Installing a Hotfix on a Single Chassis

This procedure describes the Full Connectivity installation of an Offline CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. package on a Single Chassis.

Important Notes

It is not supported to upgrade the CPUSE Deployment Agent on SGMs in a Security Group.
This procedure keeps the current connections in a Security Group A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway..
This procedure applies to Security Groups in Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. mode and VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode.

In VSX mode, you must run all the commands in the context of VS0.
If you finished a clean install on this chassis, then you can install a Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. only after you run the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. First Time Configuration Wizard.

Do not install the hotfix on all the SGMs at the same time.

If you do so with the command below, traffic stops passing through all SGMs until the hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. is installed:

installer install <Number of CPUSE Package> member_ids all

In this procedure, you divide all SGMs in a specific Security Group into two or more logical groups.

In the procedure below, we use two logical groups denoted below as "A" and "B".

You install the hotfix on one logical group of the SGMs at one time.

The other logical group(s) of the SGMs continues to handle traffic.

Each logical group should contain the same number of SGMs - as close as possible.

Examples:

Environment	Description
Single Chassis	There are 8 SGMs in the Security Group. The Logical Group "A" contains SGMs from 1_1 to 1_4. The Logical Group "B" contains SGMs from 1_5 to 1_8.
Single Chassis	There are 5 SGMs in the Security Group. The Logical Group "A" contains SGMs from 1_1 to 1_3. The Logical Group "B" contains SGMs from 1_4 to 1_5.

Best Practice - Perform this procedure over the serial console.

Procedure

Step 1 - Perform the preliminary steps

Step

Instructions

Make sure you have the applicable CPUSE offline package or the exported CPUSE package.

Transfer the CPUSE offline or exported package to the Chassis (into some directory, for example: /home/admin/).

Connect to the command line on the Chassis.

Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Go to the Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Gateway Modules. Commands you run in this shell apply to all Security Gateway Module in the Security Group.:

gclish

Import the CPUSE package from the hard disk:

installer import local /<Full Path>/<Name of the CPUSE Offline Package>

Example:

[Global] HostName-ch01-01 > installer import local /home/admin/Check_Point_R81.10_Hotfix_Bundle_FULL.tar

Show the imported CPUSE packages:

show installer packages imported

Make sure the imported CPUSE package can be installed on this Chassis:

installer verify[Press the Tab key]

installer verify <Number of CPUSE Package> member_ids all

Example:

[Global] HostName-ch01-01 > installer verify 2 member_ids all
... ...
Update Service Engine
+------------------------------------------------------------------------------+
|Member ID    |Status                                                          |
+-------------+----------------------------------------------------------------+
|1_01 (local) |Installation is allowed.                                        |
|1_02         |Installation is allowed.                                        |
|1_03         |Installation is allowed.                                        |
|1_04         |Installation is allowed.                                        |
|1_05         |Installation is allowed.                                        |
|1_06         |Installation is allowed.                                        |
|1_07         |Installation is allowed.                                        |
|1_08         |Installation is allowed.                                        |
+-------------+----------------------------------------------------------------+
[Global] HostName-ch01-01 >

Step 2 - Disable the SMO Image Cloning feature

Note - The SMO See "SMO". Image Cloning feature automatically clones all the required software packages to the SGMs during their boot. When you install or remove software packages gradually on SGMs, it is necessary to disable this feature, so that after a reboot the updated SGMs do not clone the software packages from the existing non-updated SGMs.

Step

Instructions

Connect to the command line on the Security Group.

If your default shell is /bin/bash (Expert mode), then go to Gaia gClish:

gclish

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Disable the SMO Image Cloning feature, if it is enabled:

set smo image auto-clone state off

Examine the state of the SMO Image Cloning feature:

show smo image auto-clone state

Step 3 - Install the Hotfix on SGMs in the Logical Group "A"

Step

Instructions

Connect in one of these ways:

Connect to one of the SGMs in the Logical Group "A" through the console.
Connect to one of the SGMs in the Logical Group "B" over SSH.

Go to the context of one of the SGMs in the Logical Group "A":

member <Member ID>

Example:

member 1_1

Go to the Expert mode.

expert

Set the SGMs in the Logical Group "A" to the state "DOWN":

g_clusterXL_admin –b <SGM IDs in Group "A"> down

Example:

[Expert@HostName-ch0x-0x:0]# g_clusterXL_admin -b 1_1-1_4 down

Go to the Gaia gClish:

gclish

Install the CPUSE package on SGMs in the Logical Group "A":

installer install [Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "A"

Example:

[Global] HostName-ch01-01> installer install 2 member_ids 1_1-1_4
... ...
Update Service Engine
+------------------------------------------------------------------------------+
|Member ID    |Status                                                          |
+-------------+----------------------------------------------------------------+
|1_01 (local) |Package is ready for installation                               |
|1_02         |Package is ready for installation                               |
|1_03         |Package is ready for installation                               |
|1_04         |Package is ready for installation                               |
+-------------+----------------------------------------------------------------+
The machines (1_02,1_02,1_03,1_04) will automatically reboot after install.
Do you want to continue? ([y]es / [n]o) y

Go to the Expert mode.

expert

Monitor the SGMs in the Logical Group "A" until they boot:

asg monitor

Step 4 - Install the Hotfix on SGMs in the Logical Group "B"

Step

Instructions

Connect in one of these ways:

Connect to one of the SGMs in the Logical Group "B" through the console.
Connect to one of the SGMs in the Logical Group "A" over SSH.

Go to the context of one SGMs in the Logical Group "B":

member <Member ID>

Example:

member 1_5

Go to Gaia gClish:

gclish

Upgrade the SGMs in the Logical Group "B":

installer install[Press the Tab key]

installer install <Number of CPUSE Package> member_ids <SGM IDs in Group "B">

Example:

[Global] HostName-ch01-01 > installer install 2 member_ids 1_5-1_8
... ...
Update Service Engine
+------------------------------------------------------------------------------+
|Member ID    |Status                                                          |
+-------------+----------------------------------------------------------------+
|1_05 (local) |Package is ready for installation                               |
|1_06         |Package is ready for installation                               |
|1_07         |Package is ready for installation                               |
|1_08         |Package is ready for installation                               |
+-------------+----------------------------------------------------------------+
The machines (1_05,1_06,1_07,1_08) will automatically reboot after install.
Do you want to continue? ([y]es / [n]o) y

Go to the Expert mode.

expert

Monitor the Security Group Members in the Logical Group "B" until they boot:

asg monitor

Step 6 - Make sure the Hotfix is installed

Step

Instructions

Connect to the command line on the Security Group.

Go to the Expert mode.

expert

Run:

asg diag verify