Check Point - Offline Deployment Agent Update - weird issue

Introduction

Recently I was tasked with patching a Check Point Security Gateway (or installing a Jumbo Hotfix Accumulator as the Check Point people would say) and I ran into some trouble due to the actual software that installs the patch onto the system being out of date and needing to be upgraded first.

Seems easy enough, but I ran into a weird issue.

The software that installs patches/upgrades in Check Point Security Gateways (the firewalls) and Check Point Security Management Servers is called CPUSE DA, which stands for Check Point Upgrade Service Engine Deployment Agent.

In my case, I was running version R80.30 on the Security Gateway and Deployment Agent version 1806. To install the patch Jumbo Hotfix Accumulator (“Take 294”) I had to have a Deployment Agent version of 1899 or higher.

So to continue installing the patch I first had to update the Deployment Agent, which in most production environments is usually easily done over the internet by letting the firewall connect to the Check Point cloud services. However, if your firewall lacks internet access, you need to download the Deployment Agent file from Check Point’s website and then manually upload it to the unit (firewall/server) you wish to update.

Offline installation procedure

Start by downloading the Deployment Agent update file by heading over to Check Point’s Support Center website and searching for “deployment agent” or similar. There should be a Secure Knowledge article (or “SK”) somewhere at the top with a download link to the actual file.

Next, we need to log in to the Gaia web-GUI of the unit we are going to update and navigate in the left menu to Upgrade (CPUSE) > Status and Actions to get to the main window for patching/upgrading your unit. Here you can see both which version your firewall/server is running and which version of Deployment Agent is running. To the right of this information, you have several buttons with different actions, and one of them says Install DA.

Sometimes the Install DA button looks a bit broken, but it’s usually the first button on the left, as per the image below.

The Problem

Clicking on the Install DA button gives you the ability to upload a file and informs you that the new Deployment Agent file should be uploaded to the Security Gateway as a .TGZ-file, which is the format you’d get the file in if you downloaded it directly from Check Point’s website. However, when I tried to upload the file as a .TGZ-file, I got an error message saying the file is in an incorrect format and could not be extracted, which seems kind of weird since I downloaded the file directly from Check Point and it all looks correct from my point of view.

The Solution

The solution to this was to unpack the .TGZ-file using software such as 7Zip or WinRAR on my PC first, to extract the .TAR-file that was inside the .TGZ-file. I then went back to the Install DA button in the web-GUI and uploaded the file, which was now accepted, and the update went through successfully.

Maybe this was just some weird bug in version R80.30 or with the old Deployment Agent that the firewall was running because I did run into the same issue once it was time to install the virtual Security Management Server (also version R80.30) for the firewall in question, which was solved in the same way by unpacking the .TGZ-file until I had a regular .TAR-file to upload and install from.

As someone fairly new to Check Point, I don’t know if this was something I just “should’ve known”, but looking at the Check Point Community forums I could see that I was not the only one running into this issue. I also tried installing the Deployment Agent update using the CLI, but I ran into the same problem of the firewall telling me the file (.TGZ) was in an incorrect format/file. On the forums, there were even some cases where some people had to further unpack the .TAR-file to get access to the actual .RPM-file (which is the file format used in Linux for software and updates) and use that to issue the update.
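The layering described above (a .TGZ wrapping a .TAR, which may in turn hold an .RPM) can be peeled and inspected with a short script before anything is uploaded to the firewall. This is an added example, not part of the original post and not Check Point tooling; the function names and the sample file names are constructed for illustration, and the SHA-256 is recorded only so the uploaded .TAR can be identified later.

```python
import gzip
import hashlib
import io
import shutil
import tarfile
import tempfile
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def tgz_to_tar(src: Path, dest_dir: Path) -> dict:
    """Strip only the gzip layer from src and describe the .tar inside."""
    with src.open("rb") as fh:
        if fh.read(2) != GZIP_MAGIC:
            raise ValueError(f"{src.name}: not a gzip file, nothing to unpack")
    stem = src.stem if src.stem.endswith(".tar") else src.stem + ".tar"
    tar_path = dest_dir / stem
    with gzip.open(src, "rb") as gz, tar_path.open("wb") as out:
        shutil.copyfileobj(gz, out)
    try:
        # "r:" accepts an uncompressed tar only; members are listed, never extracted.
        with tarfile.open(tar_path, "r:") as tar:
            names = tar.getnames()
    except tarfile.TarError as exc:
        tar_path.unlink()
        raise ValueError(f"{src.name}: gzip payload is not a tar archive") from exc
    return {
        "tar": tar_path,
        "members": names,
        "rpms": [n for n in names if n.lower().endswith(".rpm")],
        "sha256": hashlib.sha256(tar_path.read_bytes()).hexdigest(),
    }


def demo() -> dict:
    """Run against a constructed .tgz holding one placeholder .rpm member."""
    work = Path(tempfile.mkdtemp())
    src = work / "sample_agent.tgz"  # constructed name, not a real package
    payload = b"constructed placeholder, not a real RPM"
    with tarfile.open(src, "w:gz") as tar:
        info = tarfile.TarInfo("sample_agent.rpm")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return tgz_to_tar(src, work)


if __name__ == "__main__":
    print(demo())
```

The returned `tar` path is the file to upload through Install DA, and `rpms` shows whether a further unpacking step would reach an .RPM.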

All-in-all a silly issue with a simple solution, but I know I might not remember if a time comes where I’m stuck at the same issue again, so I might as well write it down here.