Thursday, November 26, 2015

Troubleshooting update R77.30

This article helps with updating a Check Point firewall when there are problems with the confd process.
In this situation CPU utilization is at 99% and it is very difficult to work in clish.



Updating the firewall to R77.30 solves this problem.
 -----------------------------------------------------




The first thing to do is to update the Deployment Agent (CPUSE).

  1. Check the installed version of the Gaia Software Updates Agent:
[Expert@HostName]# cpvinfo $DADIR/bin/DAService | grep -E "Build|Minor"
  2. Download the latest version of CPUSE from the User Center and copy it to the firewall.
  3. Extract the Software Updates Agent package:
[Expert@HostName]# tar -zxvf DeploymentAgent_000000822_1.tgz
  4. Install the Gaia Software Updates Agent RPM:
[Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm
  5. Start the Gaia Software Updates Agent:
[Expert@HostName]# $DADIR/bin/dastart

At this point it is important to check that enough disk space is available. Use the command
[Expert@HostName]# df -h

Ideally the root partition should have at least 2.5 or 3 GB of free space.

If there is not enough free space, you can run this command from the root directory (/) to see which directories use the most disk space:

[Expert@HostName]# du -sh *


Sample output
--------------------------------------------------------------------------------
[Expert@xxxxxx:0]# du -sh *
0       CPMILinksMgr.db.private
0       DEBUG
48K     DOCS
4.0K    License.txt
21M     bin
14M     boot
952K    bootsplash.log
4.0K    cliapiStart
4.0K    cliapiend
5.1M    config
164K    dev
97M     etc
1.1G    home
4.0K    initrd
124M    lib
1.5M    lib64
16K     lost+found
8.0K    mnt
0       op
6.0G    opt
0       proc
4.0K    ramdisk
40K     root
27M     sbin
0       selinux
0       sys
1.1G    sysimg
562M    tmp
125M    usr
210G    var
42M     web



It can be helpful to use the command fuser namefile (where namefile is the name of the file) to see which processes are using a particular file. To delete the file afterwards, you can kill that process or use cpstop, which stops the Check Point services.

Once you have freed up disk space, you can proceed with the upgrade.
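
The free-space check described above, as a script for Expert mode. This is an added example, not part of the original post; the function names and the MIN_FREE_KB constant are assumptions. Unlike du -sh *, it stays on the root filesystem and sorts the result.

```bash
#!/bin/bash
# Added example: pre-upgrade disk check for Expert mode.
# MIN_FREE_KB is an assumption: the 2.5 GB lower bound suggested in the text.
MIN_FREE_KB=$((2560 * 1024))

# Print the "Available" column (KB) from `df -Pk <mountpoint>` read on stdin.
# -P keeps each filesystem on one line, even with long device names.
free_kb_from_df() {
    awk 'NR == 2 { print $4 }'
}

# Succeed if the given number of free KB meets the threshold.
enough_space() {
    [ "$1" -ge "$MIN_FREE_KB" ]
}

# List the largest directories directly under $1, biggest first (sizes in KB).
# -x keeps du on one filesystem, so /proc, /sys and separately mounted
# partitions do not distort the picture of what fills the root partition.
largest_dirs() {
    dir=$1
    count=${2:-5}
    du -xk --max-depth=1 "$dir" 2>/dev/null |
        awk -F'\t' -v top="${dir%/}" '$2 != top && $2 != (top "/")' |
        sort -rn | head -n "$count"
}

# Run the check only when called as: ./precheck.sh check
if [ "${1:-}" = "check" ]; then
    free=$(df -Pk / | free_kb_from_df)
    echo "free on /: $((free / 1024)) MB"
    if enough_space "$free"; then
        echo "enough space for the upgrade"
    else
        echo "not enough space; largest directories on the root filesystem:"
        largest_dirs / 10
    fi
fi
```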


First of all, download R77.30 using CPUSE. List the available packages with the command

namefirewall> installer download  (space) + press <TAB>
**  ************************************************************************* **
**                                 Hotfixes                                   **
**  ************************************************************************* **
Num Display name                                      Status
1   R77.30 Hotfix for sk106196 (Policy installatio... Available for Download
2   R77.30 Hotfix for sk106499 (Check Point respon... Available for Download
3   R77.30 Hotfix for sk106334 (Memory consumption... Available for Download
4   R77.30 Hotfix for sk106994 (Improved overlappi... Available for Download
**  ************************************************************************* **
**                                   HFAs                                     **
**  ************************************************************************* **
Num Display name                                      Status
5   R77.30 SmartConsole for Windows                   Available for Download
6   R77.30 Add-on package                             Available for Download
**  ************************************************************************* **
**                                  Majors                                    **
**  ************************************************************************* **
Num Display name                                      Status
7   R76 Fresh Install                                 Available for Download
8   R77.30 Fresh Install and Upgrade from R75.4X /... Available for Download
9   R77.10 Fresh Install and Upgrade from R76 / R7... Available for Download
10  R77.20 Fresh Install and Upgrade from R75.4X /... Available for Download
11  R75.46 Fresh Install                              Available for Download
12  R77 Fresh Install and Upgrade from R71.50 / R7... Available for Download
13  R75.40VS Fresh Install


When you have found the R77.30 update, you can download it with the command:

namefirewall> installer download xx (xx is the number of the update)


When the download has finished, you can proceed with the update using the command:


namefirewall> installer install xx (xx is the number of the update; to find the new number of the update, run installer install (space) + press <TAB>)


The whole procedure will probably be very slow because of clish; however, you can check whether the update is progressing as follows:

1) Run the command show installer package xx (xx is the number of the update; to find the new number of the update, run show installer package (space) + press <TAB>). One useful piece of information is the name of the log file (used below).


2) Go to the expert shell and check whether there is a process tied to the update with the command ps -auxwww

3) Check whether a process is writing to the log file in the directory /opt/CPInstLog. List the latest files with the command ls -lart inside that directory.
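
Steps 2 and 3 can be combined in a small Expert-mode script. This is an added example, not part of the original post or of Check Point's tooling; the function names and the 10-second sampling interval are assumptions.

```bash
#!/bin/bash
# Added example: check whether the CPUSE install is still writing its log.
# LOG_DIR is the directory named in the text; the interval is an assumption.
LOG_DIR=${LOG_DIR:-/opt/CPInstLog}

# Print the most recently modified regular file in directory $1 (empty if none).
newest_log() {
    ls -t "$1" 2>/dev/null | while read -r name; do
        if [ -f "$1/$name" ]; then
            printf '%s\n' "$1/$name"
            break
        fi
    done
}

# Succeed if file $1 grows within $2 seconds.
log_is_growing() {
    before=$(wc -c < "$1")
    sleep "$2"
    after=$(wc -c < "$1")
    [ "$after" -gt "$before" ]
}

# Report the newest log, whether it is growing, and which PIDs hold it open.
install_status() {
    log=$(newest_log "$1")
    if [ -z "$log" ]; then
        echo "no log files in $1"
        return 1
    fi
    echo "newest log: $log"
    if log_is_growing "$log" "${2:-10}"; then
        echo "log is growing: the install is making progress"
    else
        echo "no new log output in ${2:-10}s"
    fi
    # fuser prints the PIDs that have the file open (nothing if the writer exited)
    if command -v fuser >/dev/null 2>&1; then
        fuser "$log" 2>/dev/null || echo "no process has the log open"
    fi
    tail -n 5 "$log"
}

# Run only when called as: ./install_status.sh watch [seconds]
if [ "${1:-}" = "watch" ]; then
    install_status "$LOG_DIR" "${2:-10}"
fi
```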

At the end of the process the firewall will reboot automatically.







