
Re: Check Point R80.20 Now GA

Great 

Re: Check Point R80.20 Now GA

What kind of version is R80.20SP ?

EDIT: Was mentioned in this thread by Maor Elharar ... R80.20 for Scalable Platform

Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Check Point R80.20 Now GA

SP means "Scalable Platform", which refers to 41/61k and 44/64k chassis based systems.

Current SP release is R76SP.50 because the branch was forked from R76 release and then developed in parallel.

R76SP.50 already had some features which didn't make it into the R77.30/R80.10 main train, but on the other hand was missing others. With R80.20SP, as far as I heard, Check Point wants to close the gaps.

0 Kudos

Re: Check Point R80.20 Now GA

Is there a rough ETA on R80.20SP?

Employee

Re: Check Point R80.20 Now GA

Hi Andreas,

You can find some ETA here: Will SP code ever get migrated into main R80.x code train?

If you are interested in the R80.20SP EA (R80.20 for Scalable Platform) program, you can contact Maor Elharar (maor@checkpoint.com).

Re: Check Point R80.20 Now GA

Will the first release of R80.20SP support VSX, or is that going to be added later?

0 Kudos
Employee

Re: Check Point R80.20 Now GA

Yes, VSX will be supported on the first release of R80.20SP.

0 Kudos

Re: Check Point R80.20 Now GA

After playing around with R80.20GA gateway for a few hours, the following things caught my eye:

1) Gaia is now required to be 64-bit.

2) Geo Protection can now be directly configured in a whitelist configuration (allow some countries and deny all others).

3) R80.20 gateway ClusterXL does not support Load Sharing (Active/Active) yet?  Not a huge fan of load sharing to begin with but this is taking it to another level...  🙂

4) R80.20 gateways cannot be managed by an R80.20M1 SMS.

5) cphaprob state command now reports *far* more detail about ClusterXL state, including why the current member is active, last state transition & failover count, and active pnote problems.  This extra information appears to be available separately via the new cphaprob show_failover command.

6) cphaconf set_ccp has two new options: auto and unicast  (the latter only works with a 2-member cluster); used to just be broadcast and multicast.

7) Syn Attack (Syn Flood) protection is now implemented in SecureXL and will not cause all traffic handled by it to go F2F.  Just mentioned this limitation in my TechTalk this week, quite ironic...

8) The undocumented ability for certain ports to be bypassed in the Dynamic Dispatcher mentioned on p. 245 of my book appears to be officially supported via the fw ctl multik add_bypass_port command among others.

9) The new fw ctl multik get_instance command can be used to identify which Firewall Worker core is handling a connection with the matching attributes specified on the command line.

10) The new fw ctl multik print_heavy_conn command will show the attributes of all "heavy" (elephant flow) connections currently pounding the Firewall Worker cores.

11) The new fw ctl multik utilize command will show the size & utilization of the Firewall Worker packet queues.

12) Many new screens added to cpview including Dynamic Routing Stats (routed), Hardware Health & Sensors, Disk I/O utilization, and Advanced...CPAQ.

13) Apparently fw monitor can now capture all traffic traversing the firewall regardless of whether it is accelerated by SecureXL.  Haven't had a chance to verify this myself yet.

14) The long-awaited Network defined by routes antispoofing topology option checks the gateway routing table every second for any route changes that might impact antispoofing enforcement, the timer controlling this interval is located in the SmartConsole under Manage & Settings...Preferences.

15) I don't see the option to define VPN domains per VPN Community, at least not in the SmartConsole.

16) Ensuring that "Font Smoothing" is enabled in your RDP client substantially improves the graphical performance of the SmartConsole inside an RDP Session.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Check Point R80.20 Now GA

Regarding Load Sharing (Active/Active) configuration - this morning I managed this configuration. At least in my lab, it works fine.

Load Sharing Multicast

0 Kudos

Re: Check Point R80.20 Now GA

Concerning Load Sharing here is the Known Limitation from sk122486: R80.20 GA and R80.20 Management Feature Release Known Limitations

MB-30

R80.20 ClusterXL does not support Load Sharing mode. Therefore, R80.20 SmartConsole blocks such configuration with a warning message.

This limitation is planned to be resolved during H1 2019.

R80.

Curious that you were able to configure it, but just because you were able to do so doesn't mean it is a supported configuration based on the above.


Re: Check Point R80.20 Now GA

You can configure load sharing with R80.20 SmartConsole for clusters that aren't in version R80.20. 

Do you think we should rephrase the sentence at Known Limitations?

0 Kudos

Re: Check Point R80.20 Now GA

Yes, perhaps clarify that R80.20 *gateway* does not support ClusterXL Load Sharing.  It was clear to me that the R80.20 SmartConsole can still configure it for older gateway objects though.

0 Kudos
Employee

Re: Check Point R80.20 Now GA

(1) If the version of the ClusterXL object is R80.20, then SmartConsole will not let you configure the LS mode.

You will get an explicit pop-up that says so.

(2) Is this text not clear enough "R80.20 ClusterXL does not support Load Sharing mode. Therefore, R80.20 SmartConsole blocks such configuration with a warning message." ?

Re: Check Point R80.20 Now GA

Thanks for your feedback!

I like the fact that you point out the features that matter to you. To me this sometimes means more than your impressions on the features themselves. 

We are also interested in feedback on: configuring countries and cloud servers in your security policy; changing the IPS workflow with gateways fetching updates independently, automatically preventing, while still managing the protection state and follow-up flags through SmartConsole; scheduling policy installations with Multi-Domain Security Management; and configuring malicious email policy with the Threat Prevention Profiles.

Maybe with a thread per feature.

Indeed, font smoothing works wonders with R80 SmartConsole and above [https://community.checkpoint.com/thread/6950-how-to-make-smartconsole-look-good-even-with-terminal-s... ]

And we hear your feedback on VPN domains per VPN community, loud and clear.

Re: Check Point R80.20 Now GA

The fw monitor improvement sounds very good, as I always forget fwaccel off prior to fw monitor.

and now to something completely different
0 Kudos
RickHoppe
Silver

Re: Check Point R80.20 Now GA

If you look at it this way...other people forget to turn it back on after a troubleshoot session.


Blog: https://checkpoint.engineer

Re: Check Point R80.20 Now GA

Just discovered that the build version of the Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent on R80.20 GA has been updated to 1573, despite it not being available for download (according to the SK, the latest version is 1567).

In addition, the download link isn't working anymore?

The file you were trying to load could not be found or has been deleted. 

CPinfo utility on R80.20 GA is the same version (182) as on R80.10 or R77.30. No changes there.

Kind regards,
Jozko Mrkvicka
0 Kudos
Employee+

Re: Check Point R80.20 Now GA

You are correct, we had an issue with the SK, and it is now fixed. The latest CPUSE deployment agent is 1573 and now it can be downloaded from the SK.

Thanks! 

Employee+

Re: Check Point R80.20 Now GA

Few answers

1. R80.20SP is in EA - ready for production. You are welcome to join. GA in Q4 and more EAs will help release faster

2. New kernel:

A. Integrated in the GA for user space (cpuse pkg for mgmt is part of the GA)

B. Kernel (mgmt+gw) requires a different software variant for now. It's already in EA for cloud and open server. Join the EA if you want to run it in production now and, on the way, learn more and contribute feedback.

3. Upgrade of every release to R80.20 uses the normal CPUSE package and is fully supported, except R80.20M1 which is different. 

Why? We started to implement new/improved mgmt upgrade code which in the future will be our standard code and right now is only implemented from M1 to GA. So the M1 upgrade is still "escorted". We now have updateability for the update code itself, so we can later (after it's fully tested) make the M1 upgrade also go through the normal CPUSE package.

Employee+

Re: Check Point R80.20 Now GA

Oops missed #4

4. Accelerator card support is in EA and runs in production - please join the EA and help us get it released faster. 

phlrnnr
Copper

Re: Check Point R80.20 Now GA

Can you email me with more info about what the accelerator card will do, what appliances it will work in, etc?  How do I join the EA for this?  I'm very interested in this, particularly for SSL offload.

0 Kudos
Employee+

Re: Check Point R80.20 Now GA

You're welcome to review R80.20 Security Management features with Check Point R80.x Cloud Demo

Re: Check Point R80.20 Now GA

Not sure if my calculator is wrong, or something is not correctly counted within Object Explorer. Taken from R80.20 Demo Mode. The same incorrect number is also seen in real mode.

According to Object Explorer there are 8984 objects in total, but in fact if we count all objects in Categories, we will get 8195.

Kind regards,
Jozko Mrkvicka
0 Kudos
Employee+

Re: Check Point R80.20 Now GA

Thank you Jozko Mrkvicka, we'll look into this.

Re: Check Point R80.20 Now GA

So I did my AIO upgrade to R80.20 at the weekend - rolled back today after some issues. Upgrade from R80.10 with JHF T141.

I am running a system with PPP interfaces and thus SecureXL is permanently disabled. I discovered after the upgrade that SecureXL has changed in the way that it is configured: I no longer had an option in cpconfig to disable it, and the "cp_conf sxl enable/disable" as per the guide wasn't a flag cp_conf recognised.

This left me in a predicament, as that is obviously our gateway out to the wider world. I found I could work around this by disabling the various parts of SecureXL manually, but still had sporadic traffic throughput issues and "fwaccel stat" still reported that "Throughput acceleration was enabled" even though all the features I could find to disable were disabled.

Has there been a change in R80.20 where SecureXL is now a required item and thus cannot be disabled?

I also noted that it was listing interfaces, so made some assumptions that SecureXL could be enabled and disabled on a per-interface basis which seems interesting, not too certain how that works with my historical understanding of traffic being forwarded between accelerated and non-accelerated interfaces.

Overall, other than this issue - which is just simply a deal killer for me - I was pleased with the experience. The new console is smart (no pun intended) and it feels overall more polished. Still some issues with scaling and the like in Windows 10 when viewing the topology, but minor niggles.

If someone could clarify the SecureXL situation in R80.20 that would be great.

0 Kudos

Re: Check Point R80.20 Now GA

Hi Daniel, why don't you want to disable acceleration with the fwaccel off command?

0 Kudos

Re: Check Point R80.20 Now GA

That's fine for run-time but it comes back on at boot. It also didn't resolve all of my SecureXL related issues, as it said there were still acceleration features enabled.

0 Kudos

Re: Check Point R80.20 Now GA

Oh, I see, you want to off-load SXL completely from the kernel. 

0 Kudos

Re: Check Point R80.20 Now GA

Yeah like we used to through cpconfig. But that option seems to be missing.

0 Kudos

Re: Check Point R80.20 Now GA

I also have problems with SecureXL. After disabling SecureXL (fwaccel off -a), all my connection problems were gone (even UDP). But unfortunately it is activated again after policy installation or reboot. I had to roll back to R80.10.

0 Kudos