R81.20 feedback
Hey guys,
Figured I would share my feedback so far on a brand new distributed install of R81.20 in an ESXi lab. I really do like the Zero Phishing feature, though for that to work, HTTPS inspection has to be on, so I may try that out some time this week.
In all honesty, I don't see any drastic changes from R81.10 as far as policy layout, log filtering, IPS...
Also, not sure if this is just my lab, but I made a few rule changes and for some reason, accelerated policy push never takes effect, though it's not disabled.
Just my 100% honest feedback, looks good so far, but the real test would be to see it in a busy production environment.
Anyway, that's all I can think of for now. Will add more things as I do more testing :-)
Accepted Solutions
As I expected, the End of Support date for R81.20 has been adjusted.
It is now officially November 2026 per the Support Life Cycle Policy page:
https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support
Accelerated policy push works, just took some time to "kick in". Will try autonomous threat prevention this week and see how it performs.
This also seems to be cosmetic, as SIC works fine and IPS is up to date:
Did you notice the WHAT'S NEW page still says Coming soon 2022 R81.20 ? 🙂
Yes sir :). I'm just posting things as I see them in my lab...this is more for anyone thinking of upgrading and if any questions. I'm happy to test anything in the lab, because quite frankly, no one will cry if that lab breaks, haha. We will just build a brand new one, takes 2-3 hours.
Cool. I have an opportunity to test it with R80.40 VSX over the next few days (also in a lab), and will try a VSX upgrade.
Nice to see the Changes view in the title bar. PNG attached.
Won't spam you here (thanks 🙂 ), but a good thread to share anything specifically interesting in R81.20.
No spamming brother, all good, haha...I'm happy to hear any feedback, that's what the whole community is about. Anyway, I also attached an example of that, yes, indeed, VERY NICE.
Andy
Mmmm...
I got a Granularity Validation error. Searched 'granularity' in the RN and SMS Admin Guide but didn't see anything specific.
It went away when I removed logging from the cleanup rule (in Standard).
I had added a bunch of rules (via API command) and then manually deleted them and then it would not let me publish until I turned Track to None.
A few other changes and then I set it back to Log and it Publishes fine...
Are you saying this was the error when ONLY implicit clean up rule was there?
It is about the default Cleanup rule (explicit)...
...and what I think it comes down to is this API command is maybe somehow working differently (to manual setting) in R81.20, and that is with regards to the settings of the Log (Track > Log) option. Meaning that if you set the Cleanup rule with the command below and then try to publish, it may fail.
And yet, I cannot see a difference (see attached) when doing Track > Log manually or API-lly
(shrugs)
set access-rule layer "Network" name "Cleanup rule" track "Log" install-on Corp-GW
NOTE:
This site is annoying when it won't let me paste screenshots in (CTRL + V) and spits out errors about other things too.
"Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."
I can't reproduce it now (in Standard). May have to try in a brand new policy (or on a clean build (some other time)).
I will try it in a bit in my lab. Will change the current policy for the clean up rule to be like yours and see what happens and then test with a new policy with the clean up rule only. Btw, I said implicit, as I meant implicit as last rule all the way at the bottom, vs explicit clean up rule, meaning clean up at the bottom of every inline layer (if one existed), that's all :-)
Anywho, will update shortly.
Andy
Just tested it, no issues on my end. Not sure if it's something to do with VSX vs regular gateway...it's possible. I mean, I don't see why it would, but not 100% certain.
ACK
I did the API config on the clean build (using a dummy SG object (no SIC) to let the API script put it in the rules (Stealth and Install on)).
VSX Cluster addition came later.
Will try to reproduce when the opportunity presents again soon 🙂
Just an update on this 'Validation error' with the Granularity message.
I just saw it on an R81.10 clean build (R81.10 Build 220 (T335 ISO) and SmartConsole R81.10 B402). Meaning that it is not specific to R81.20, but it is still strange.
I used the API commands again and it may come down to the one specific line which changes the default Cleanup rule Track to Log:
set access-rule layer "Network" name "Cleanup rule" track "Log" install-on A-GW
I got rid of the Validation error simply by removing the Log option and then putting it back in manually.
That's it.
Yes.
Short answer 😉
One other piece of feedback I have for anyone in R&D who sees my post is this...I wish CP would FINALLY fix the issue with hit count on NAT rules. We were told even back in R81 that this would work (it did NOT) and then R81.10 (again, it did not, or it was very inconsistent, to put it bluntly) and I even had a TAC case opened for this, as the customer was curious and the guy said he was going to investigate and literally came back the next day saying R&D informed him that this was "work in progress". I mean, not sure why this is so hard to fix, because it would be nice if customers could see the hit count on their NAT rulebase. Same exact issue in R81.20, it simply does not work...very disappointing, sorry guys.
We had some problems in the NAT rulebase, but they are solved in the R81 jumbo take 36 (and in later versions).
I will contact you privately in order to understand the problem.
Best regards.
For anyone thinking of installing R81.20 as standalone...my advice, DO NOT do it :-). I tried it 3 times...1st time, everything was so messed up, literally nothing worked. 2nd time, I got it installed, but the internal CA was missing (???!!!), how, don't ask, I have no clue in the world. 3rd time, it worked, BUT, after about 30 mins, I could not open the default policy package, tried cloning, creating a new one, nothing...so I totally gave up on it. Distributed seems to work well so far...some minor glitches here and there, but pretty solid I would say.
Hi @the_rock, thanks for your feedback.
Can you please share more details on your standalone machine (appliance type, memory, disk space, any other configuration you can share)?
I would like to check this issue internally.
Best Regards,
Hen.
Hey @Hen_Hertz
Yes, it was a VM, 500GB space, 16 GB RAM, 8 CPUs. I would hope that's more than enough :-)
What's the disk / storage configuration / controller type for that 500GB out of interest?
Hey @Chris_Atkinson ...sorry brother, went for a 10 km (6 miles) run, but I'm a very SLOW runner, so that's almost 80 minutes (haha). Weather is too nice here in Ottawa, Canada...end of November, pretty shocking, but yesterday was 10 C (50 F), so better use it while it lasts.
Anywho, to answer your question, I put below what I allocated all 3 times, though I'm 100% positive that was NOT the issue, as I did R81.10 standalone before with way less space and never a problem.
1st time - / dir 60 GB, /var/log/ 150 GB
2nd time - / dir 70 GB, /var/log 200 GB
3rd time - / dir 75 GB, /var/log 200 GB
Andy
Agree it's unlikely to be space related, I need to visit to check out the craft beer scene in Canada - heard it's amazing.
Is the volume split across multiple disks or single and what is the storage controller choice used for the VM?
I don't drink beer, so could not comment on it, but yes, there are all sorts of beers everywhere, so there is one for everyone lol
Anyway, I tried multiple disks, single with lots of space, tried different controllers available, no luck. Here is another messed up thing I discovered...so the error "policy could not be loaded" came up even in the distributed environment when I enabled the QoS and policy server blades and pushed the policy and then reopened the smart console, that error popped up. Disabled QoS, tried again, same issue, disabled policy server, so once both blades were off, all worked again. I really find it a bit surprising I'm discovering all these problems as I go along...it's something I never encountered in even brand new R81.10 when it came out.
Hi @the_rock, can we please take it offline?
Could you please approach me about this issue via email henhe@checkpoint.com
Thank you!
If it’s any consolation, I wasn’t doing much faster than 80 minutes for a 10k…as of earlier this year.
Still working on getting back into shape and running regularly.
At least the weather is better where I live now 😉
Well, if you do simple math, let's see...so the FASTEST runner in the world (can't remember his name now) ran a full marathon in exactly 2 hours and some mere seconds. So, that's 120 minutes divided by 42.2 km, that's 2.84 mins/kilometre. Buddy, I don't think I can bike 1 km in that time, pretty insane. I mean, I did 1 marathon in my life and it took 6 hours and 23 mins, never doing that again LOL. But my brother loves it, he did probably close to 20 marathons now...anyway, to each their own :-). Staying healthy is the most important thing, no matter how it's done!!
I wonder why you didn't invest your testing time (but now you do) in an EA install and give your feedback there so some/all of these issues could have been addressed there - before this version came out...