be executed via the command line. There are three main commands:

For details on how to use these commands, see the R77 Command Line Interface Reference Guide.