Admin

R80.30 Technical Update TechTalk

Our 12 June 2019 TechTalk on R80.30 covered the following topics:

  • New Check Point Appliances (16000 and 26000 Series)
  • R80.30 OS Kernel 3.10
  • User Mode Firewall
  • New in SSL Inspection
  • Web Threat Extraction

Presentation Materials are available for CheckMates members:

Q&A from the session that we did not get answers for will be added in the comments in the coming days.

12 Replies
Admin

Q&A Part 1

Is R80.30 3.10 for Gateways in GA yet?

The new appliances announced (16000/26000) ship with this release. We expect it to be available shortly for other appliances.

Why must I do a fresh install for R80.30 3.10 takes?

This is because R80.30 with the Linux 3.10 kernel for gateways is not fully GA yet. Installation and regular Jumbo Hotfixes will be installable via CPUSE once available via GA.

Will I need to do a fresh install to upgrade to R80.30 3.10?

While you can upgrade using CPUSE, a fresh install is required to leverage the new filesystem and partition table.

Assuming the hardware is supported, are there any reasons not to upgrade from R80.20 to R80.30 in a production environment?

Generally, no, especially if you require the new features and functionality in R80.30. That said, R80.20 is currently the default release offered via CPUSE. See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

What are the performance numbers of the 16000/26000 Appliances with HTTPS Inspection enabled?

We will release these numbers soon. 

What about ClusterXL Load Sharing Support?

Not supported in R80.20 or R80.30, but we plan to add it in a later release.

What improvements are made in the API with R80.30?

Refer to the Changelog for API v1.5 for details. Note there have not been any significant changes with respect to editing VSX or cluster objects, which are changes planned for future releases.

Admin

Q&A Part 2

We currently manage R80.20 gateways with R80.10 MDS, with the required Jumbo. Will this 'forward compatibility' be available in a future jumbo?

Yes, we have a patch for this already available through the TAC. It will be incorporated into a future jumbo. Keep in mind some R80.30 specific features may not operate unless an R80.30 or above manager pushes the policy.

SNI functionality has been an issue for us, as we use HTTPS inspection extensively in R80.10. I understand this is to be included 'in base build' for R80.30? Is this the case?

Yes, it's included in the base release, no special hotfix required.

Will the CPUSE upgrade procedure from 80.20 to 80.30 for MDM Server work well? Or what is the suggested upgrade method?

It's the same methods as previously supported (e.g. CPUSE upgrade or migrate export/import).

One feature in R80.30 is that Policy-Based Routing now supports default gateway. Can this be used to have ISP redundancy with more than 2 providers?

For situations where some traffic goes out ISP-A and other traffic goes out ISP-B, yes.
You can also do this with ECMP for pure load balancing.
However, if NAT is required and different NAT is required for different ISP links, this is not supported outside of using ISP Redundancy, which is still limited to 2 ISPs.

Admin

Re: R80.30 Technical Update TechTalk

What are the plans to upgrade to a Linux kernel beyond 3.10?

The Linux 3.10 kernel we are using is based on the one that comes with RedHat Enterprise Linux 7.4, which enjoys long-term support. While we plan to update the kernel in the future, specific plans have not been finalized yet.

Is Python expanded on the new code?

The Python we include is used by parts of our product and is not designed for general use.

When will support for Cisco UCS be added?

Requests for support for specific Open Server hardware should be relayed through your local Check Point office. 

Do we need a browser add-on for Inline Web Threat Extraction?

As part of our SandBlast Agent offering, we do have a browser plugin. This is not required to use the Web Threat Extraction feature of R80.30, though.

What about Data Plane and Management Plane Separation in R80.30? 

Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

When will Updatable Objects and/or Security Zones be available for use in HTTPS Inspection?

Expected in upcoming releases.

Is Web Threat Extraction Available on All Appliances, Including Open Server?

Supported on 5000 Series appliances and up provided a minimum of 2.3G of free RAM is available. Should also work on similarly specced Open Server appliances.

Can we run a Standalone (Gateway and Management) in an appliance with SSD disks?

No, this is unsupported.

Does R80.30 Run on Maestro?

If and when this release is available for Maestro configurations, instructions will be provided on how to upgrade.

With SSL inspection, blocking redirects usually tend to be an issue. Are there any plans like replacing webpage with blocking pages, instead of redirect?

Given we are not showing the original page, an HTTP REDIRECT is the appropriate, standard behavior.
If you have a requirement for this, please consult with your local Check Point office.

What is the status of IPv6 with Kernel 3.10 with IPv6 for both VSX and MDS?

R80.x Management must occur over IPv4 currently, which impacts MDS. Refer to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Does R80.30 support Log Exporter filtering?

Support will be added in an upcoming Jumbo Hotfix.

Re: R80.30 Technical Update TechTalk

Please take a look at the pricelist, which states that the 16000 and the 26000 with SSD disks both include NPM and LOGS licenses. Since a standalone installation is not supported in this case, the pricelist should be corrected.
0 Kudos
Admin

Re: R80.30 Technical Update TechTalk

I noted in the Q&A during the session that the pricelist was incorrect here--we'll update it.
0 Kudos

Re: R80.30 Technical Update TechTalk

Any chance to get SNI support on top of R80.20?

I have a project with tight timelines, so no time to upgrade to R80.30.

Thanks!

0 Kudos

Re: R80.30 Technical Update TechTalk

@Oren_Segev can you answer?

0 Kudos

Re: R80.30 Technical Update TechTalk

Also, the bypass based on Verified Subject Name would be awesome.

I promise to upgrade to R80.30 once the project is done 🙂

0 Kudos
Admin

Re: R80.30 Technical Update TechTalk

I believe there is a customer-release that enables this.
Please check with your local Check Point office.
0 Kudos
Employee

Re: R80.30 Technical Update TechTalk

There is an SNI package on top of R80.20 JHF take 47. You need to ask your SE to contact Solution Center.

Re: R80.30 Technical Update TechTalk

Thanks Oren,

Does it cover the bypass based on Verified Subject Name?

0 Kudos
Employee

Re: R80.30 Technical Update TechTalk

Yes
0 Kudos