Any chance to get SNI support on top of R80.20?

I have a project with tight timelines, so no time to upgrade to R80.30.

Thanks!

@Oren_Segev can you answer?

Also,  the bypass based on Verified Subject Name would be awesome.

I promise to upgrade to R80.30 once the project is done 🙂

There is an SNI package on top of R80.20 JHF take 47. You need to ask your SE to contact Solution Center 

Thanks Oren,

Does it cover the bypass based on Verified Subject Name?

Hi Paul,

That would be correct. 

Hi,

we did a hardware upgrade this week of an appliance with R80.30 to R80.30 with Gaia 3.10.

On the way we hit a bug with the NIC driver for the x710 (HP brand in HP DL360 Gen10 ) in conjunction Cisco Nexus 5x.
The driver works i.e. with Cisco Nexus 9x series and other Cisco Switches. On the other hand a NIC driver from a current CentOS also works with the Nexus 5x. We'll file a bug report later on this. Bug itself, we do not get a stable link (flapping) Just a heads up. 

A real issue though with new 3.10 new Gaia is something else. While the release notes state there is no option for a connectivity upgrade, which is ...somewhat ok, a more hidden gem escaped our sight.

• MAC magic configuration is no longer needed

Not longer needed or supported? 80.30 brought the automatic calculation back but you could still set the MAC magic manually to go into a ready state. Now you may run into an active/active situation, as it's no longer possible to set the MAC magic.

I wonder if there is any documentation for this, how cluster detection works now with R80.30 3.10. If the effects we experienced are now the new default when you get multiple clusters on the same network. Like any kind of technical information.

@Christoph 

The second position in the SK you are quoting is the answer: 

• MAC magic configuration is no longer needed
• CCP encryption is enables by default

It is documented with R80.30 ClusterXL guide, I believe

@_Val_ 

MY problem is, with R80.30 3.10  new gaia, everything about MAC magic and therefore cluster detection is gone.

R80.30 ClusterXL guide looks outdated in regards to 3.10 new gaia. Right now I'm wondering if this is a limitation or a feature (as in "is no longer needed").

EDIT: Ok, I see. So if I had disabled encryption on the new GW or enabled it on the old one, both machines, with the same policy would've been able to see each other, had some kind of trust relationship and I would have seen one machine active and one ready?

@Christoph yes 🙂

R80.40 is 3.10 kernel only and is in GA. So by definition, it supports all appliances. You are welcome to try R80.40

Hi Dorit!

80.40 is not an option.  We *JUST* got the management machines up to 80.30 2 weeks ago and that was a 23-hour-long-nightmare of an upgrade.

Does that mean we'll have to wait for 80.40 to get the 3.10 kernel on our security gateways?  Why was it available for the management platform and not the gateways at the same time? 

I feel like the security gateways should have been more of the priority since they're the worker bees in this giant machine and find it very frustrating that 80.30 T300 is out, but does not support the 15600's with regards to the 3.10 kernel.

Not sure what you expect from 3.10 ... With large number of cores there were major changes with user space fw so the high end high cores appliances (e.g., 23900)  were certified for R80.30 3.10.
The support is partial as we dont support cross os in place upgrades in the R80.30 version. 

So why management server?

1. has major benefits due to lots of disk i/o improvements w the new file system

2. the management server has no kernel component so it is supported on 3.10 already from R80.30 (it was very easy and required no major code changes). 

bottom line: management is supported for many releases due to major benefits and being straightforward. In general, introducing such changes in existing versions jumbo adds risk so we prefer to add them in new versions. In special cases like large number of cores, when there are critical improvements, we do add the needed support. 

two more comments...

1. with R80.20, R80.30 and R80.40 has new managements upgrade code so upgrade from mgmt R80.30 to R80.40 should be simpler and faster than upgrades from R80.10 or R77.30 

2. some time after GA, we will add forward compatibility for R80.30 mgmt to manage R80.40 GW like done with R80.20 to manage R80.30 GW (jumbo of R80.30 that will be certified to manage .40GW). Once this is done, you can enjoy Gw R80.40 w 3.10 without management upgrade 

Thanks for the explanation, Dorit.

We were severely bitten by the optical network adapter bug on 3150's on our upgrade to 80.30, and I'm still salty from losing 2 full weekends of my life that I'll never get back.

My understanding was the 3.10 kernel would provide a lot of performance increases, which we desperately need on some of our infrastructure.

Hopefully, what I've been told about 80.30 not restarting SecureXL will be enough to keep Skype traffic from utterly barfing when we push policy during the day.

At the risk of not knowing your configuration:

1. SXL keeps enabled during install policy is there from r80.20 and is regardless of linux kernel

2. Most other performance improvements (better CPS for example) came w R80.20. specifically 3.10 kernel does not  generally change performance of traffic (it does impact other things like disk i/o which is important for management when you use new file system) 

So i am not clear that you will benefit from 3.10 for the GW (all you need seems to me like exists in both flavors) ...

BUT please check me as i dont know your exact needs. 

Finally, I must apologize for bad experience you had on mgmt upgrade.
As you know, mgmt does support 3.10 in R80.30. i hope to improve from this going forward and hope to improve error handling in the future.

Hopefully when mgmt forward compatibility jumbo comes out, you will be able to manage R80.40 GW without touching your management