nmelay2
Contributor

Firmware update warning with R81.20 upgrade on Azure

Hi all,

I need to update a customer's Azure-hosted management and log servers from R81.10 to R81.20.
Following R81.20 documentation, I went the in-place upgrade path, as per sk177714.
(For some reason, the regular CPUSE upgrade packages do not show up on Azure VMs, and you need to use specific packages from this SK).
Everything looked fine but then Verify Update gave me a very confusing message:

Based on a system check, a firmware update may be necessary on one or more network cards to bring them up to date with the current Gaia network drivers. This update is a one-time process which could take several minutes, and is executed after Gaia OS upgrade is finished and has rebooted post-upgrade. After the firmware update is complete, the system will automatically reboot once more to apply the new firmware. Please do not reboot or shut the system down during this time.

The need for a firmware update on an Azure VM is rather unexpected.
However, I learned Azure VMs do indeed run on hardware with Mellanox NICs, as do CP appliances, and part of the real NIC is actually exposed to the VM.
https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-how-it-works

Did you guys run into this?
Can we fearlessly go on with the upgrade in this situation?
I wouldn't want the upgrade process to fail trying to flash a new NIC firmware, and either just crash here or enter an endless reboot loop...

And before anyone asks, yes I'm also running this through TAC.
I'm just looking for insight from fellow admins with hands-on experience with this use case.

0 Kudos
10 Replies
Don_Paterson
Advisor

I haven't seen it, but am curious to know if you considered deploying a new R81.20 SMS (followed by an import)?

You would get the latest R81.20 marketplace image/template.

It is just out of curiosity that I ask, with no knowledge of the specific deployment or requirements, including logging, which may be one reason why you want to do the in-place upgrade.

Regards,

Don

0 Kudos
nmelay2
Contributor

That's what we did for previous upgrades, but going through all of this seemed unnecessarily painful.

Deploying a new SMS does come with the benefit of the new properly aligned disk layout though, so I'm still considering it.

Don_Paterson
Advisor

ACK
Too soon for R82 😉

the_rock
Legend

Way too soon 🙂

0 Kudos
Don_Paterson
Advisor

This time is different 😉

But seriously, with an EA that lasted nearly a year, it could be something to consider.

Obviously carefully considering all the factors!

0 Kudos
nmelay2
Contributor

I'm not sure why you're bringing R82 here.

AFAICT, Check Point has been really good with the quality of GA releases since R80.40, but I still wouldn't adopt it so soon without a very strong customer requirement to do so.

the_rock
Legend

It probably won't be recommended until summer 2025...just my educated guess.

Andy

0 Kudos
JozkoMrkvicka
Authority

My wild guess is that very soon we will get the first JHF for R82 and until CPX there will be a JHF Take around 30 which will be considered as "stable" and thus R82 will be recommended during/after CPX 😉

R81.20 was released 21.11.2022 and marked as recommended 27.7.2023.

Kind regards,
Jozko Mrkvicka
the_rock
Legend

Let's see 😉

Andy

0 Kudos
Don_Paterson
Advisor

Just in case it helps:

I see that someone else had this situation last year, but on physical appliances.

https://community.checkpoint.com/t5/Security-Gateways/Enterprise-appliance-upgrade-to-R81-20/m-p/190...