MVS_VF
Participant

Does Multi-Domain Server always need to have higher hotfix version than the Firewall Gateway in it?

Dear Friends!

Please advise if Check Point Multi-Domain Server always needs to have a higher hotfix version than the firewalls in it?

Currently my Check Point Multi-Domain Server is R81.20 Jumbo Hotfix Take 41 and so are my firewalls, on exactly the same version.

I am planning to take 'ONLY' my firewalls to the recommended Jumbo Hotfix Accumulator take 65:

1) Can I do it without any hindrance or affecting any of the cluster firewalls or MDS?

2) If I ALSO do an HF upgrade on Check Point Multi-Domain Server and it will definitely restart, will this affect my firewalls in any way?

Kr,

MVS


Accepted Solutions
Tomer_Noy
Employee

This is a useful post from a while back (that is still relevant):
https://community.checkpoint.com/t5/Management/Management-JHF-Did-You-Know/m-p/56880/highlight/true#... 

Bottom line:

  1. Yes, you can install newer JHF on gateways without installing it on the Management.
  2. If you install an HF on the Management it will indeed restart the server, but short downtime on the Management should not affect gateway traffic.
    • There are some specific flows that involve the Management (such as CME autoscale, or updating DataCenter objects) but regular behavior should be unaffected.

Bob_Zimmerman
Authority

Certain firewall versions require the management run a jumbo equal to or higher than a certain version. This mostly affects managing newer minor versions. For example, R81.10 jumbo 82 adds the ability to manage R81.20 firewalls.

Some branded hardware requires a particular jumbo for management to be supported. For example, R81.10 jumbo 141 adds the ability to manage 9000-series branded boxes.

Fixes to some issues may need a certain jumbo to be on the management to affect how policy is built.

Other than those three situations, the management jumbo is mostly independent of the firewall jumbo. That said, updating a management is a lot less risky and a lot lower impact than updating firewalls. Why not do it first?
