Hey guys,
Figured I would share my feedback so far on a brand new distributed install of R81.20 in an ESXi lab. I really do like the Zero Phishing feature, though for that to work, HTTPS inspection has to be on, so I may try that out some time this week.
In all honesty, I don't see any drastic changes from R81.10 as far as policy layout, log filtering, IPS...
Also, not sure if this is just my lab, but I made a few rule changes and for some reason, accelerated policy push never takes effect, though it's not disabled.
Just my 100% honest feedback, looks good so far, but the real test would be to see it in a busy production environment.
Anyway, that's all I can think of for now. Will add more things as I do more testing : - )
As I expected, the End of Support date for R81.20 has been adjusted.
It is now officially November 2026 per the Support Life Cycle Policy page:
https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support
Accelerated policy push works, just took some time to "kick in". Will try autonomous threat prevention this week and see how it performs.
This also seems to be cosmetic, as SIC works fine and IPS is up to date:
Did you notice the WHAT'S NEW page still says Coming soon 2022 R81.20 ? 🙂
Yes sir :). I'm just posting things as I see them in my lab...this is more for anyone thinking of upgrading and if any questions. I'm happy to test anything in the lab, because quite frankly, no one will cry if that lab breaks, haha. We will just build a brand new one, takes 2-3 hours.
Cool. I have an opportunity to test it with R80.40 VSX over the next few days (also in a lab), and will try a VSX upgrade.
No spamming brother, all good, haha...I'm happy to hear any feedback, that's what the whole community is about. Anyway, I also attached an example of that, yes, indeed, VERY NICE.
Andy
Mmmm...
I got a Granularity Validation error. Searched 'granularity' in the RN and SMS Admin Guide but didn't see anything specific.
It went away when I removed logging from the cleanup rule (in Standard).
I had added a bunch of rules (via API command) and then manually deleted them and then it would not let me publish until I turned Track to None.
A few other changes and then I set it back to Log and it Publishes fine...
Are you saying this was the error when ONLY implicit clean up rule was there?
It is about the default Cleanup rule (explicit)...
...and what I think it comes down to is this API command is maybe somehow working differently (to manual setting) in R81.20, and that is with regards to the settings of the Log (Track > Log) option. Meaning that if you set the Cleanup rule with the command below and then try to publish, it may fail.
And yet, I cannot see a difference (see attached) when doing Track > Log manually or API-lly.
(shrugs)
set access-rule layer "Network" name "Cleanup rule" track "Log" install-on Corp-GW
NOTE:
This site is annoying when it won't let me paste screenshots in (CTRL + V) and spits out errors about other things too.
"Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."
I can't reproduce it now (in Standard). May have to try in a brand new policy (or on a clean build (some other time)).
I will try it in a bit in my lab. Will change the current policy for the cleanup rule to be like yours and see what happens and then test with a new policy with the cleanup rule only. Btw, I said implicit, as I meant implicit as the last rule all the way at the bottom, vs explicit cleanup rule, meaning cleanup at the bottom of every inline layer (if one existed), that's all : - )
Anywho, will update shortly.
Andy
Just tested it, no issues on my end. Not sure if it's something to do with VSX vs regular gateway...it's possible. I mean, I don't see why it would, but not 100% certain.
ACK
I did the API config on the clean build (using a dummy SG object (no SIC) to let the API script put it in the rules (Stealth and Install on)).
VSX Cluster addition came later.
Will try to reproduce when the opportunity presents again soon 🙂
Just an update on this 'Validation error' with the Granularity message.
I just saw it on an R81.10 clean build (R81.10 Build 220 (T335 ISO) and SmartConsole R81.10 B402). Meaning that it is not specific to R81.20, but it is still strange.
I used the API commands again and it may come down to the one specific line which changes the default Cleanup rule Track to Log:
set access-rule layer "Network" name "Cleanup rule" track "Log" install-on A-GW
I got rid of the Validation error simply by removing the Log option and then putting it back in manually.
That's it.
Yes.
Short answer 😉
One other piece of feedback I have for anyone in R&D who sees my post is this...I wish CP would FINALLY fix the issue with hit count on NAT rules. We were told even back in R81 that this would work (it did NOT) and then R81.10 (again, it did not, or it was very inconsistent, to put it bluntly) and I even had a TAC case opened for this, as the customer was curious and the guy said he was going to investigate and literally came back the next day saying R&D informed him that this was "work in progress". I mean, not sure why this is so hard to fix, because it would be nice if customers could see the hit count on their NAT rulebase. Same exact issue in R81.20, it simply does not work...very disappointing, sorry guys.
We had some problems in the NAT rulebase, but they are solved in the R81 jumbo take 36 (and in later versions).
I will contact you privately in order to understand the problem.
Best regards.
For anyone thinking of installing R81.20 as standalone...my advice, DO NOT do it : - ). I tried it 3 times...1st time, everything was so messed up, literally nothing worked. 2nd time, I got it installed, but internal CA was missing (???!!!), how, don't ask, I have no clue in the world. 3rd time, it worked, BUT, after about 30 mins, could not open the default policy package, tried cloning, creating a new one, nothing...so I totally gave up on it. Distributed seems to work well so far...some minor glitches here and there, but pretty solid I would say.
Hi @the_rock, thanks for your feedback.
Can you please share more details on your standalone machine (appliance type, memory, disk space, any other configuration you can share)?
I would like to check this issue internally.
Best Regards,
Hen.
Hey @Hen_Hertz
Yes, it was a VM, 500GB space, 16 GB RAM, 8 CPUs. I would hope that's more than enough -:)
What's the disk / storage configuration / controller type for that 500GB out of interest?
Hey @Chris_Atkinson ...sorry brother, went for a 10 km (6 mile) run, but I'm a very SLOW runner, so that's almost 80 minutes (haha). Weather is too nice here in Ottawa, Canada...end of November, pretty shocking, but yesterday was 10 C (50 F), so better use it while it lasts.
Anywho, to answer your question, I put below what I allocated all 3 times, though I'm 100% positive that was NOT the issue, as I did R81.10 standalone before with way less space and never had a problem.
1st time - / dir 60 GB, /var/log/ 150 GB
2nd time - / dir 70 GB, /var/log 200 GB
3rd time - / dir 75 GB, /var/log 200 GB
Andy
Agree it's unlikely to be space related, I need to visit to check out the craft beer scene in Canada - heard it's amazing.
Is the volume split across multiple disks or single and what is the storage controller choice used for the VM?
I don't drink beer, so could not comment on it, but yes, there are all sorts of beers everywhere, so there is one for everyone lol
Anyway, I tried multiple disks, single with lots of space, tried different controllers available, no luck. Here is another messed up thing I discovered...so the error "policy could not be loaded" came up even in a distributed environment when I enabled the QoS and Policy Server blades and pushed the policy and then reopened SmartConsole, that error popped up. Disabled QoS, tried again, same issue, disabled Policy Server, so once both blades were off, all worked again. I really find it a bit surprising I'm discovering all these problems as I go along...it's something I never encountered in even brand new R81.10 when it came out.
Hi @the_rock, can we please take it offline?
Could you please approach me about this issue via email: henhe@checkpoint.com
Thank you!
If it’s any consolation, I wasn’t doing much faster than 80 minutes for a 10k…as of earlier this year.
Still working on getting back into shape and running regularly.
At least the weather is better where I live now 😉
Well, if you do simple math, let's see...so the FASTEST runner in the world (can't remember his name now), ran a full marathon in exactly 2 hours and some mere seconds. So, that's 120 minutes divided by 42.2 km, that's 2.84 mins/kilometre. Buddy, I don't think I can bike 1 km in that time, pretty insane. I mean, I did 1 marathon in my life and took 6 hours and 23 mins, never doing that again LOL. But, my brother loves it, he did probably close to 20 marathons now...anyway, to each their own : - ). Staying healthy is the most important thing, no matter how it's done!!
I wonder why you didn't invest your testing time (but now you do) in an EA install and give your feedback there so some/all of these issues could have been addressed there - before this version came out...