
Are you in an R77.30 Upgrade Rush?

A few months ago, the vast majority of Check Point firewalls out there were still running R77.30*. As time progressed, we slowly saw people upgrading their firewalls to R80.10 and later. However, in the month of August, we saw a massive acceleration in upgrades**, in anticipation of the End of Support for R77.30 in September.

This raised a few questions:

1. Why are so many people waiting until the last minute to upgrade? Some may even go beyond the Sep 30th date.

2. What can be done to prevent this from happening again in the future?

 

---------------------------------

* Our data comes from Indeni Insight, which receives non-confidential data about the devices in use by our customers. These are mostly large enterprises in North America, with deployments of at least 100 firewalls.

** Massive acceleration: 40% of all upgrades to R80.20, up to Aug 15 2019, occurred in the first two weeks of August. Again, this is based on just our data.

CEO & Founder, Indeni
18 Replies
JozkoMrkvicka
Platinum

Re: Are you in an R77.30 Upgrade Rush?

No rush, as CP is not able to release an R80.x version which is bug free. In my company, we started testing R80.x releases around 5 months ago. None of the upgrades/fresh installations went without issues. Around 20 cases were opened so far, most of them closed as "will be solved in next release" 🙂

So we will run on beloved and super stable R77.30 with extended support from CP till testing of R80.x isn't without issues on our end.

PS: Eagerly waiting for R80.40 EA and FINALLY official support for cluster manipulation over API...

 

Kind regards,
Jozko Mrkvicka

Re: Are you in an R77.30 Upgrade Rush?

@JozkoMrkvicka which version are you talking about, specifically? This sounds like R80.20. Quite _a_few_ issues are actually resolved in R80.30, which has recommended status now.

0 Kudos
JozkoMrkvicka
Platinum

Re: Are you in an R77.30 Upgrade Rush?

Yep, we were heavily testing R80.20 and after all the issues we faced, we were advised to wait till R80.30 is GA 😛
Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Are you in an R77.30 Upgrade Rush?

One of the things we did: we run the management for around 150 customers in our environment, and we set up an R80.10 management server about 1 year ago. This had multiple reasons: getting our engineer acquainted with the new interface and way of working; besides that, we had some customers that really wanted to move forward with R80.x, and lately we had a number of appliances (6x00) that did not support R77 anymore.
Now we are planning the migration of the rest in 1 big bang migration.
However, that is so far only management; then we still need to do a migration of around 250 gateways, where possible. Pretty sure this will take many more months.
Regards, Maarten
0 Kudos

Re: Are you in an R77.30 Upgrade Rush?

Oh, by the way, we have a number of customers that we cannot migrate yet as they have local log servers in use. (Log server defined within the domain)
This is currently still not supported. Needed to move 5 Domains onto a separate MDS server to be able to migrate the rest.
Regards, Maarten
0 Kudos
JozkoMrkvicka
Platinum

Re: Are you in an R77.30 Upgrade Rush?

AFAIK, R80.20 and R80.30 are capable of handling log servers within CMAs.
Kind regards,
Jozko Mrkvicka
0 Kudos
Nemz
Ivory

Re: Are you in an R77.30 Upgrade Rush?

Is Check Point extending support past 9/30/19??? I keep asking, but no real answers...

0 Kudos
Employee+

Re: Are you in an R77.30 Upgrade Rush?

We have extended support to specific use cases and customers where this is required (one valid example exists on this thread).

The general end of support is Sep 2019. 

 

0 Kudos

Re: Are you in an R77.30 Upgrade Rush?

The pre-upgrade verifier will tell you this:
Log Servers on Domain Management Server level are not yet supported in R80.30. We aim to support this feature soon. See sk117159 for details.
Regards, Maarten
0 Kudos
JozkoMrkvicka
Platinum

Re: Are you in an R77.30 Upgrade Rush?

I am sure I have created Log Servers within freshly installed R80.20 in the past...
Are you using Multi-Domain Management where you have a log server for CMAs?
Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Are you in an R77.30 Upgrade Rush?

Upgrade of appliances on small deployments went fine to upgrade to R80.20 with CDT, but on critical systems, which are on open servers, we failed to upgrade (gateways, VSX) without issues and had to roll back.

0 Kudos
Employee+

Re: Are you in an R77.30 Upgrade Rush?

1. Open servers are better served w R80.30 plus 3.10 Linux, where we have jumbo support across both Linux kernels. You are welcome to try it as it's much more mature.

2. To the log server message... there is indeed a missing item called dedicated log server (the pre-upgrade verifier detects it), and it is a specific scenario used by a small but important part of the install base - it's in development and should be released this year. We are in communication with those customers that are waiting for this and they have received extended support.

0 Kudos

Re: Are you in an R77.30 Upgrade Rush?

Artur and Alexander from TAC are aware of my situation and I have for now chosen to upgrade all I can, meaning I had to move the customers with a log server within their CMA to another MDS setup specifically for this so I can work it out at a later stage.
@JozkoMrkvicka We ran into this issue and no, you just cannot upgrade the CMA when a log server is part of the CMA.
Regards, Maarten
0 Kudos
Employee+

Re: Are you in an R77.30 Upgrade Rush?

Indeed.

You can see it working in your lab next month. It will be released in Q4 2019. 

If needed we will extend support in such cases, but to put this into proportion, this is a small part of our customers.

0 Kudos
JozkoMrkvicka
Platinum

Re: Are you in an R77.30 Upgrade Rush?

Yep, I just tried it and you were right: [image.png]

Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Are you in an R77.30 Upgrade Rush?

We have plenty of Dell R730(xd) servers, which are not supported officially with the 3.10 kernel. The new 3.10 kernel applies only for R740.
0 Kudos
Nemz
Ivory

Re: Are you in an R77.30 Upgrade Rush?

Will Check Point be offering extended support for us customers having problems upgrading?

0 Kudos
Employee+

Re: Are you in an R77.30 Upgrade Rush?

If you have concrete problems, work w the support team on a realistic plan and you will be supported all through the implementation plan (and yes, if it means extended support).