Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Derek_Davenport
Participant
Jump to solution

When to upgrade?

I am really excited about R80.  I love the API.  I love the ability for multiple admins to work at the same time.  While I am very excited, I am scared to upgrade. 

I have upgraded a production backup in a test environment and it went fairly well.  It appears to work ok.

My question is...who has actually upgraded in production.  What issues are people running into running R80 management in production pushing to down version gateways?

If you have upgraded in production what issues have you had a high level? 

For a risk averse company, how long should we wait for the early adopters to find the majority of the problems? Smiley Happy

0 Kudos
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor

Is R80 stable?

Several measures were taken to have R80 more stable than any major version that we've had before:

Prior to GA we accompanied over 150 customers with their transition to R80, and incorporated all of their feedback.

We changed the way we verify the quality of our daily builds. Automatic processes have been running after every feature change to R80 to check whether operations do not get affected, including: upgrades from R7x, install policy, multi-admins work, logs-to-policy-management integration, multi domain operations, HA synchronizations, objects creation and more.

We hope that the Upgrade Verification Service can assure your confidence in R80 over your environments.

Another thing worth noting is that R80 is a Management-only release, therefore Gateway operations do not get affected by this upgrade.

View solution in original post

0 Kudos
11 Replies
Sanjay_Bhandari
Explorer

I would wait a while till the first HFA arrives Smiley Happy

Derek_Davenport
Participant

Good idea

0 Kudos
Mondli_Maphumul
Explorer

i would also wait up until they have maybe R80.1 to fix issues that will creep up on R80.

SantiagoPlatero
Collaborator

Hi Derek, I've upgraded my production management as a part of the EA program and I've working with 3 pre-R80 gateways (2 R77.30 and1 R77.20) for almost two months.

As far for now I don't have any issues in the daily work basis. In fact I found some improvements for one gateway behind a slow MPLS link, when I've try to install policies with the R77.30 management sometimes the installation failed because of timeout issues. Nowadays I can assure that the installation times have improved and it didn't fails at all.

On the other hand we found some issues with the QoS blade, and the policy management for Mobile Access is quite awkward (it still uses the R77 dashboard).

TL;DR: I have R80 EA in production environment running for two months and in the overall I found more pros than cons.

Derek_Davenport
Participant

Great information.  I was curious if the delta like changes of R80 management was going to work with down level gateways.  Sounds like that is true.  That is almost worth upgrading right there!  Waiting 1-3 minutes for every policy push has been the bane of my existence for years!

Thanks for the input Santiago Platero​!

0 Kudos
SantiagoPlatero
Collaborator

Derek, beware: as far that the EA engineer that helped me with the upgrade told me the delta changes does not apply to Pre-R80 gateways. But we take the installation times with R77.30 and then we compare with R80 and we came down for like almost 1 minute faster with R80.

But keep in mind with R77.30 management the policy installation took more than 5 minutes to install. Yes, that crappy MPLS link also has been too the bane of my existence.

0 Kudos
Derek_Davenport
Participant

Thanks for the clarification.

0 Kudos
Tomer_Sole
Mentor
Mentor

Guys, indeed delta policy push can only happen if the GW has the code that support it, which means - an R80.10 GW.

However, policy push can be somewhat faster in R80 due to the initial phase of the Management server collecting the database faster than it was before, due to the stronger backend.

0 Kudos
Timothy_Hall
Champion
Champion

Your policy installation times for older R77.XX gateways almost certainly improved due to the fact that policy operations are now fully multithreaded on an R80 SMS as opposed to an R77 SMS, where all policy operations were single-threaded via the fwm process.  The number of cores on your SMS will dictate how much of a performance gain is achieved; I have personally seen a policy verify/compilation consume 400% of CPU (4 cores) on an R80 SMS while running top.  A very welcome improvement to be sure; policy deltas for R80.10 gateways should improve performance even more.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Tomer_Sole
Mentor
Mentor

Is R80 stable?

Several measures were taken to have R80 more stable than any major version that we've had before:

Prior to GA we accompanied over 150 customers with their transition to R80, and incorporated all of their feedback.

We changed the way we verify the quality of our daily builds. Automatic processes have been running after every feature change to R80 to check whether operations do not get affected, including: upgrades from R7x, install policy, multi-admins work, logs-to-policy-management integration, multi domain operations, HA synchronizations, objects creation and more.

We hope that the Upgrade Verification Service can assure your confidence in R80 over your environments.

Another thing worth noting is that R80 is a Management-only release, therefore Gateway operations do not get affected by this upgrade.

0 Kudos
Don_Paterson
Advisor

Hi Tomer,

Hows the uptake looking for R80.10 now?

The R80.10 ATC courses are very popular. I am running them in the UK. Feedback on the product is good and performance is good.

Is there a reference document doing a side-by-side R77.x to R80.x comparison?

Last question: Is there any news on creating Cluster Objects with API and is there a document of all/any other features not yet supported in the API?

https://community.checkpoint.com/message/10456-re-api-cluster-build?commentID=10456#comment-10456 

I have found the R80.x FAQ in here and that is good:

R80.x FAQ 

Regards,

Don

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events