Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Nickel

R80.30 Vs R80.40 on MDS

Hello

 

What's the recommendation on R80.30 vs 80.40 on MDS?

Featurewise, i would like to go to R80.40 especially for revert to revision. 

In the current environment we have R80.20 with the latest take. 

Any stability issue or any known hurdles upgrading from R80.20 to R80.40?

 

 

Regards

Alex

0 Kudos
8 Replies
Highlighted

Re: R80.30 Vs R80.40 on MDS

R80.40 is GA but has not been declared the "default recommended release" as of now, also there is no GA Jumbo HFA for R80.40 yet although there is an ongoing take.  That being said assuming you take a snapshot first, upgrading your SMS to a new release like R80.40 is fairly low risk.  Make sure your current R80.20 SMS is using the XFS filesystem (mount command) and if it is go ahead and upgrade to R80.40 in place.  If it is still using ext3 filesystems a migrate export with the R80.40 tools, fresh reload of your SMS to R80.40, and migrate import is strongly recommended to pick up the performance benefits of the XFS filesystem.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted
Pearl

Re: R80.30 Vs R80.40 on MDS

Tim,

I think the question is specific to MDS. In which case, even knowing that 80.40 is a fresh release (and not having first-hand experience running MDS on it), I would still chose to go with it. Specifically, because of domain portability and versioning control capabilities.

0 Kudos
Highlighted

Re: R80.30 Vs R80.40 on MDS

I've been running a MDS (single domain) since it was GA, I needed to install the ongoing Jumbo, as I ran into a Policy install issue that was solved in the jumbo.
That said, there are very little problems I have seen so far with R80.40, I have a Global Policy which also works fine.
Next to that you can always use this method to setup a R80.40 MDS
Create a new VM
Install R80.40 on it
run mdsstop on old MDS and change the IP to a free IP in the same network
Run the export on the old MDS
In the mean time set the new MDS to the original IP of the old MDS
Run the FTW and setup the MDS
Move the export file from old to new MDS
Import the R80.20 MDS export file
Run mdsstart on new MDS.
Regards, Maarten
Highlighted
Nickel

Re: R80.30 Vs R80.40 on MDS

Thanks for the feedback.
I am thinking just doing the in-place upgrade, which upload the .tgz and apply the upgrade/update as per checkpoint wizard.

Apart from policy install issue, is there any other major issue?

Alex
0 Kudos
Highlighted

Re: R80.30 Vs R80.40 on MDS

None that I have run into.

Did you do a clean install on the R80.20? If not you will be missing out on the new Filesystem, you can check the filesystem by:
[Expert@CPMDS-025:0]# df -hT
Filesystem                                         Type   Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current  xfs     250G  11G  240G 5% /
/dev/sda1                                            ext3  291M 27M 249M 10% /boot
tmpfs                                                   tmpfs 32G 4.4M  3 2G 1% /dev/shm
/dev/mapper/vg_splat-lv_log          xfs      3.4T 6.8G   3.4T 1% /var/log
[Expert@CPMDS-025:0]# fw ver
This is Check Point's software version R80.40 - Build 038

Regards, Maarten
0 Kudos
Highlighted
Nickel

Re: R80.30 Vs R80.40 on MDS

yes,
clean install R80.20 more than a year now 🙂
0 Kudos
Highlighted
Nickel

Re: R80.30 Vs R80.40 on MDS

Yep its about MDS. Regardless, R80.40 is official release, its no longer GA.
I have been missing the versioning control ^^
feel like can't live without it 🙂
0 Kudos
Highlighted

Re: R80.30 Vs R80.40 on MDS

When it comes to 

Revert to Revision

The Security Management Server architecture supports built-in revisions. Each publish operation saves a new revision that contains only the delta from the previous revision allowing:

  • Safe recovery from a crisis, restore a Domain or a Management Server to a good known revision.
  • Improved policy verification process based on the difference between the current policy and the one contained in the revision database.

 

 

is this supported when running vsx within a MDS?

if so does it include changes made on routing, interfaces etc aswell?

0 Kudos