Central Deployment of Hotfixes and Version Upgrades

Introduction

Use Central Deployment in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to perform batch deployment of:

You can Deploy a Hotfix or Upgrade Package from:

To use Central Deployment through the API, see the Check Point Management API Reference.

Best Practice - Use the Package Repository on the Management Server if the target's connectivity to the Management Server is better than the target's connectivity to the cloud, or if the target is overloaded with traffic.

Note - You can select up to 30 Security Gateways and Cluster Members, but installation can take place only on 10 targets at the same time. The Management Server places each target above the 10th in a queue. Each time an installation completes on one of the targets, the Management Server installs it on the next target in the queue.

Some Security Gateways have Recommended Hotfixes. See the Recommended Jumbo column in the Gateways & Servers view:

You can deploy a Recommended Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. or a specific Jumbo Hotfix Accumulator take.

Prerequisites

To use Central Deployment:

To use Central Deployment directly from the Check Point Cloud:

  1. The Management Server must be able to connect to the Check Point Cloud.

  2. The target Security Gateways and Cluster Members must be able to connect to the Check Point Cloud.

To install the Recommended Jumbo Hotfix Accumulator on the target Security Gateways and Cluster Members, at least these Jumbo Hotfix Accumulator takes must be installed:

Target Version

Minimal Jumbo Hotfix Accumulator Take

R80.40 and higher

Any take.

R80.30

Take 76 or higher.

R80.20

Take 118 or higher.

R80.10

Take 245 or higher.

Limitations

Installation

Notes:

  • If different targets have different recommended Hotfixes or Upgrade Packages, each target gets its applicable recommended Hotfix or Upgrade Package.

  • Before you install a firmware on a Quantum Spark appliance that runs Gaia Embedded operating system, you must disconnect an external storage from the USB port (at minimum, make sure it does not contain firmware images for Quantum Spark appliances).

How the Central Deployment Upgrades a Cluster

When you use the Central Deployment to install a software package on all members of a ClusterXL in High Availability mode or VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster (non-VSLS), the Central Deployment follows these steps:

  1. Verifies that the states of the Cluster Members are valid (Active and Standby).

  2. Prepares the Access Control Policy for the Cluster:

    1. Changes the version in the Cluster object.

    2. Changes the applicable configuration settings and Access Control Policy.

  3. Upgrades the Standby Cluster Member to the new version.

  4. Runs a Multi-Version Cluster (MVC):

    1. Makes sure the upgraded Cluster Member is in the Standby or Ready state.

    2. Performs cluster failover to one of the upgraded Cluster Members.

  5. Upgrades the former Active Cluster Member.

  6. Verifies that the states of the Cluster Members are valid (Active and Standby).