the_rock
Legend

R81.20 feedback

Hey guys,

Figured I would share my feedback so far on a brand new distributed install of R81.20 in an ESXi lab. I really do like the Zero Phishing feature, though for that to work, HTTPS inspection has to be on, so I may try that out some time this week.

In all honesty, I don't see any drastic changes from R81.10 as far as policy layout, log filtering, IPS...

Also, not sure if this is just my lab, but I made a few rule changes and for some reason, accelerated policy push never takes effect, though it's not disabled.

Just my 100% honest feedback, looks good so far, but the real test would be to see it in a busy production environment.

Anyway, that's all I can think of for now. Will add more things as I do more testing : - )

 

94 Replies
Hen_Hertz
Employee

@Martin_Hofbauer we invested a lot of time and effort in testing of course - QA, EAs and Check Point internal GWs.

the_rock
Legend

Well, good point, but this is all lab, so no harm, haha.

the_rock
Legend

Latest update as of November 27, 2022:

For now, NAT hit count seems to work and IPS update shows green (as it should be), so that's good news. I will report back if there are any issues.

YosiHavilo
Employee

Hi,

Since you wrote that NAT hit count is working, let me know if you need anything else.

Best regards.

the_rock
Legend

Well, for now it's working, but it was never consistent with R81.10 either, so time will tell.

the_rock
Legend

Just a quick update, I re-enabled QoS and desktop policy again (with the exact SAME settings) and this time it works fine. Let me monitor for a few days and see if it stays stable.

Eugene_Brown
Participant

The end of support date needs to be pushed back later than October 2024. That's less than 2 years away. For an enterprise environment that's not long enough to make it worth the effort of upgrading.

PhoneBoy
Admin

I would not be surprised if it ultimately is pushed back, given recent history.

the_rock
Legend

I'm fairly positive it will be extended.

the_rock
Legend

Definitely something a bunch of people said, so I'm certain CP will take that into consideration.

PhoneBoy
Admin

As I expected, the End of Support date for R81.20 has been adjusted.
It is now officially November 2026 per the Support Life Cycle Policy page:
https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support 

Eugene_Brown
Participant

That was quick! 😀 The decision helps our 2023 planning a lot, cheers 👍

the_rock
Legend

Latest update...though NAT hit count does work, I would say it works 80% of the time and then randomly fails the other 20%. I even built another brand new lab and it's the exact same behavior. By the way, I tried standalone config 2 more times and had the EXACT same issue...policy would not load, internal CA was corrupt, so logically, it can only lead me to say that the image used for it is wrong, not sure what else it could be...though on the support site, it shows it's the same image for mgmt, distributed and standalone config.

Other than that, I'm very impressed with R81.20. Zero Phishing is great, HTTPS inspection as well, changes made prior to installing policy are now more clearly visible and user friendly (so to say : - )). Sadly, since I don't have an actual physical CP appliance to test this, I can't comment on autonomous threat prevention, but on the surface, it looks promising.

That's all for now, if anything else comes up, will update : - )

genisis__
Leader

Great feedback the_rock.

The things you have found in a very short period highlight, in my opinion, that QA needs to be improved prior to release. I would suggest that R81.20 does not get a 'recommended' installation status until at least Jumbo 100 (maybe excessive).

I say this because ultimately anyone upgrading to R81.20 does so to support the business and the last thing CP and its clients need is negative experiences when doing so.  

the_rock
Legend

Of course, happy to share anything I find. Again, just being brutally honest (as I always am anyway), I did not notice any revolutionary changes from R81.10, but they may come in the future with JHFs. Having said that, I like the code in general and it seems stable so far.

the_rock
Legend

To add to my last comment, I never really care how much work I put into something, as long as it HELPS other people, I'm happy about it...just my mentality.

If you need me to try or test anything else in the lab, let me know. Kind of sucks I did not have enough space/resources to build a cluster on that ESXi server, but for now, it's management and a single gateway.

JozkoMrkvicka
Authority

Cannot Check Point upgrade their CheckMates Labs to include the latest GA version once it is released?

Even better would be to deploy your own environment directly within Check Point Cloud, where you can play with the specific features and report to TAC/R&D directly. In such a case, you will simply provide some unique deployment ID and CP employees can check the LAB directly without asking for any debugs (since they can access it and do whatever they need).

In the past I found a couple of bugs, but since I was doing the testing on my personal workstation using VMware, I was not able to open the case and have a bug fixed...

Kind regards,
Jozko Mrkvicka

the_rock
Legend

That question, I will let CP employees answer haha

_Val_
Admin

CP4B lab is already on R81.20, as far as I know. @Shay_Levin can you please confirm?

Shay_Levin
Admin

CP4B has R81.20 ISO images that can be manually deployed and also ready-to-use R81.20 snapshots that are correlated to the lab stages.

Chris_Atkinson
Employee

I believe at least some of the lab environments were already upgraded per:

Check Point for Beginners Network Security Lab now... - Check Point CheckMates

CCSM R77/R80/ELITE

Pedro_Madeira
Contributor

I'm still finding memory leak issues in R81.10 JHFA T79. So I will only migrate customers when we get to R81.20 JFA T80+

the_rock
Legend

Yes, 100% agree. I would totally wait until at least a few jumbo hotfixes come out and it's proven as stable. I don't want people to simply rely on all I say here, because let's be honest, it's a lab with a single user behind it, so OF COURSE it will work : - ))

I more put up this post to talk about blades/features to begin with.

genisis__
Leader

We deployed R81.10 with Jumbo T78 and private bundle, since then we have been stable.  I won't look at going further until the new year, but I will most certainly request TAC to create me a new bundle for the GA release at the time.

I know some more bug fixes were included in T79, but not all.

the_rock
Legend

Good point @genisis__. You know what they say, why fix it if it ain't broke : - ). By the way, I saw some people had a Radius auth issue in jumbo 79, but I see 81 also came out, but it's not GA as of yet. Let's see when the first JHF comes out for R81.20.

Jim_Holmes
Employee Alumnus

I find picking a given JHA count/take not very helpful; I mostly recommend based on do you need a feature or after the version becomes the recommended version, and people seem happy with it. There are some customers I start early because they take forever to certify a release, and I really hate the fire drill when I tell them, "No you can't keep using version 3.0.B Build 315" (Don't laugh, they finally upgraded about 5 years ago). Ask your SE, and if you are diamond, ask your diamond engineer, that's what we are here for.

Aka, Chillyjim

the_rock
Legend

@Jim_Holmes It's a bit more complicated than that. See, TAC always tells people to install the latest JHF (no matter the issue or if it has zero to do with the problem) because they claim that's what R&D always asks for.

Well, think about it...if they put themselves in customers' shoes, they would not be happy about that advice. So, yes, it's fine to advise people to upgrade, but I find it's more of a cop-out NOT to truly help, than it is for the customer's benefit. Anyway, just my opinion based on many experiences in the past dealing with that.

Ostensibly, that's advice most vendors may give, but in my mind, there is a HUGE difference giving such advice at the beginning, middle or end of the problem : - )

genisis__
Leader

My biggest wish for the New Year is for Check Point to aim to reduce the number of bugs by 70%. They are a premium security vendor, but it does not mean anything to a business that is seeing stability issues due to bugs, after upgrades or Jumbo releases.

Not only will the customers be happier, but also this would reduce the load on TAC who are already overloaded.
