Why wouldn't this be done for each HFA release?  As the steward of the source code, we're reliant on Check Point to provide the latest images unless Check Point provides a tool to custom bake the HFA's into a deployable image.  I'm not expecting Check Point to provide images for all patches, but I AM expecting to see images for each "Recommended" HFA.

And, from my lab, here are the **bleep** image sizes, the First being the image directly from Check Point, the second R81.20 Gateway only, not you managed by the multi-domain manager, all I did was update to the latest HFA (Take 41)

-rw-r----- 1 root kvm 4589092864 Jan 4 21:12 CheckPointR81-20-GW.qcow2
-rw-r----- 1 root kvm 15321792512 Jan 8 14:35 ncflabcpfw0002.qcow2

I know we provide Blink images that include the most recent recommended release: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20_Downloads.htm?tocpath=_____3
We also update the images in the public cloud providers (AWS, etc).
However, I believe we only distribute a qcow for the base version. 

Is the expectation then, that those of us doing Private Cloud infrastructure (VMWare or KVM) would have to figure out our own mechanism for keeping images current?  

For private cloud deployments I just can see that as feasible.

As things are now,  private cloud using KVM would require a base image deployment followed immediately by an HFA installation taking the time to deliver a new cluster from less than 1 minutes to 10-20 minutes, with the added bagging of the disk bloat from the upgrade process.

Am I missing something or is private cloud automation/deployment that much behind the public cloud provider process?

Personally, I noticed every image I deployed in the cloud ALWAYS contained whatever recommended jumbo was at the time of the installation...just my own experience.

Best,

Andy

@the_rock Are you deploying in Public Cloud or Private Cloud?  Based on my reading of this thread, the public cloud (AWS, Azure, GCP) get the HFAs rolled in, but not the private cloud (qcow2) images.

Mostly public, but only once in private and it had updated jumbo (maybe just luck, no clue lol)

Best,

Andy

I haven't asked, but that appears to be the case at present.
I see two places where you might have an issue with this process:

• Time to deploy. This, I believe, could be mitigated by creating your own image (take base image, apply JHF via CPUSE before you run First Time Wizard).
• Size of the resulting image. It's a bit bigger because it includes the CPUSE overhead, which wouldn't be there with a fresh install.

Will have to ask around and see if there's a better way to do this.

If you try to install a jumbo before completing the first-time wizard, CPUSE definitely complains at you. I'm not sure how safe an option that is.

Totally agree with that.

Has there been any feedback from the Check Point team on how this might be addressed?  I've raised the issue with my account team and they are as perplexed as I regarding not having "current" private cloud images available.

I'd image the images are generated programmatically, just add one more output of KVM to make available via Check Point download site.

Hope there are some discussions about this at CPX.

Definitely valid point you made @AlJo 

Best,

Andy