
R80.40 Addendum for "Max Power 2020" Now Available!

Hi Everyone,

At long last the R80.40 addendum for my book "Max Power 2020: Check Point Firewall Performance Optimization" is available for free download at http://www.maxpowerfirewalls.com.  30+ pages of updates for version R80.40, along with new tips and tricks for getting the most out of your firewall!

I'd like to thank Check Point R&D, @_Val_ , @PhoneBoy, and @Robert_Elliott for reviewing portions of the addendum to ensure accuracy and completeness.  Thanks and enjoy!

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
10 Replies

Hi @Timothy_Hall,

It is a very helpful and interesting book. 👍
I can recommend it to everyone.

Thanks
Heiko


Thanks for all your efforts keeping the book up-to-date. 👍


The addendum has been out just 2 days and already needs an update, sigh...

Note that the long-term fix for the TLS parser being inappropriately invoked with certain blade combinations has just been fixed in R80.40 Jumbo HFA Take 78+; this was referenced in the update for p. 239 of the book in the addendum.  This fix is also going to be backported into R80.20 and R80.30 Jumbo HFAs as well.  It is always preferable to have this fix present if possible rather than manually tampering with the state of the TLS parser, as doing so can cause further problems.


Just an update from @Guy_Israeli: the license enforcement on open hardware for virtual cores with SMT enabled is not currently active, but will be enforced in the near future.  Note that this could lead to a situation where the extra cores created by enabling SMT on open hardware are initially allowed to be used, but then they suddenly aren't allowed after a code upgrade or Jumbo HFA application.

https://community.checkpoint.com/t5/VSX/R80-40-VSX-VSLS-JHF-Take-77-on-Openservers-has-Multi-Queue-a...


License enforcement for SMT cores on open hardware is planned to resume in version R81.10:

https://community.checkpoint.com/t5/VSX/R80-40-VSX-VSLS-JHF-Take-77-on-Openservers-has-Multi-Queue-a...

 


Update: the fix for the TLS parser issue mentioned in the p. 239 addendum note has been integrated into the R80.30 Jumbo HotFix - Ongoing Take 219 (13 September 2020) and Jumbo_Hotfix_Accumulator_for_R80.20 starting from take 183.   See sk166700: High CPU after upgrade from R77.x to R80.x when running only Firewall and Monitoring blade....


p. 332: IPSec VPN traffic utilizing the SHA-384 algorithm can now be accelerated by SecureXL in R80.30 Jumbo HFA 221+.  See sk168336: VPN traffic (after encryption) is not visible via tcpdump and does not arrive at the remot...


@Timothy_Hall 

Thanks for the ongoing effort and creating great materials.

Can't stress enough how necessary this book is if you are into Check Point.

 

____________
https://www.linkedin.com/in/federicomeiners/

p. 221: If possible, do not set an R80.40 firewall's management interface to a NIC that is carrying a heavy amount of production traffic, to avoid possible frame loss (RX-DRP as shown by the command netstat -ni) caused by the lack of Multi-Queue on that interface. If the management interface has been changed from a busy production interface and Multi-Queue is still not active on that busy interface (use the expert mode mq_mng -o -vv command to check this), see this SK: sk167200: Multi-queue state is "off" when changing the management interface.  It appears that the restriction blocking the activation of Multi-Queue on the firewall's management interface has been lifted in R81.

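An added example, not part of the post above or of the book: a shell function that reads netstat -ni output and lists interfaces whose RX-DRP count exceeds a given percentage of RX-OK, which is one way to spot the frame loss the p. 221 note describes. The function names, the 0.1% default threshold and the sample counters are assumptions of this example; it does not inspect Multi-Queue state.

```shell
#!/bin/sh
# Added example. Flags interfaces whose RX-DRP exceeds a percentage of RX-OK.
# On a gateway (expert mode):  netstat -ni | rx_drp_report 0.1

# rx_drp_report [threshold_pct]
# Reads `netstat -ni` output on stdin and prints one line per flagged
# interface: "<iface> <RX-OK> <RX-DRP> <drop percentage>".
# The 0.1 default is an assumption of this example, not a value from the page.
rx_drp_report() {
    threshold_pct="${1:-0.1}"
    awk -v thr="$threshold_pct" '
        # Header row: map column names to positions, so layouts with or
        # without the "Met" column are both handled.
        $1 == "Iface" {
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        # Ignore lines seen before a usable header (e.g. the table title).
        !("RX-OK" in col) || !("RX-DRP" in col) { next }
        {
            ok  = $(col["RX-OK"])
            drp = $(col["RX-DRP"])
            # Skip rows with non-numeric counters or no received frames.
            if (ok !~ /^[0-9]+$/ || drp !~ /^[0-9]+$/ || ok == 0) next
            pct = 100 * drp / ok
            if (pct > thr) printf "%s %s %s %.3f\n", $1, ok, drp, pct
        }
    '
}

# Constructed sample output (not captured from a real firewall).
sample_netstat() {
    cat <<'EOF'
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  9000000      0  45000      0  8000000      0      0      0 BMRU
eth1       1500   0  5000000      0    100      0  4000000      0      0      0 BMRU
lo        65536   0    12000      0      0      0    12000      0      0      0 LRU
EOF
}

# Demo on the constructed sample: only eth0 (0.5% drops) is reported.
sample_netstat | rx_drp_report
```

The counters are cumulative since boot, so compare two readings taken some time apart before concluding that drops are still occurring.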

Be aware that enabling "Wire Mode" will cause all VPN traffic to go F2F 100% of the time: https://community.checkpoint.com/t5/General-Topics/SecureXL-100-F2Fed-80-30/m-p/95704

 
