
Best practice - How often do you patch/upgrade your gateways?

Do you always patch your gateways to the latest take when it's announced?

Do you upgrade your gateways to the latest recommended OS version whenever it's possible?

I'm interested to know how other companies handle this. We usually patch systems to the latest take only when we have issues that can be addressed by applying a new HFA.

13 Replies
Sapphire

Check Point suggests installing the latest Jumbo General Availability Take - I would call that good advice. If issues occur, you may consider the latest ongoing take if it fixes them.


Generally I have no problem with installing GA Jumbo HFAs proactively, as long as they have been available for at least 2 weeks. In my opinion ongoing takes are to be avoided unless you desperately need a certain fix that is otherwise not available in a GA take.


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

@Maarten_Sjouw @JozkoMrkvicka @Kaspars_Zibarts any feedback on this, guys?

Platinum

It all depends on how many gateways/clusters you are responsible for and if you specifically need the "feature to be fixed" which was solved in the latest Take.

In my organization, we need to ensure that we have exactly the same version/Jumbo/hotfixes on all FWs. Once we hit a bug which is fixed in a newer Take than the one we are using, we will do deep-dive testing of this Take in a LAB environment. On the other hand, we are using many custom hotfixes, which must be compatible with the desired Take. So we simply cannot upgrade to the newer version if we don't have a custom hotfix available for this new Take/version.

God (Check Point) bless that 90% of our custom hotfixes are included in pure R80.30 ISO, or in Jumbo.

At this moment, we are still running R77.30 with Jumbo Take 317 and custom hotfixes, as this setup is pretty stable without any major issues.
I am really looking forward to upgrading from R77.30 to R80.30 and seeing what new bugs we will hit :)

Kind regards,
Jozko Mrkvicka

Indeed numbers do make a difference; we run a mix of R77.30 / R80.10 / R80.20 and even R80.30 gateways, totaling around 400 units for 150 customers. If we were to keep up with all jumbos, there would be a need to double the team of 6 taking care of those 400 gateways.
When we install or upgrade a box the latest available GA jumbo will be installed; there will be no time available for installing jumbos on each gateway when they become available. We do however install them when we run into issues with a customer and see the solution being presented in the jumbo.
Regards, Maarten
Nickel

I have two customers on R80.30 (kernel 2.6 each, tho), with VPN bugginess to AWS and Azure (third-party VPN, not CloudGuard). All is well until a new policy install; then the VPN generally dies out and either has to be cleared with "vpn tu" or just wait very patiently for some time. Warning. 🙂

I'm going to test R80.30 JHF 50 soon-ish on them, to see if that helps, but no JHF release notes reference this sort of VPN stability, so I'm not optimistic. I've reported the bug to my SE. After JHF 50, I'll open a TAC case and send them the customary VPN debug and fw kdebug.

Ivory

Hello,

Take 50 does not fix that issue. Tested yesterday with Cisco in Azure.

Kind Regards
Chris


As mentioned in many replies - it really depends on your environment: how many gateways, how sensitive the business is to possible issues post upgrade, resource and time limitations, etc etc.

We tend to stay away from bleeding edge unless we are forced to (one example was getting 64bit VS support)

Recently we had our user group meeting in Sweden and Dorit came out and we talked about the possible approaches, and somewhat of a majority agreed that for a super stable platform you probably want to aim for a major release with a minimum of four or five GA JHFs released on top.

For example R80.30 has only two GA JHFs at the moment so for us it would be "no go" in normal circumstances, therefore R80.20 with all GA JHFs is our current "recommendation" in production.

It's a complex question and I fully understand those with a conservative approach - quite often you need to deliver 99.9999% uptime, which is easily compromised with early SW versions. Yet it can be equally important to deploy a certain feature that is only available in the newest major release.

Silver

Generally speaking, that is how we tend to patch/upgrade.

Either we are having an issue that is fixed in a Jumbo, or it contains a patch for a vulnerability that has been found.

When deploying we will deploy the current GA Jumbo.

Only deploy an ongoing take if specifically recommended by TAC.


As a general rule, I try to cycle through our edge gateways twice a year if updates are in place that need to be taken.

Internal gateways - once a year.

Unless something really bad comes around or we need to take a patch to fix an issue we're having.

Gold

Martin,

Normally we patch if a Jumbo has been available for more than 2 months. If a known problem is solved or any security fixes are needed, we update immediately.

But we have some customers that need more attention. For these customers a stable system is more important than the current patch level. They install Jumbos only if they have been available for more than 6 months and if they solve a known problem. And, like Jozko wrote, after tests in a lab environment.

Wolfgang

Silver

Hi Checkmates,

I have been eager to follow this thread to hear what your perceptions are on how often you patch/upgrade your gateways.

For my situation I am running R80.20 due to AC on EA code at HQ (soon to be R80.40 EA), but on branch offices R80.30 latest GA take, except on one site where I had some problems accessing the gateway cluster from a non-local subnet and I had to deploy R80.30 ongoing take 72 before it was solved.

Generally I am following the GA take on the existing platform version.

I do have a question and I try to be humble in my question. I know many of you are very experienced in the field.
I read in this thread that many are still on R77.30 running with a GA take. Where does this very conservative approach come from?

  • Is it because of a special sector, e.g. Finance or Energy Sector?
  • Running a special version or setup? MDM or SMS?
  • Documentation and keeping track of change management?
  • Lack of training and/or understanding of how the new version works?
  • Some old book telling how to run systems like this?
  • If we just have IPS and AB, that's enough, then the gateways are more or less the same. What about the Gen 5-6 firewall concept from Check Point? Running IPS and AB is, as I recall, less than Gen 3-4?
  • What about the money the customer puts into securing their networks? Do you pay a lot of money to still be on the same platform level with less than 1 update per year?


I just cannot understand why. I have been in EA since R80.10 and soon to be running R80.40 EA. The latest recommended R80 Gaia version is R80.30. How can it be that you are still running R77.30?

I made this jump from R77.30 4 years ago and I can only be satisfied and happy running R80.30 at the moment.
I don't want to go back to any earlier version and I would say I am seeing much faster and more stable gateways running R80.30 than the R77.30 version.

Just a thought for reflection, and I would like to hear your replies on this.

All the best

Best Regards
Kim