topic Re: Patching a Force 19000 security gateway in Firewall and Security Management

Patching a Force 19000 security gateway

Alex- — Wed, 26 Mar 2025 13:32:24 GMT

The new 19000 Quantum Force are shipped with R81.20 Build 722.

When trying to patch them to Take 98, the verifier discourages us to do so as it might lead to system instability unless we go first to Take 24.

R81.20 Take 24 is not compatible with R81.20 build 722.

sk180520 seems to point out that Take 65 is the minimum supported for 19K and 29K series, so that could be the verifier not taking the build and platform into account.

Our understanding that we should patch to Take 65 then Take 98, but we have an SR open being checked internally to clear up any doubt and proceed the right way. The verifier specially states Take 24, not Take 24 or above.

For information for anyone facing the same scenario, or who already successfully upgraded these devices and could confirm.

Re: Patching a Force 19000 security gateway

Timothy_Hall — Thu, 27 Mar 2025 02:52:35 GMT

You will need to wait for resolution for your SR. There were a variety of problems with R81.20 Jumbo HFA Take 96/98 and Quantum Force appliances (9000/19000/29000) due to the fact they utilize UPPAK: sk183181: SecureXL in the User Mode (UPPAK) may have compatibility issues with R81.20 Jumbo Hotfix Take 96 and Take 98

Re: Patching a Force 19000 security gateway

the_rock — Thu, 27 Mar 2025 02:59:18 GMT

We had couple cases recently about VPN issues after jumbo 89 and 92 install and TAC recommended take 99, though not recommended, but appears lots of issues resolved in it. If you try verify jumbo 99, does it complain?

Andy

Re: Patching a Force 19000 security gateway

Alex- — Thu, 27 Mar 2025 09:52:58 GMT

@the_rock @Timothy_Hall

I will wait for TAC to confirm the approach for stability and performance. These are Maestro appliances and run KPPAK out of the box.

Re: Patching a Force 19000 security gateway

the_rock — Thu, 27 Mar 2025 10:54:21 GMT

Good idea @Alex-

Re: Patching a Force 19000 security gateway

Timothy_Hall — Thu, 27 Mar 2025 12:14:11 GMT

Ah Maestro would explain why these gateways are still in KPPAK mode although Maestro appliances are supposed to support UPPAK & Lightspeed cards starting in R81.20 Jumbo HFA 89+ and in R82+.

Re: Patching a Force 19000 security gateway

emmap — Fri, 28 Mar 2025 03:32:42 GMT

The issue referred to by the verifier only occurs if you uninstall the JHF. If you're not planning on uninstalling it, you can ignore the warning. There is more information in the 'Important Notes' part of the JHF documentation.

Take 99 resolves the main issues with take 98 on Maestro as far as I know so it's probably better to go straight to that one.

Re: Patching a Force 19000 security gateway

AkosBakos — Fri, 28 Mar 2025 12:30:57 GMT

We have MAESTRO with R81.20 take 98 and a portfix on the top. (fw1_wrapper_HOTFIX_R81_20_JHF_T98_249_MAIN_GA_FULL.tar)

Re: Patching a Force 19000 security gateway

Alex- — Wed, 16 Apr 2025 15:38:31 GMT

The SR is still being investigated but that Security Group needs to go online so I went again through eh SK and did the following:

- Upgrade SG members to Take 65: No warnings, success

- Upgrade SG members to Take 99: No warnings, success

The SG is now back online, still in KPPAK. SK179432 explains KPPAK is the default mode with SG19200 in Maestro, so this needs to be changed manually. Since this is VSX on top and a rather complex deployment, I'd believe keeping the default KPPAK would be the safe option now, unless there are compelling arguments to enable UPPAK before this system goes live this week.

UPPAK still has some limitations also, which could be relevant in this deployment.

Re: Patching a Force 19000 security gateway

Jan_Kleinhans — Wed, 16 Apr 2025 13:35:40 GMT

We have many issues with UPPAK and VSX on 19200 (without Maestro). At the moment we are running in KPPAK. TAC cases are open since months. RnD is searching for solutions. I would recomend staying at KPPAK for the moment.

Re: Patching a Force 19000 security gateway

Alex- — Wed, 16 Apr 2025 13:51:28 GMT

That was our perspective as well, thanks for sharing your insights.

Re: Patching a Force 19000 security gateway

Alex- — Tue, 29 Apr 2025 17:13:38 GMT

19200 Maestro with R81.20 Build 722:

--> Patch to Take 65

--> Patch to Take 99

Security groups work. I've noticed other attention points which will be shared in dedicated posts.