Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

R80.30 Technical Update TechTalk

Our 12 June 2019 TechTalk on R80.30 covered the following topics:

  • New Check Point Appliances (16000 and 26000 Series)
  • R80.30 OS Kernel 3.10
  • User Mode Firewall
  • New in SSL Inspection
  • Web Threat Extraction

Presentation Materials are available for CheckMates members:

Q&A from the session that we did not get answers for will added in the comments in the coming days.

28 Replies
PhoneBoy
Admin
Admin

Is R80.30 3.10 for Gateways in GA yet?

The new appliances announced (16000/26000) ship with this release. We expect it to be available shortly for other appliances.

Why must I do a fresh install for R80.30 3.10 takes?

This is because R80.30 with the Linux 3.10 kernel for gateways is not fully GA yet. Installation and regular Jumbo Hotfixes installable via CPUSE once available via GA.

Will I need to do a fresh install to upgrade to R80.30 3.10?

While you can upgrade using CPUSE, a fresh install is required to leverage the new filesystem and partition table.

Assuming the hardware is supported, are there any reasons not to upgrade from R80.20 to R80.30 in a production environment?

Generally, no, especially if you require the new features and functionality in R80.30. That said, R80.20 is currently the default release offered via CPUSE. See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

What are the performance numbers of the 16000/26000 Appliances with HTTPS Inspection enabled?

We will release these numbers soon. 

What about ClusterXL Load Sharing Support?

Not supported in R80.20 or R80.30, but we plan to add it in a later release.

What improvements are made in the API with R80.30?

Refer to the Changelog for API v1.5 for details. Note there are not been any significant changes with respect to editing VSX or cluster objects, which are changed planned for future releases.

PhoneBoy
Admin
Admin

We currently manage R80.20 gateways with R80.10 MDS, with the required Jumbo. Will this 'forward compatibility' be available in a future jumbo?

Yes, we have a patch for this already available through the TAC. It will be incorporated into a future jumbo. Keep in mind some R80.30 specific features may not operate unless an R80.30 or above manager pushes the policy.

SNI functionality has been an issue for us, as we use HTTPS inspection extensively in R80.10. I understand this is to be included 'in base build' for R80.30? Is this the case?

Yes, it's included in the base release, no special hotfix required.

Will the CPUSE upgrade procedure from 80.20 to 80.30 for MDM Server working well? Or what is the suggested upgrade method?

It's the same methods as previously supported (e.g. CPUSE upgrade or migrate export/import).

One feature in R80.30 is that Policy-Based Routing now supports default gateway. Can this be used to have ISP redundancy with more than 2 providers?

For situations where some traffic goes out ISP-A and other traffic goes out ISP-B, yes.
You can also do this with ECMP for pure load balancing.
However, if NAT is required and different NAT is required for different ISP links, this is not supported outside of using ISP Redundancy, which is still limited to 2 ISPs.

Paul_Gademsky
Employee
Employee

Is there more details available on this?
One feature in R80.30 is that Policy-Based Routing now supports default gateway. Can this be used to have ISP redundancy with more than 2 providers?
For situations where some traffic goes out ISP-A and other traffic goes out ISP-B, yes.
You can also do this with ECMP for pure load balancing.
However, if NAT is required and different NAT is required for different ISP links, this is not supported outside of using ISP Redundancy, which is still limited to 2 ISPs.
Thank you
0 Kudos
PhoneBoy
Admin
Admin

Not sure what details you're missing here.
Might be worth a separate thread to discuss your specific use case requirements.
0 Kudos
PhoneBoy
Admin
Admin

What are the plans to upgrade to a Linux kernel beyond 3.10?

The Linux 3.10 kernel we are using is based on the one that comes with RedHat Enterprise Linux 7.4, which enjoys long-term support. While we plan to update the kernel in the future, specific plans have not been finalized yet.

Is python expanded on the new code?

The python we include is used by parts of our product and is not designed for general use. 

When will support for Cisco UCS be added?

Requests for support for specific Open Server hardware should be relayed through your local Check Point office. 

Do we beed a browser add-on for Inline Web Threat Extraction?

As part of our SandBlast Agent offering, we do have a browser plugin. This is not required to use the Web Threat Extraction feature of R80.30, though.

What about Data Plane and Management Plane Separation in R80.30? 

Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

When will Updatable Objects and/or Security Zones be available for use in HTTPS Inspection?

Expected in upcoming releases.

Is Web Threat Extraction Available on All Appliances, Including Open Server?

Supported on 5000 Series appliances and up provided a minimum of 2.3G of free RAM is available. Should also work on similarly speced Open Server appliances.

Can we run a Standalone (Gateway and Management) in an appliance with SSD disks?

No, this is unsupported.

Does R80.30 Run on Maestro?

If and when this release is available for Maestro configurations, instructions will be provided how to upgrade.

With SSL inspection, blocking redirects usually tend to be an issue. Are there any plans like replacing webpage with blocking pages, instead of redirect?

Given we are not showing the original page, a HTTP REDIRECT is the appropriate, standard behavior.
If you have a requirement for this, please consult with your local Check Point office.

What is the status of IPv6 with Kernel 3.10 with IPv6 for both VSX and MDS?

R80.x Management must occur over IPv4 currently, which impacts MDS. Refer to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Does R80.30 support Log Exporter filtering?

Support will be added in an upcoming Jumbo Hotfix.

Marcos_Vieira
Contributor

Please. Take a look in the pricelist that states that the 16000 and the 26000 with SSD disks do both include NPM and LOGS licenses. Since a standalone installation is not supported in this case the pricelist should be corrected.
0 Kudos
PhoneBoy
Admin
Admin

I noted in the Q&A during the session that the pricelist was incorrect here--we'll update it.
0 Kudos
Alex_Shpilman
Collaborator

Any chance to get SNI support on top of R80.20?

I have a project with tight timelines, so no time to upgrade to R80.30.

Thanks!

0 Kudos
_Val_
Admin
Admin

@Oren_Segev can you answer?

0 Kudos
Alex_Shpilman
Collaborator

Also,  the bypass based on Verified Subject Name would be awesome.

I promise to upgrade to R80.30 once the project is done 🙂

0 Kudos
PhoneBoy
Admin
Admin

I believe there is a customer-release that enables this.
Please check with your local Check Point office.
0 Kudos
Oren_Segev
Employee
Employee

There is an SNI package on top of R80.20 JHF take 47. You need to ask your SE to contact Solution Center 

Alex_Shpilman
Collaborator

Thanks Oren,

Does it cover the bypass based on Verified Subject Name?

0 Kudos
Oren_Segev
Employee
Employee

Yes
0 Kudos
Paul_Gademsky
Employee
Employee

Seeing this statement 'The Linux 3.10 kernel we are using is based on the one that comes with RedHat Enterprise Linux 7.4, ....' makes me wonder if when building VMs, we should change the selection from Redhat Enterprise 5, 64 bit to 7, 64 bit. Thoughts?
0 Kudos
Jeff_Engel
Employee
Employee

Hi Paul,

That would be correct. 

PhoneBoy
Admin
Admin

That's what I do personally.
Christoph
Collaborator

Hi,

we did a hardware upgrade this week of an appliance with R80.30 to R80.30 with Gaia 3.10.

On the way we hit a bug with the NIC driver for the x710 (HP brand in HP DL360 Gen10 ) in conjunction Cisco Nexus 5x.
The driver works i.e. with Cisco Nexus 9x series and other Cisco Switches. On the other hand a NIC driver from a current CentOS also works with the Nexus 5x. We'll file a bug report later on this. Bug itself, we do not get a stable link (flapping) Just a heads up. 

A real issue though with new 3.10 new Gaia is something else. While the release notes state there is no option for a connectivity upgrade, which is ...somewhat ok, a more hidden gem escaped our sight.

  • MAC magic configuration is no longer needed

Not longer needed or supported? 80.30 brought the automatic calculation back but you could still set the MAC magic manually to go into a ready state. Now you may run into an active/active situation, as it's no longer possible to set the MAC magic.

I wonder if there is any documentation for this, how cluster detection works now with R80.30 3.10. If the effects we experienced are now the new default when you get multiple clusters on the same network. Like any kind of technical information.

 

 

 

 

0 Kudos
_Val_
Admin
Admin

@Christoph 

The second position in the SK you are quoting is the answer: 

  • MAC magic configuration is no longer needed
  • CCP encryption is enables by default

It is documented with R80.30 ClusterXL guide, I believe

0 Kudos
Christoph
Collaborator

@_Val_ 

MY problem is, with R80.30 3.10  new gaia, everything about MAC magic and therefore cluster detection is gone.

R80.30 ClusterXL guide looks outdated in regards to 3.10 new gaia. Right now I'm wondering if this is a limitation or a feature (as in "is no longer needed").

 

EDIT: Ok, I see. So if I had disabled encryption on the new GW or enabled it on the old one, both machines, with the same policy would've been able to see each other, had some kind of trust relationship and I would have seen one machine active and one ready?

0 Kudos
_Val_
Admin
Admin

@Christoph yes 🙂

0 Kudos
Tommy_Forrest
Advisor

Is there an ETA on when we'll see the 3.10 kernel for security appliances other than 16k, 23k and CloudGuard?

Specifically thinking around the 15600's.

0 Kudos
Dorit_Dor
Employee
Employee

R80.40 is 3.10 kernel only and is in GA. So by definition, it supports all appliances. You are welcome to try R80.40

0 Kudos
Tommy_Forrest
Advisor

Hi Dorit!

80.40 is not an option.  We *JUST* got the management machines up to 80.30 2 weeks ago and that was a 23-hour-long-nightmare of an upgrade.

Does that mean we'll have to wait for 80.40 to get the 3.10 kernel on our security gateways?  Why was it available for the management platform and not the gateways at the same time? 

I feel like the security gateways should have been more of the priority since they're the worker bees in this giant machine and find it very frustrating that 80.30 T300 is out, but does not support the 15600's with regards to the 3.10 kernel.

0 Kudos
Dorit_Dor
Employee
Employee

Not sure what you expect from 3.10 ... With large number of cores there were major changes with user space fw so the high end high cores appliances (e.g., 23900)  were certified for R80.30 3.10.
The support is partial as we dont support cross os in place upgrades in the R80.30 version. 

So why management server?

1. has major benefits due to lots of disk i/o improvements w the new file system

2. the management server has no kernel component so it is supported on 3.10 already from R80.30 (it was very easy and required no major code changes). 

bottom line: management is supported for many releases due to major benefits and being straightforward. In general, introducing such changes in existing versions jumbo adds risk so we prefer to add them in new versions. In special cases like large number of cores, when there are critical improvements, we do add the needed support. 

0 Kudos
Dorit_Dor
Employee
Employee

two more comments...

1. with R80.20, R80.30 and R80.40 has new managements upgrade code so upgrade from mgmt R80.30 to R80.40 should be simpler and faster than upgrades from R80.10 or R77.30 

2. some time after GA, we will add forward compatibility for R80.30 mgmt to manage R80.40 GW like done with R80.20 to manage R80.30 GW (jumbo of R80.30 that will be certified to manage .40GW). Once this is done, you can enjoy Gw R80.40 w 3.10 without management upgrade 

0 Kudos
Tommy_Forrest
Advisor

Thanks for the explanation, Dorit.

We were severely bitten by the optical network adapter bug on 3150's on our upgrade to 80.30, and I'm still salty from losing 2 full weekends of my life that I'll never get back.

My understanding was the 3.10 kernel would provide a lot of performance increases, which we desperately need on some of our infrastructure.

Hopefully, what I've been told about 80.30 not restarting SecureXL will be enough to keep Skype traffic from utterly barfing when we push policy during the day.

0 Kudos
Dorit_Dor
Employee
Employee

At the risk of not knowing your configuration:

1. SXL keeps enabled during install policy is there from r80.20 and is regardless of linux kernel

2. Most other performance improvements (better CPS for example) came w R80.20. specifically 3.10 kernel does not  generally change performance of traffic (it does impact other things like disk i/o which is important for management when you use new file system) 

So i am not clear that you will benefit from 3.10 for the GW (all you need seems to me like exists in both flavors) ...

BUT please check me as i dont know your exact needs. 

Finally, I must apologize for bad experience you had on mgmt upgrade.
As you know, mgmt does support 3.10 in R80.30. i hope to improve from this going forward and hope to improve error handling in the future.

Hopefully when mgmt forward compatibility jumbo comes out, you will be able to manage R80.40 GW without touching your management 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events