R81.20 not "recommended" yet
As the title says, just wondering when... Released 5 months ago, seems a bit longer to move to recommended than past releases. Maybe I'm just too geeked up to get going with it.
Any ETA on the recommended blessing?
TIA
Personally, and this is just my HONEST opinion, I would 100% install it on management server. On the gateway, nope...I would wait at least another few months. From all the tests I had done in the lab, management seems to perform well, but firewall is another story. Not saying it's bad, but as far as I'm concerned, not worth the upgrade yet.
Andy
Totally agree!
I would wait, realistically for at least another two JHFA's to be released, which I suspect takes you up to the end of this year (estimated).
Additionally I would wait even longer to deploy on VSX unless you have a UIT/SIT setup where you can thoroughly test your specific services through.
Here are my 2 biggest issues with R81.20 on the gateway from all the testing done in my lab. Again, just speaking for myself, maybe others have different experience.
1) Https inspection is very inconsistent, to put it nicely : - ). What I mean by that statement is the following...say you block gambling category, k great, you go to olg.ca, gets blocked, fantastic. Then, 5 mins later, you refresh the page, same browser (mozilla), page is all "scrambled" and NOT blocked. You do same in Edge or chrome, works fine no matter how many times you refresh. Come back say 1 hour later, it's the other way around, and even if I reset the browser, may work for 5-10 mins and again same problem. This NEVER used to happen back in R81.10 lab I had inspection on. By the way, it's totally unrelated to my windows PC I tested with, as windows fw is disabled and I even tested brand new windows machine, exact same problem.
2) Autonomous threat prevention is not working right at all. I had email chain last year with few people in R&D who told me that reason for why this was the issue back in R81.10 was amount of ram (I was very suspicious of that logic even back then), so to prove my point, I "slapped" on 32 GB of ram on R81.20 gw as they suggested, exact same problem...causes gw to "get stuck" when autonomous threat prevention is on, policy push is super inconsistent, but as soon as I disable this feature and go to having say only ips blade on, no issues even with 16 GB of ram installed.
But, in all fairness, other than these 2 issues, everything else seems fine, so who knows, maybe things get better with next jumbo, I have no idea...will have to wait and see 😇
Hey,
I would be happy to check your issues regarding HTTPSi and blocking experience. Let's take it offline.
Well, funny enough, I spun up another VM on R81.20 with EXACT same things enabled like initial one (same mgmt server) and now https inspection works fine. How, don't ask me, as it makes no logical sense whatsoever, but I will take it, seems very consistent now : - )
Hi,
First, Thanks for your feedback.
In continuing our offline communication, I would like to better understand the Autonomous Threat Prevention issue.
I will be glad to have a conversation about what you have seen. If you have a reproduction it would be great as well.
Thanks,
Yair Danieli
Hey @yaird
I can't sadly replicate this at the moment, because the physical appliance I tested this on before is not available any longer.
I've had no issues with R81.20 for management installations (Management, HA management, Smart Event and Log). Have been facing some issues where Log View in Smart Console is complaining about logs either being moved or corrupted. But I managed to fix this by running evstop, removing all indexing data, evstart to re-build all indexes and thus far the issue has not re-appeared. This has happened to me on two different R81.20 environments. But that is pretty much it. They are all running R81.20 + JHF Take 8.
On gateways on the other hand I've been facing far more issues. I wouldn't really recommend R81.20 for gateways unless you really want some of the new features. But customers love Network Feeds, and for good reason. It makes life so much easier when you can just toss well-known blacklists, vendor recommended whitelists and whatnot directly into your access policy. It also allows for network admins not familiar with Check Point to administer a server with lists for both whitelisting and blacklisting, just modify whatever txt or json you have on the server and the policy on the firewall will adopt it. IOC Feeds have allowed similar capabilities, but the procedure and compatibility is vastly superior with R81.20 and Network Feeds.
The one thing that strikes me as really odd with R81.20 is the lack of JHF's available. GA since November, and all we have thus far is a "latest", aka on-going JHF and that's it. I normally work with customers that are "early adopters", not EA customers, they don't work with yet-to-release BETA versions, but they are quite agile and often move to new versions before they become "widely recommended". R81.20 has to be the release with the slowest rollout of JHF's out of all R8X.XX releases? 5 months and just a single JHF which is not even recommended?
One could argue this might be because R81.20 is having very few issues. But then it comes off as quite odd for it not getting "recommended" status by now. And considering the amount of JHF's we've gotten for R80.40, R81 and R81.10 in the past 5 months, and how much of the code and daemons that are shared between versions I have a hard time believing that R81.20 isn't going to get a lot of the same changes. Once the next R81.20 JHF drops I'd bet the change-log is going to show a lot of similar changes as the past few JHFs for R81.10.
I totally get all your points...it's hard these days to convince most customers to upgrade, unless there is super valid reason for it or version they are on is not officially supported any longer.
Expect we'll need to see a few Jumbo takes at least before this status is achieved amongst other metrics. 🙂
https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm
Very good point indeed Chris. I was hoping there was going to be more than 1 jumbo so far, but let's see...maybe soon : - )
If you read through the R81.20 release notes you'll see that there were a gargantuan number of new features, in my opinion on par with the R70 release; seems logical it may take a bit longer than normal to get all these new features running optimally. That said, I have been using R81.20 GA in VMWare for my Gateway Performance Optimization class which constantly beats the crap out of the gateway VMs and their assigned cores with heavy load tests...and R81.20 has been rock solid. Not one crash or any strange behavior, even with many students doing their best to break things with monstrous traffic and new connection rate loads.
I installed R81.20 hotfix take 8 as well. On my end on a 16200 cluster which is running several VS doing nothing else than accepting identity agent sessions and publishing them using identity broker.
I already made good and bad experiences.
Good: multithreading of pdpd process works 🙂
Bad: already had a pepd core dump 😄
We have a procedure to define the recommended release. It is largely based on two statistical data sources: the number of installations on the field and stability indicators.
Only once there is a certain install number showing in the feeds we can be sure that the release can become recommended.
With all the R&D efforts to fix any issue with it, field adoption is one of the key ingredients, and it cannot be rushed. In other words, it is partially up to you, guys.
I certainly understand the need for a stable release - but the support dates are really hurting our ability to stay compliant without a massive effort from our engineers, consultants and customers in general.
r81.10 goes eol October 2024 - Being in a financial service business staying within supported software is critical.
With summer holidays, December and every month ultimo locked down for change freeze, the number of change windows is quickly shrinking. And with 25 large vsx clusters and some 400 virtual systems the complexity is not low.
That r81.10 is still the recommended release hurts our ability to meet the compliance target, and we already know from history that we will see the same issue since r81.20 is eol in 2026 with next recommended release probably just available a year before.
I really wish Check Point had a better release management cycle, with the recommended release coming day 1 and/or a longer eol date between releases.
/Henrik
I think you summed all of that up PERFECTLY @Henrik_Noerr1
In general, the best way to deal with this is to do more, smaller upgrades. I currently also work at a financial company with a fair amount of VSX. We upgraded about 50 clusters in about 4 months last year, almost exclusively via CDT in SmartConsole. We've also been using it to install jumbos, though currently at a slower pace than I'd like.
Yes, frequent upgrades and updates are a paperwork headache. I'm pitching it as avoiding issues, since almost every bug we've hit had been patched for months by the time we hit it.
First, I'd like to announce that due to the feedback in this forum we have decided to extend the support of R81.10 to July 2025 which represents full 4 years since its initial release. A formal announcement and update to the product life cycle page will probably take a few more days.
Second, we are in the final stages of QA testing JHF #2 for R81.20 and expect to release it during May. As many of you are already familiar, we will promote this release to be "recommended" typically several weeks after its release and it is now expected to become "recommended" in June.
With an aim to create more predictability with support periods, I can further share that every future major or minor release will have full 4 years support from its release date.
Aviv
Product Management
I give that answer 5 stars review @Aviv_Abramovich 🙌🙌
@Yaron_Weiler just made the following post confirming the above.
https://community.checkpoint.com/t5/General-Topics/R81-10-End-of-Support-extension/m-p/179491#M29926
The lifecycle web page now reflects the change:
https://www.checkpoint.com/support-services/support-life-cycle-policy
Thanks for confirming Chris. Have a nice Sunday, since I know Saturday is almost over where you are : - )
Andy
Thanks a lot, @Aviv_Abramovich
Really positive news from a Jumbo and application life cycle perspective.
One thing, can the 4-year cycle start from the time the version has hit recommended status, rather than when it was first released?
This would be the time most people would start to migrate across to the newer version.
I have to say, after jumbo take 10 install on R81.20, EVERYTHING seems more stable and faster...don't ask me how, but that's what I see in my lab...so, no complaints : - )
In LAB, all is looking perfectly fine most of the time 😉 You simply cannot replicate everything in LAB compared to real production.
Wondering if Check Point will put the same priority and urgency on all supported versions even newer version will be declared as recommended...
"upgrade to the recommended version" and then all will be fixed, they said.
Jozko Mrkvicka
You are definitely correct @JozkoMrkvicka. I will say that it, at least, gives confidence to customer when you tell them lab works fine. I had the situation happen few times that even all worked in the lab, production was a different story...it happens.
Hi Aviv,
How is R81.20 tracking to become the recommended release?
Thanks
Hello @Greg_Harbers and all
We plan to release additional jumbo with important fixes during July.
Once the new Jumbo will be declared as recommended for customers already using version R81.20, we will start the process of moving R81.20 to be our recommended version.
The new target ETA is August timeframe.
Thanks
Matan.
Awesome news @MatanYanay . I keep recommending R81.20 for mgmt to everyone, but always say to wait for gateway, until CP officially recommends it.
Cheers,
Andy