Best practice - How often do you patch/upgrade your gateways?
Do you always patch your gateways to the latest take when it is announced?
Do you upgrade your gateways to the latest recommended OS version whenever it is possible?
I'm interested to know how other companies handle this. We usually patch systems to the latest takes only when we have issues that can be addressed by applying a new HFA.
Check Point suggests installing the latest Jumbo General Availability Take - I would call that good advice. If issues occur, you may consider the latest ongoing take if it fixes them.
Generally I have no problem with installing GA Jumbo HFAs proactively, as long as they have been available for at least 2 weeks. In my opinion ongoing takes are to be avoided unless you desperately need a certain fix that is otherwise not available in a GA take.
@Maarten_Sjouw @JozkoMrkvicka @Kaspars_Zibarts any feedback on this guys?
It all depends on how many gateways/clusters you are responsible for and whether you specifically need the "feature to be fixed" which was solved in the latest Take.
In my organization, we need to ensure that we have exactly the same version/Jumbo/hotfixes on all FWs. Once we hit a bug which is fixed in a newer Take than the one we are using, we will do deep-dive testing of this Take in a LAB environment. On the other hand, we are using many custom hotfixes, which must be compatible with the desired Take. So we simply cannot upgrade to the newer version if we don't have a custom hotfix available for this new Take/version.
God (Check Point) bless that 90% of our custom hotfixes are included in the pure R80.30 ISO, or in the Jumbo.
At this moment, we are still running R77.30 with Jumbo Take 317 and custom hotfixes, as this setup is pretty stable without any major issues.
I am really looking forward to upgrading from R77.30 to R80.30 and seeing how many new bugs we will hit :)
Jozko Mrkvicka
When we install or upgrade a box, the latest available GA jumbo will be installed; there will be no time available for installing jumbos on each gateway when they become available. We do, however, install them when we run into issues with a customer and see the solution being presented in the jumbo.
I have two customers on R80.30 (kernel 2.6 each, though), with VPN bugginess to AWS and Azure (third-party VPN, not CloudGuard). All is well until a new policy install; then the VPN generally dies out and either has to be cleared with "vpn tu" or you just wait very patiently for some time. Warning. 🙂
I'm going to test R80.30 JHF 50 soon-ish on them, to see if that helps, but no JHF release notes reference this sort of VPN stability, so I'm not optimistic. I've reported the bug to my SE. After JHF 50, I'll open a TAC case and send them the customary VPN debug and fw kdebug.
Take 50 does not fix that issue. Tested yesterday with Cisco in Azure.
Kind Regards
Chris
As mentioned in many replies - it really depends on your environment: how many gateways, how sensitive the business is to possible issues post upgrade, resource and time limitations, etc. etc.
We tend to stay away from the bleeding edge unless we are forced to (one example was getting 64-bit VS support).
Recently we had our user group meeting in Sweden and Dorit came out and we talked about the possible approaches, and the majority more or less agreed that for a super stable platform you probably want to aim for a major release with a minimum of four or five GA JHFs released on top.
For example, R80.30 has only two GA JHFs at the moment, so for us it would be a "no go" in normal circumstances; therefore R80.20 with all GA JHFs is our current "recommendation" in production.
It's a complex question and I fully understand those with a conservative approach - quite often you need to deliver 99.9999% uptime, which is easily compromised with early SW versions. Yet it can be equally important to deploy a certain feature that is only available in the newest major release.
Generally speaking, that is how we tend to patch/upgrade.
Either we have an issue that is fixed in a Jumbo, or it contains a patch for a vulnerability that has been found.
When deploying, we will deploy the current GA Jumbo.
We only deploy an ongoing take if specifically recommended by TAC.
As a general rule, I try to cycle through our edge gateways twice a year if updates are in place that need to be taken.
Internal gateways - once a year.
Unless something really bad comes around or we need to take a patch to fix an issue we're having.
Martin,
normally we patch if a Jumbo has been available for more than 2 months. If a known problem is solved or any security fixes are needed, we update immediately.
But we have some customers who need more attention. For these customers a stable system is more important than a current patch level. They install Jumbos only if they have been available for more than 6 months and if they solve a known problem. And, like Jozko wrote, after tests in a lab environment.
Wolfgang
Hi Checkmates,
I have been eager to follow this thread to hear what your perceptions are on how often you patch/upgrade your gateways.
For my situation, I am running R80.20 due to AC on EA code at HQ (soon to be R80.40 EA), but on branch offices R80.30 latest GA take, except at one site where I had some problems accessing the gateway cluster from a non-local subnet and I had to deploy R80.30 ongoing take 72 before it was solved.
Generally I am following the GA take on the existing platform version.
I do have a question and I try to be humble in my question. I know many of you are very experienced in the field.
I read in this thread that many are still on R77.30 running with a GA take. Where does this very conservative approach come from?
- Is it because of a special sector, e.g. the Finance or Energy sector?
- Running a special version or setup? MDM or SMS?
- Documentation and keeping track of change management?
- Lack of training and/or understanding of how the new version works?
- Some old book telling how to run systems like this?
- If we just have IPS and AB, that's enough, then the gateways are more or less the same. What about the Gen 5-6 firewall concept from Check Point? Running IPS and AB is, as I recall, less than Gen 3-4?
- What about the money the customer put into securing their networks? Do you pay a lot of money to still be on the same platform level with less than 1 update per year?
I just cannot understand why. I have been in EA since R80.10 and will soon be running R80.40 EA. The latest recommended R80 Gaia version is R80.30. How can it be that you are still running R77.30?
I made this jump from R77.30 4 years ago and I can only be satisfied and happy running R80.30 at the moment.
I don't want to go back to any earlier version and I would say I am seeing much faster and more stable gateways running R80.30 than the R77.30 version.
Just a thought for reflection, and I would like to hear your replies on this.
All the best
Kim
A similar thread was already opened to discuss the topic of upgrading from R77.30 to R80.x.
Jozko Mrkvicka
