nmelay2
Contributor

Firmware update warning with R81.20 upgrade on Azure

Hi all,

I need to update a customer's Azure-hosted management and log servers from R81.10 to R81.20.
Following the R81.20 documentation, I went down the in-place upgrade path, as per sk177714.
(For some reason, the regular CPUSE upgrade packages do not show up on Azure VMs, and you need to use specific packages from this SK).
Everything looked fine but then Verify Update gave me a very confusing message:

Based on a system check, a firmware update may be necessary on one or more network cards to bring them up to date with the current Gaia network drivers. This update is a one-time process which could take several minutes, and is executed after Gaia OS upgrade is finished and has rebooted post-upgrade. After the firmware update is complete, the system will automatically reboot once more to apply the new firmware. Please do not reboot or shut the system down during this time.

The need for a firmware update on an Azure VM is rather unexpected.
However, I learned that Azure VMs do indeed run on hardware with Mellanox NICs, as do CP appliances, and part of the real NIC is actually exposed to the VM.
https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-how-it-works

Did you guys run into this?
Can we fearlessly go on with the upgrade in this situation?
I wouldn't want the upgrade process to fail trying to flash a new NIC firmware, and either just crash here or enter an endless reboot loop...

And before anyone asks, yes I'm also running this through TAC.
I'm just looking for insight from fellow admins with hands-on experience with this use case.

0 Kudos
31 Replies
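A pre-upgrade check a practitioner could run before following sk177714, as an added example that is not part of the original post or of Check Point's tooling: it records each interface's driver and firmware version from `ethtool -i` (assumed to be available on Gaia), flags interfaces bound to a Mellanox VF driver (the kind Azure Accelerated Networking exposes alongside the `hv_netvsc` synthetic NIC), and saves a JSON baseline so the post-upgrade state can be compared against it. The driver-name sets, the interface names and the sample `ethtool` output are constructed assumptions, not values from any real host.

```python
#!/usr/bin/env python3
"""Inventory NIC driver/firmware versions before and after a Gaia upgrade.

Added example (not from the thread or from Check Point). Assumes `ethtool`
is on PATH when run against a live host; the parser can also be fed saved
output. The driver-name sets are assumptions about common driver names.
"""
import json
import os
import subprocess
import sys

# Assumed driver names: Mellanox ConnectX virtual functions and the
# Hyper-V synthetic NIC that Azure pairs them with.
MELLANOX_DRIVERS = {"mlx4_core", "mlx4_en", "mlx5_core", "mlx5_en"}
HYPERV_SYNTHETIC = {"hv_netvsc"}


def parse_ethtool_i(text):
    """Parse `ethtool -i <iface>` output into a dict of key -> value."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def classify(info):
    """Label an interface by the kind of device its driver implies."""
    driver = info.get("driver", "")
    if driver in MELLANOX_DRIVERS:
        return "mellanox-vf"        # real NIC hardware exposed to the VM
    if driver in HYPERV_SYNTHETIC:
        return "hyperv-synthetic"   # paravirtual path, nothing to flash
    return "other"


def summarize(text):
    """Reduce one interface's ethtool output to the fields worth baselining."""
    info = parse_ethtool_i(text)
    return {
        "driver": info.get("driver", ""),
        "firmware": info.get("firmware-version", ""),
        "kind": classify(info),
    }


def run_ethtool(iface):
    """Call the real ethtool binary (used only on a live host)."""
    proc = subprocess.run(["ethtool", "-i", iface],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def inventory(interfaces=None, run=run_ethtool):
    """Return {iface: summary} for every interface (or for the given list).

    `run` is injectable so the logic can be exercised without ethtool.
    """
    if interfaces is None:
        interfaces = [i for i in sorted(os.listdir("/sys/class/net")) if i != "lo"]
    return {iface: summarize(run(iface)) for iface in interfaces}


def diff_inventory(before, after):
    """List (iface, before, after) for interfaces whose summary changed."""
    changed = []
    for iface in sorted(set(before) | set(after)):
        if before.get(iface) != after.get(iface):
            changed.append((iface, before.get(iface), after.get(iface)))
    return changed


# Constructed sample output in the shape `ethtool -i` prints; the interface
# names, versions and bus address are made up for the stand-alone demo.
SAMPLE_ETHTOOL = {
    "eth0": "driver: hv_netvsc\nversion: 5.10\nfirmware-version: N/A\nbus-info: \n",
    "enP1s1": ("driver: mlx5_core\nversion: 5.0-0\n"
               "firmware-version: 14.25.1020 (MT_0000000012)\nbus-info: 0002:00:02.0\n"),
}


if __name__ == "__main__":
    # Usage: nic_inventory.py save <file>      (before the upgrade)
    #        nic_inventory.py compare <file>   (after the upgrade)
    #        nic_inventory.py demo             (uses the constructed samples)
    mode = sys.argv[1] if len(sys.argv) > 1 else "demo"
    if mode == "demo":
        inv = inventory(list(SAMPLE_ETHTOOL), SAMPLE_ETHTOOL.__getitem__)
        print(json.dumps(inv, indent=2))
    elif mode == "save":
        with open(sys.argv[2], "w") as fh:
            json.dump(inventory(), fh, indent=2)
    elif mode == "compare":
        with open(sys.argv[2]) as fh:
            before = json.load(fh)
        for iface, b, a in diff_inventory(before, inventory()):
            print(f"{iface}: {b} -> {a}")
```

Interfaces reported as `mellanox-vf` are the ones the Verify Update message is about; keeping the saved baseline next to the upgrade ticket gives you something concrete to show TAC if the firmware string (or the interface's presence) changes after the post-upgrade reboots.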
Don_Paterson
Advisor

I haven't seen it, but am curious to know if you considered deploying a new R81.20 SMS (followed by an import)?

You would get the latest R81.20 marketplace image/template.

It is just out of curiosity that I ask, with no knowledge of the specific deployment or requirements, including logging, which may be one reason why you want to do the in-place upgrade.

Regards,

Don
0 Kudos
nmelay2
Contributor

That's what we did for previous upgrades, but going through all of this seemed unnecessarily painful.

Deploying a new SMS does come with the benefit of the new properly aligned disk layout though, so I'm still considering it.

Don_Paterson
Advisor

ACK
Too soon for R82 😉

(1)
the_rock
Legend

Way too soon 🙂

0 Kudos
Don_Paterson
Advisor

This time is different 😉

But seriously, with an EA that lasted nearly a year, it could be something to consider.

Obviously carefully considering all the factors!

0 Kudos
nmelay2
Contributor

I'm not sure why you're bringing R82 here.

AFAICT, Check Point has been really good with the quality of GA releases since R80.40, but I still wouldn't adopt it so soon without a very strong customer requirement to do so.

the_rock
Legend

It probably won't be recommended until summer 2025... just my educated guess.

Andy

0 Kudos
JozkoMrkvicka
Authority

My wild guess is that very soon we will get the first JHF for R82, and until CPX there will be a JHF Take around 30 which will be considered "stable", and thus R82 will be recommended during/after CPX 😉

R81.20 was released 21.11.2022 and marked as recommended 27.7.2023.

Kind regards,
Jozko Mrkvicka
the_rock
Legend

Let's see 😉

Andy

0 Kudos
Alex-
Leader

We got the notification our Smart-1 Cloud SMS is planned for upgrade in December. 

We will then be able to test management with R82 Take 0 if no JHF comes in and gets Recommended in such a short timeframe, let's hope it will sail smoothly. 😀

(1)
Don_Paterson
Advisor

Just in case it helps:

I see that someone else had this situation last year, but on physical appliances.

https://community.checkpoint.com/t5/Security-Gateways/Enterprise-appliance-upgrade-to-R81-20/m-p/190...
(1)
nmelay2
Contributor

Yeah, on real hardware, this warning actually makes sense.
But on a VM running on hardware owned by Microsoft, there's no way Check Point will be able to flash its own firmware.
So it's going to fail, either smoothly or badly.

The lack of feedback here and from TAC seems to indicate not that many customers actually do in-place upgrades on Azure VMs... while it seems to be the currently recommended upgrade path.
I indeed did not know until recently this was even an option.

the_rock
Legend

Keep in mind that up until one point in 2023, it was only possible to do an in-place upgrade on the mgmt server in Azure, I believe, not gateways. Now it's possible on both, but I do agree with you, documentation about this could be better.

This is the official SK about it.

Andy

https://support.checkpoint.com/results/sk/sk177714
0 Kudos
nmelay2
Contributor

Andy...

This thread is specifically about upgrading mgmt and log servers, and I mentioned sk177714 in the first two lines of my first post.
So, yeah, I'm keeping that in mind.

0 Kudos
the_rock
Legend

Fair enough. I used that same process a few times and never had an issue. What did TAC say?

0 Kudos
nmelay2
Contributor

Nothing so far, they're still asking for unrelated logs instead of answering my very simple "is this a known issue?" question.
But the case has only been running for 5 days, lol.
I'll keep you updated next month. 😉

the_rock
Legend

For what it's worth, I will answer it myself, haha. No, I don't believe it's a known issue, at least from my experience, but it would help to get an official statement from the vendor.

Yes, keep us posted mate 🙂

Andy

0 Kudos
Don_Paterson
Advisor

It's about 10 years since vSec/CloudGuard became available in Azure and upgrading has only been supported in the last couple.

Destroy and redeploy was repeated over and over...

It gets interesting when you compare management pricing for on-prem vs public cloud vs MaaS Smart-1 Cloud.

Apart from Regulations (restrictions) and log retention requirements it is easy to see the attraction to cloud (and maybe Smart-1 Cloud specifically, for management).

With no Regulatory requirements and budget for extra log retention Smart-1 Cloud looks attractive.

Painful to say that because I am old school and like physical on-prem.

"The Cloud" makes things more difficult way too often.
0 Kudos
the_rock
Legend

I guess like anything in life, we have to adapt 🙂

Andy

0 Kudos
Don_Paterson
Advisor

I also wonder about the number of SMS deployments in public cloud.

The 'Check Point Reference Architecture for Azure' SK does not actually state that the PAYG license is an SM25.

It does not seem to be documented anywhere.

I put some feedback in for the SK.

https://support.checkpoint.com/results/sk/sk109360

It seems like it would be documented if there were more enquiries and they needed to clarify in the SK.

Otherwise, we have to assume that there is a lot of BYOL or few deployments of SMS in Azure.

0 Kudos
nmelay2
Contributor

This customer moved its infrastructure from datacenters to Azure (for better or for worse).
I assume many went the same path, and indeed brought in their own license.

0 Kudos
the_rock
Legend

Every customer I know that did this went with BYOL approach.

0 Kudos
Don_Paterson
Advisor

Did you see Smart-1 Cloud adoption based on cost analysis?

Meaning that on-prem and BYOL was abandoned because of Smart-1 Cloud cost and MaaS benefits (no upgrade burdens and Support included in the price).

The Cloud First approach is common and now Smart-1 Cloud is recommended for CloudGuard SGs deployed in CSPs.

Obviously that is a general recommendation and customer owned management is still valid.

0 Kudos
the_rock
Legend

Personally, I always recommend the S1C approach these days, because of one important thing: if there is a need for an emergency change, anyone who has access can do it from anywhere in the world. But you are 100% correct, customer-owned management is still valid, but most things are shifting towards a cloud-based approach and I'm totally on board with that.

Andy

Don_Paterson
Advisor

The illiterate of the 21st century will not be those who cannot read and write but those who cannot learn, unlearn and relearn. 

0 Kudos
the_rock
Legend

Ah...anyone can learn most things, as long as they put genuine effort into it. Just my honest opinion.

Andy

0 Kudos
nmelay2
Contributor

For this customer, Smart-1 Cloud had too many limitations by then (authentication, IA, too slow, ...)

the_rock
Legend

I find it's gotten way, way better since 2020, when it was fairly new.

Andy

0 Kudos
nmelay2
Contributor

I only started using it like 2.5 years ago, but it's still much more painful to work with than a plain management.
I hate waiting for my logs to finally pop up there when I'm diagnosing some issue, vs almost real time on a real mgmt.
Many Check Point procedures still require local access to the management, and the need to go through TAC for this...
Effed-up IP address reverse lookups also suck.

0 Kudos