Jan 06 2026 dev (#387)

* sync code * update code to support brotli * update code to support brotli * update code to support brotli * sync code * fix findBrotli * sync code * sync code * sync code * sync code --------- Co-authored-by: Ned Wright <nedwright@proton.me> Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>
2026-01-17 16:00:26 +03:00 · 2026-01-13 17:17:52 +02:00
parent c1058db57d
commit e7b6e51b31
216 changed files with 12601 additions and 2825 deletions
--- a/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
+++ b/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
@@ -68,6 +68,15 @@ checkSAMLPortal(const string &command_output)
    return string("false");
 }

+Maybe<string>
+checkIdaPDP(const string &command_output)
+{
+    if (command_output.find("is_collecting_identities (true)") != string::npos) {
+        return string("true");
+    }
+    return string("false");
+}
+
 Maybe<string>
 checkInfinityIdentityEnabled(const string &command_output)
 {
@@ -139,6 +148,14 @@ checkIsInstallHorizonTelemetrySucceeded(const string &command_output)
    return command_output;
 }

+Maybe<string>
+checkIsCME(const string &command_output)
+{
+    if (command_output == "" ) return string("false");
+
+    return command_output;
+}
+
 Maybe<string>
 getOtlpAgentGaiaOsRole(const string &command_output)
 {
@@ -147,6 +164,129 @@ getOtlpAgentGaiaOsRole(const string &command_output)
    return command_output;
 }

+
+// Helper function for case-insensitive substring search
+inline bool
+containsIgnoreCase(const string& text, const string& pattern) {
+    string lowerText = text;
+    string lowerPattern = pattern;
+    transform(lowerText.begin(), lowerText.end(), lowerText.begin(), ::tolower);
+    transform(lowerPattern.begin(), lowerPattern.end(), lowerPattern.begin(), ::tolower);
+    return lowerText.find(lowerPattern) != string::npos;
+}
+
+inline Maybe<string>
+extractValue(const string& line, const string& field) {
+    size_t colonPos = line.find(':');
+    if (colonPos == string::npos) {
+        return Maybe<string>(Error<string>("no match"));
+    }
+    string key = line.substr(0, colonPos);
+    string value = line.substr(colonPos + 1);
+    key.erase(0, key.find_first_not_of(" \t"));
+    key.erase(key.find_last_not_of(" \t") + 1);
+    value.erase(0, value.find_first_not_of(" \t"));
+    value.erase(value.find_last_not_of(" \t") + 1);
+    if (containsIgnoreCase(key, field)) {
+        return Maybe<string>(value);
+    }
+    return Maybe<string>(Error<string>("no match"));
+}
+
+inline std::pair<std::string, std::string>
+parseDmidecodeOutput(const std::string& dmidecodeOutput) {
+    string manufacturer;
+    string product;
+    istringstream stream(dmidecodeOutput);
+    string line;
+    while (getline(stream, line)) {
+        if (manufacturer.empty()) {
+            auto extractedManufacturer = extractValue(line, "Manufacturer");
+            if (extractedManufacturer.ok() && !extractedManufacturer->empty()) {
+                manufacturer = *extractedManufacturer;
+            }
+        }
+        if (product.empty()) {
+            auto extractedProduct = extractValue(line, "Product Name");
+            if (extractedProduct.ok() && !extractedProduct->empty()) {
+                product = *extractedProduct;
+            }
+        }
+        if (!manufacturer.empty() && !product.empty()) {
+            break;
+        }
+    }
+
+    return make_pair(manufacturer, product);
+}
+
+Maybe<string>
+getAiopCgnsHardwareType(const string &command_output)
+{
+    if (command_output == "" ) return string("NA");
+
+    auto pair = parseDmidecodeOutput(command_output);
+
+    if (containsIgnoreCase(pair.first, "Amazon")) {
+        return string("AWS");
+    }
+    if (containsIgnoreCase(pair.first, "Microsoft")) {
+        return string("Azure");
+    }
+    if (containsIgnoreCase(pair.first, "Google")) {
+        return string("Google Cloud");
+    }
+    if (containsIgnoreCase(pair.first, "Oracle")) {
+        return string("OCI");
+    }
+    if (containsIgnoreCase(pair.first, "Alibaba")) {
+        return string("Alibaba");
+    }
+    if (containsIgnoreCase(pair.second, "VMware")) {
+        return string("VMware");
+    }
+    if (containsIgnoreCase(pair.first, "OpenStack")) {
+        return string("OpenStack");
+    }
+
+    // Check for KVM (manufacturer OR product)
+    if (containsIgnoreCase(pair.first, "QEMU") || containsIgnoreCase(pair.second, "KVM")) {
+        return string("KVM");
+    }
+
+    if (containsIgnoreCase(pair.first, "Xen")) {
+        return string("Xen");
+    }
+    if (containsIgnoreCase(pair.first, "Nutanix")) {
+        return string("Nutanix");
+    }
+
+    return string("NA");
+}
+
+Maybe<string>
+getAiopsCgnsCloudVendor(const string &command_output)
+{
+    if (command_output == "" ) return string("NA");
+
+    string platform = "NA";
+    istringstream stream(command_output);
+    string line;
+    while (getline(stream, line)) {
+        if (line.find("platform") != string::npos) {
+            size_t colonPos = line.find(' ');
+            if (colonPos != string::npos) {
+                platform = line.substr(colonPos + 1);
+                platform.erase(0, platform.find_first_not_of(" \t"));
+                platform.erase(platform.find_last_not_of(" \t") + 1);
+                break;
+            }
+        }
+    }
+
+    return platform;
+}
+
 Maybe<string>
 getQUID(const string &command_output)
 {
@@ -158,11 +298,24 @@ getQUID(const string &command_output)
    return command_output;
 }

+// Handler for a comma-separated list of QUIDs
 Maybe<string>
-getIsAiopsRunning(const string &command_output)
+getQUIDList(const string &command_output)
 {
-    if (command_output == "" ) return string("false");
-    
+    if (command_output.empty()) {
+        return string("false");
+    }
+
+    std::istringstream ss(command_output);
+    std::string quid;
+
+    while (std::getline(ss, quid, ',')) {
+        const auto res = getQUID(quid);
+        if (!res.ok()) {
+            return res; // Return the error directly with context from getQUID
+        }
+    }
+
    return command_output;
 }

@@ -349,6 +502,15 @@ getGWIPAddress(const string &command_output)
    return getAttr(command_output, "IP Address was not found");
 }

+Maybe<string>
+getGWIPv6Address(const string &command_output)
+{
+    if (command_output.empty() || command_output == "null") {
+        return genError("IPv6 Address was not found");
+    }
+    return string(command_output);
+}
+
 Maybe<string>
 getGWVersion(const string &command_output)
 {
@@ -366,7 +528,7 @@ checkIfSdwanRunning(const string &command_output)
 Maybe<string>
 getClusterObjectIP(const string &command_output)
 {
-    return getAttr(command_output, "Cluster object IP was not found");
+    return command_output;
 }

 Maybe<string>
--- a/components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
+++ b/components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
@@ -46,27 +46,33 @@ SHELL_CMD_HANDLER("prerequisitesForHorizonTelemetry",
    "FS_PATH=<FILESYSTEM-PREFIX>; [ -f ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log ] "
    "&& head -1 ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log || echo ''",
    checkIsInstallHorizonTelemetrySucceeded)
-SHELL_CMD_HANDLER(
-    "IS_AIOPS_RUNNING",
-    "FS_PATH=<FILESYSTEM-PREFIX>; "
-    "PID=$(ps auxf | grep -v grep | grep -E ${FS_PATH}.*cp-nano-horizon-telemetry | awk -F' ' '{printf $2}'); "
-    "[ -z \"${PID}\" ] && echo 'false' || echo 'true'",
-    getIsAiopsRunning)
+SHELL_CMD_HANDLER("isCME", "[ -d /opt/CPcme ] && echo 'true' || echo 'false'", checkIsCME)
 #endif
 #if defined(gaia)
 SHELL_CMD_HANDLER("GLOBAL_QUID", "[ -d /opt/CPquid ] "
    "&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''",
    getQUID)
 SHELL_CMD_HANDLER("QUID", "FS_PATH=<FILESYSTEM-PREFIX>;"
-    "VS_ID=$(echo \"${FS_PATH}\" | grep -o -E \"vs[0-9]+\" | grep -o -E \"[0-9]+\");"
-    "[ -z \"${VS_ID}\" ] && "
-    "(python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo '');"
-    "[ -n \"${VS_ID}\" ] && "
-    "(sed \"s|###VS_ID###|${VS_ID}|g\" /opt/CPotelcol/quid_api/get_vs_quid.json"
-    " > /opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID}); "
-    "[ -n \"${VS_ID}\" ] && [ -f /opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} ] && "
-    "(python3 /opt/CPquid/Quid_Api.py -i "
-    "/opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} | jq -r .message[0].QUID || echo '');",
+    "IS_MDS=$(cpprod_util CPPROD_IsConfigured PROVIDER-1 2>/dev/null | tr -d ' ');"
+    "if [ \"${IS_MDS}\" = \"1\" ]; then "
+        "DOMAIN_NAME=$(echo \"${FS_PATH}\" | grep -o -E \"domain-[^/]+\" | sed 's|domain-||');"
+        "[ -z \"${DOMAIN_NAME}\" ] && echo '' && exit 0;"
+        "sed \"s|###DOMAIN_NAME###|${DOMAIN_NAME}|g\" /opt/CPotelcol/quid_api/get_mds_quid.json"
+        " > /opt/CPotelcol/quid_api/get_mds_quid.json.${DOMAIN_NAME};"
+        "[ -f /opt/CPotelcol/quid_api/get_mds_quid.json.${DOMAIN_NAME} ] && "
+        "python3 /opt/CPquid/Quid_Api.py -i "
+        "/opt/CPotelcol/quid_api/get_mds_quid.json.${DOMAIN_NAME} 2>/dev/null | jq -r .message[0].MDS_QUID || echo '';"
+    "else "
+        "VS_ID=$(echo \"${FS_PATH}\" | grep -o -E \"vs[0-9]+\" | grep -o -E \"[0-9]+\");"
+        "[ -z \"${VS_ID}\" ] && "
+        "(python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo '');"
+        "[ -n \"${VS_ID}\" ] && "
+        "(sed \"s|###VS_ID###|${VS_ID}|g\" /opt/CPotelcol/quid_api/get_vs_quid.json"
+        " > /opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID}); "
+        "[ -n \"${VS_ID}\" ] && [ -f /opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} ] && "
+        "(python3 /opt/CPquid/Quid_Api.py -i "
+        "/opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} | jq -r .message[0].QUID || echo '');"
+    "fi",
    getQUID)
 SHELL_CMD_HANDLER("SMO_QUID", "[ -d /opt/CPquid ] "
    "&& python3 /opt/CPquid/Quid_Api.py -i "
@@ -76,9 +82,21 @@ SHELL_CMD_HANDLER("MGMT_QUID", "[ -d /opt/CPquid ] "
    "&& python3 /opt/CPquid/Quid_Api.py -i "
    "/opt/CPotelcol/quid_api/get_mgmt_quid.json | jq -r .message[0].MGMT_QUID || echo ''",
    getQUID)
+SHELL_CMD_HANDLER("MHO_QUID",
+    "[ -d /opt/CPquid ] && "
+    "python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_mho_quid.json 2>/dev/null | "
+    "jq -r '[.message[]? | select(.MHO_QUID != \"\") | .MHO_QUID] | join(\",\")' 2>/dev/null || "
+    "echo ''",
+    getQUIDList)
 SHELL_CMD_HANDLER("AIOPS_AGENT_ROLE", "[ -d /opt/CPOtlpAgent/custom_scripts ] "
    "&& ENV_NO_FORMAT=1 /opt/CPOtlpAgent/custom_scripts/agent_role.sh",
    getOtlpAgentGaiaOsRole)
+SHELL_CMD_HANDLER("AIOPS_CGNS_HW_TYPE", ""
+    "command -v dmidecode &>/dev/null && dmidecode -t 1 2>/dev/null",
+    getAiopCgnsHardwareType)
+SHELL_CMD_HANDLER("AIOPS_CGNS_CLOUD_VENDOR",
+    "cat /etc/cloud-version 2>/dev/null",
+    getAiopsCgnsCloudVendor)
 SHELL_CMD_HANDLER("ETH_MGMT_IP",
    "FS_PATH=<FILESYSTEM-PREFIX>;"
    "VS_ID=$(echo \"${FS_PATH}\" | grep -o -E \"vs[0-9]+\" | grep -o -E \"[0-9]+\");"
@@ -104,7 +122,12 @@ SHELL_CMD_HANDLER("MGMT_QUID", "echo ''", getQUID)
 SHELL_CMD_HANDLER("AIOPS_AGENT_ROLE", "echo 'SMB'", getOtlpAgentGaiaOsRole)
 #endif
 #if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
-SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan)
+SHELL_CMD_HANDLER(
+    "hasSDWan",
+    "[ $(cpprod_util CPPROD_IsMgmtMachine) -eq 1 ] && echo '0' ||"
+    "([ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0')",
+    checkHasSDWan
+)
 SHELL_CMD_HANDLER(
    "canUpdateSDWanData",
    "jq -r .can_update_sdwan_data /tmp/cpsdwan_getdata_orch.json",
@@ -131,10 +154,11 @@ SHELL_CMD_HANDLER(
 )
 SHELL_CMD_HANDLER(
    "cpProductIntegrationMgmtParentObjectIP",
-    "obj=\"$(jq -r .cluster_name /tmp/cpsdwan_getdata_orch.json)\";"
+    "[ $(cpprod_util FwIsHighAvail) -eq 1 ] && "
+    "(obj=\"$(jq -r .cluster_name /tmp/cpsdwan_getdata_orch.json)\";"
    " awk -v obj=\"$obj\" '$1 == \":\" && $2 == \"(\" obj, $1 == \":ip_address\" { if ($1 == \":ip_address\")"
    " { gsub(/[()]/, \"\", $2); print $2; exit; } }'"
-    " $FWDIR/state/local/FW1/local.gateway_cluster",
+    " $FWDIR/state/local/FW1/local.gateway_cluster) || echo \"\"",
    getClusterObjectIP
 )
 SHELL_CMD_HANDLER(
@@ -146,7 +170,16 @@ SHELL_CMD_HANDLER("is_legacy_qos_blade_enabled",
    "cpprod_util CPPROD_GetValue FG1 ProdActive 1 | grep -q '^1$' "
    "&& (cpprod_util CPPROD_GetValue FG1 FgSDWAN 1 | grep -q '^1$' && echo false || echo true) || "
    "echo false",
-    checkQosLegacyBlade)
+    checkQosLegacyBlade
+)
+SHELL_CMD_HANDLER(
+    "IPv6 Address",
+    "( [ $(cpprod_util FwIsHighAvail) -eq 1 ] && [ $(cpprod_util FwIsVSX) -eq 1 ]"
+    "&& (jq -r .cluster_main_ipv6 /tmp/cpsdwan_getdata_orch.json) )"
+    "|| ( [ $(cpprod_util FWisDAG) -eq 1 ] && echo \"Dynamic Address\" )"
+    "|| (jq -r .main_ipv6 /tmp/cpsdwan_getdata_orch.json)",
+    getGWIPv6Address
+)
 #endif //gaia || smb

 #if defined(gaia)
@@ -154,6 +187,10 @@ SHELL_CMD_HANDLER("hasSAMLSupportedBlade", "enabled_blades", checkSAMLSupportedB
 SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade)
 SHELL_CMD_HANDLER("hasVPNBlade", "enabled_blades", checkVPNBlade)
 SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal)
+SHELL_CMD_HANDLER("hasIdaPdpEnabled",
+    "cat $FWDIR/database/myself_objects.C | grep is_collecting_identities",
+    checkIdaPDP
+)
 SHELL_CMD_HANDLER("hasInfinityIdentityEnabled",
    "cat $FWDIR/database/myself_objects.C | grep get_identities_from_infinity_identity",
    checkInfinityIdentityEnabled
--- a/components/security_apps/orchestration/health_check/health_check.cc
+++ b/components/security_apps/orchestration/health_check/health_check.cc
@@ -154,7 +154,8 @@ private:
        static const map<string, pair<string, int>> ip_port_defaults_map = {
            {"Azure", make_pair(getenv("DOCKER_RPM_ENABLED") ? "" : "168.63.129.16", 8117)},
            {"Aws", make_pair("", 8117)},
-            {"Local", make_pair("", 8117)}
+            {"Local", make_pair("", 8117)},
+            {"VMware", make_pair("", 8117)}
        };

        auto cloud_vendor_maybe = getSetting<string>("reverseProxy", "cloudVendorName");
@@ -271,6 +272,12 @@ private:
            return HealthCheckStatus::UNHEALTHY;
        }

+        if (checkReadinessFilesExist()) {
+            dbgTrace(D_HEALTH_CHECK)
+                << "Readiness file exists, instance not ready for traffic, returning unhealthy status";
+            return HealthCheckStatus::UNHEALTHY;
+        }
+
        if (NGEN::Filesystem::exists(rpm_full_load_path)) {
            dbgTrace(D_HEALTH_CHECK) << "RPM is fully loaded";
            return i_service_controller->getServicesPolicyStatus()
@@ -289,6 +296,24 @@ private:
        return HealthCheckStatus::UNHEALTHY;
    }

+    bool
+    checkReadinessFilesExist()
+    {
+        string readiness_dir = readiness_file_path.substr(0, readiness_file_path.find_last_of('/'));
+        string readiness_filename = NGEN::Filesystem::getFileName(readiness_file_path);
+
+        auto directory_files = NGEN::Filesystem::getDirectoryFiles(readiness_dir);
+        if (!directory_files.ok()) return false;
+
+        for (const string& filename : directory_files.unpack()) {
+            if (NGEN::Strings::startsWith(filename, readiness_filename)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
    bool
    nginxContainerIsRunning()
    {
@@ -304,7 +329,19 @@ private:
            return false;
        }

-        return (*maybe_result).find(nginx_container_name) != string::npos;
+        bool container_running = (*maybe_result).find(nginx_container_name) != string::npos;
+        if (!container_running) {
+            dbgTrace(D_HEALTH_CHECK) << "Nginx container is not running";
+            return false;
+        }
+
+        if (checkReadinessFilesExist()) {
+            dbgTrace(D_HEALTH_CHECK) << "Readiness file exists on host machine, not ready for traffic";
+            return false;
+        }
+
+        dbgTrace(D_HEALTH_CHECK) << "Nginx container is running and no readiness files found - ready for traffic";
+        return true;
    }

    void
--- a/components/security_apps/orchestration/manifest_controller/manifest_diff_calculator.cc
+++ b/components/security_apps/orchestration/manifest_controller/manifest_diff_calculator.cc
@@ -158,6 +158,12 @@ ManifestDiffCalculator::buildInstallationQueue(
        installation_queue.push_back(orchestration_it->second);
    }

+    auto shared_libs_it = new_packages.find("sharedLibs");
+    if (shared_libs_it != new_packages.end()) {
+        installation_queue.push_back(shared_libs_it->second);
+    }
+
+
    auto wlp_standalone_it = new_packages.find("wlpStandalone");
    if (wlp_standalone_it != new_packages.end()){
        installation_queue.push_back(wlp_standalone_it->second);
--- a/components/security_apps/orchestration/orchestration_comp.cc
+++ b/components/security_apps/orchestration/orchestration_comp.cc
@@ -1535,6 +1535,11 @@ private:
        if (i_details_resolver->compareCheckpointVersion(8200, greater_equal<int>())) {
            agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER82", "true");
        }
+        if (i_details_resolver->compareCheckpointVersion(8200, equal_to<int>())) {
+            agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionR82", "true");
+        } else {
+            agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionR82", "false");
+        }
 #endif // gaia || smb

        if (agent_data_report == curr_agent_data_report) {
@@ -2278,4 +2283,4 @@ OrchestrationComp::preload()
    registerExpectedSetting<uint>("successUpgradeInterval");
    registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
    registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
-}
+}