Why does it seem that every new CheckPoint release is missing some major portion of the functionality that was present in previous versions?
We are running an R77.30 cluster for our Internet facing firewall. On that cluster we are running most of the Threat Prevention Suite including HTTPS inspection, Threat Extraction and Threat Emulation. We have been "in the process" of upgrading the cluster since September.
Every time we settle on a target version, we get just about up to implementing it, only to discover that the target version is missing some functionality that we really need.
We were quite close to taking the cluster live on R80.20 back in February, but ran into some networking problems the night of go-live and reverted back to R77.30. It turns out that was a good thing, as we were informed a few days later that the SNI hot fix, which I had already requested, was not available for R80.20 and there was no plan to provide it. We really need the SNI hotfix. We had to turn off Probe Bypass because it does not support SNI sites at all, even if the site does not actually use or need SNI. Without Probe Bypass, HTTPS Inspection is not as nicely implemented, and we suffer a slow roil of frustrated users and automated processes whose first connection to a site fails, since the HTTPS inspection engine must inspect the first connection in a 24-hour period to tell if it should inspect or bypass inspection. If the site is on the bypass list, the first connection fails, as it had to be inspected in order to tell.
The word in February was that there was no plan to provide the SNI hot fix for R80.20, even though it had been out for some time for R80.10. We were told to either use R80.10 or wait for R80.30, which would be out really soon now. R80.30 would have the SNI hot fix baked in.
So, for various reasons, it turned out the next time we could attempt to implement a cluster upgrade would be the end of May. My boss told me to plan for R80.10 for that date, so we could get the SNI hot fix. In the meantime, R80.30 finally was released to GA.
The new features list for R80.30 is impressive, and it turns out we really need one of those features: R80.30 finally supports the full gamut of encryption protocols for TLS 1.2. We have been seeing a fair number of sites that are configured to only allow these new R80.30-supported encryption protocols. I don't know if the sites are misconfigured, or if they know something that I don't, but I do know that we have had to write a number of HTTPS Inspection Bypass rules because these protocols have not been supported for HTTPS Inspection until now.
So crazy me, I read through all the Release Notes and Limitations and a bunch of other R80.30 docs and then convinced my boss that we should move everything to R80.30. I mean, we still had two weeks left until the scheduled upgrade date: plenty of time to re-image the new servers and use the failover management system to upgrade to R80.30 management as well.
So, I was pretty aghast when I found out yesterday that the Mobile Access Portal hot fix, sk113410, is not available for R80.30. The Mobile Access Portal is the front end to the SSL Network Extender, which we use for external vendor and employee access to our internal network. Over half of those users are using browsers other than Internet Explorer. That's a real problem, because without the sk113410 patch, the Mobile Access Portal only supports IE on Windows. There is no mention of this lack of an sk113410 patch in the R80.30 Limitations document. The SK article for sk113410 was updated yesterday, after my call on the subject to CheckPoint TAC, stating that there would be no hot fix for R80.30 until Q3 or Q4 2019.
Look, I understand the software development cycle and the need to fork the code somewhere in order to start on the new version. But when you have added functionality in widely used hot fixes already available for prior releases, it seems to me you should either plan to incorporate the hot fixes into the forked code base, as they did with the SNI hot fix for R80.30, or develop a version of the hot fix for the new version before general release.
I am so frustrated with CheckPoint right now... I had to go back to my boss and explain that we would not be able to go to R80.30 after all. So, now we are back to R80.10 for our end-of-the-month upgrade. I sure look stupid. My boss's comment was: "Why do they keep doing this? I don't remember ever having similar issues with Cisco or Palo Alto firewalls at previous jobs."
Why does CheckPoint keep releasing new versions without functional parity with prior releases?