cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Upgrade to R80.10 or R80.20

Hello!

Currently I am planing the overall upgrade of the customer's environment, as follows:

configuration right now:

- SMS: R77.30

- GWs:

   - R77.30 VSX-Cluster with about 4 virtual Firewalls (23500-Appliances), IPS/URLFilter/VPN/AntiBot/Identity Awareness /MobileAccess/Remote-VPN in place

   - 24 x 1450-Appliances (latest Software Release from July 2018)

My plan looks like this:

First, of course, I will upgrade the SMS, after this the VSX-GWs will be upgraded in about 2 month.

I am not sure, if i should upgrade the overall environment to R80.20 or is there a reason, why I should not do this now?

Is it better, to use R80.10 for now? Currently we do not have any performance-issues on the GWs.

Or is it a usable trade-off to install the SMS with R80.20 Mx and the VSX-GWs with R80.10?

After the upgrade my customer wants to use HTTPS-Interception for all the clients in combination with APP-Control.

What do you guys think about it?

Thank you Martin

10 Replies
Alex_Gilis
Silver

Re: Upgrade to R80.10 or R80.20

I use R80.10 and R80.20 without any issues, but the latest version that's officially recommended by Checkpoint is still R80.10.

Admin
Admin

Re: Upgrade to R80.10 or R80.20

That changed over the last week or so (specifically that R80.20 is recommended now).

Vladimir
Pearl

Re: Upgrade to R80.10 or R80.20

I'd suggest moving to R80.20 on both, management and the gateways..

In terms of VSX, you'll gain the 64 bit support for VS' that will allow better memory allocation.

If your client is looking to implement HTTPS inspection, this may come in handy.

Additionally, there is a much better implementation of the SaaS services objects, such as Office 365 as well as FQDN Domain objects.

I'd stay away from the M train, unless you have a solid justification for taking that route.

After M1, upgrade to GA required involvement of TAC for quite a while, although it may have changed since.

Staying on R77.30 on gateways longer than necessary will limit your available functionality and as a result you'll be using temporary workarounds instead of taking advantage of latest features.

In my experience, there are few things more permanent than "temporary solutions".

This being said, the R80.30, now in EA, adding quite a few new capabilities and addressing few shortcomings of previous releases, at least on paper.

If you are not in a particular hurry, I'd lab the EA and roll with it once it is in GA.

Regards,

Vladimir

Employee+
Employee+

Re: Upgrade to R80.10 or R80.20

Vladimir,

can yo elaborate on Mx releases? why we should stay away from them?

0 Kudos
Highlighted

Re: Upgrade to R80.10 or R80.20

Upgrade from M1 to GA was a bit of pain because Check Point tested a new upgrade approach there, which will be standard for all mgmt upgrades in the future.

As it had to be accompanied by TAC, it took quite a while.


This is not the case anymore, but anyway people are now in fear something similar (blocking) might occur again with the Mx releases.


I would go for Mx releases if the features introduced are helpful for you. Else go with GA.

0 Kudos
Employee+
Employee+

Re: Upgrade to R80.10 or R80.20

As far as I can remember upgrades always was a problem. During my experience I never allowed upgrades 3rd time. After 2 upgrades will be fresh install, no matter what, and import config after fresh install.

Alex

Sent securely from Check Point Capsule Workspace

0 Kudos
Vladimir
Pearl

Re: Upgrade to R80.10 or R80.20

Same reasons that Norbert Bohusch‌and Alessandro de Lima Marreiro‌ are referring to and what I have mentioned in my original post: You had to get TAC involved for the upgrade from the M1 version, there are little references to the compatibility or applicability of various solutions to the M releases as well.

Relatively small footprint of the M versions may also be a problem from the troubleshooting perspective, as there are bound to be some niche cases where the issues are specific to it, but are little known or not yet discovered.

0 Kudos
Employee+
Employee+

Re: Upgrade to R80.10 or R80.20

R80.20 with Jumbo Hotfix Accumulator will be the default one (widely recommended) for all deployments soon. We plan to communicate it in upcoming days.

Thanks

Gera 

Re: Upgrade to R80.10 or R80.20

I agree with Vladimir that suggested moving to R80.20 on both, management and the gateways. But you need to check your VPN mode IPSEC (Simplified x Traditional) and VPN ssl (unified x legacy mode). 

0 Kudos

Re: Upgrade to R80.10 or R80.20

Take a look on "Migrate to R80.20 TechTalk"

0 Kudos