D_TK
Advisor

R81.20 not "recommended" yet

As the title says, just wondering when... Released 5 months ago, seems a bit longer to move to recommended than past releases. Maybe I'm just too geeked up to get going with it.

Any ETA on the recommended blessing?

 

 TIA

 

0 Kudos
38 Replies
the_rock
Legend

Personally, and this is just my HONEST opinion, I would 100% install it on management server. On the gateway, nope...I would wait at least another few months. From all the tests I had done in the lab, management seems to perform well, but firewall is another story. Not saying it's bad, but as far as I'm concerned, not worth the upgrade yet.

Andy

genisis__
Leader

Totally agree!

I would wait, realistically for at least another two JHFA's to be released, which I suspect takes you up to the end of this year (estimated).

Additionally I would wait even longer to deploy on VSX unless you have a UIT/SIT setup where you can thoroughly test your specific services through.

the_rock
Legend

Here are my 2 biggest issues with R81.20 on the gateway from all the testing done in my lab. Again, just speaking for myself, maybe others have different experience.

1) HTTPS inspection is very inconsistent, to put it nicely : - ). What I mean by that statement is the following...say you block gambling category, k great, you go to olg.ca, gets blocked, fantastic. Then, 5 mins later, you refresh the page, same browser (Mozilla), page is all "scrambled" and NOT blocked. You do same in Edge or Chrome, works fine no matter how many times you refresh. Come back say 1 hour later, it's the other way around, and even if I reset the browser, may work for 5-10 mins and again same problem. This NEVER used to happen back in R81.10 lab I had inspection on. By the way, it's totally unrelated to my Windows PC I tested with, as Windows fw is disabled and I even tested brand new Windows machine, exact same problem.

2) Autonomous threat prevention is not working right at all. I had email chain last year with few people in R&D who told me that reason for why this was the issue back in R81.10 was amount of ram (I was very suspicious of that logic even back then), so to prove my point, I "slapped" on 32 GB of ram on R81.20 gw as they suggested, exact same problem...causes gw to "get stuck" when autonomous threat prevention is on, policy push is super inconsistent, but as soon as I disable this feature and go to having say only ips blade on, no issues even with 16 GB of ram installed.

But, in all fairness, other than these 2 issues, everything else seems fine, so who knows, maybe things get better with next jumbo, I have no idea...will have to wait and see 😇

0 Kudos
shaig
Employee

Hey,

I would be happy to check your issues regarding HTTPSi and blocking experience. Let's take it offline.

0 Kudos
the_rock
Legend

Well, funny enough, I spun up another VM on R81.20 with EXACT same things enabled like initial one (same mgmt server) and now https inspection works fine. How, don't ask me, as it makes no logical sense whatsoever, but I will take it, seems very consistent now : - )

0 Kudos
yaird
Employee

Hi,

First, thanks for your feedback.
In continuing our offline communication, I would like to better understand the Autonomous Threat Prevention issue.

I will be glad if we have a conversation about what you have seen. If you have a reproduction it would be great as well.

Thanks,

Yair Danieli

0 Kudos
the_rock
Legend

Hey @yaird 

I can't sadly replicate this at the moment, because physical appliance I tested this on before is not available any longer.

0 Kudos
RamGuy239
Advisor

I've had no issues with R81.20 for management installations (Management, HA management, Smart Event and Log). Have been facing some issues where Log View in Smart Console is complaining about logs either being moved or corrupted. But I managed to fix this by running evstop, removing all indexing data, evstart to re-build all indexes and thus far the issue has not re-appeared. This has happened to me on two different R81.20 environments. But that is pretty much it. They are all running R81.20 + JHF Take 8.

On gateways on the other hand I've been facing far more issues. I wouldn't really recommend R81.20 for gateways unless you really want some of the new features. But customers love Network Feeds, and for good reason. It makes life so much easier when you can just toss well-known blacklists, vendor recommended whitelists and whatnot directly into your access policy. It also allows for network admins not familiar with Check Point to administer a server with lists for both whitelisting and blacklisting, just modify whatever txt or json you have on the server and the policy on the firewall will adopt it. IOC Feeds have allowed similar capabilities, but the procedure and compatibility is vastly superior with R81.20 and Network Feeds.

 

The one thing that strikes me as really odd with R81.20 is the lack of JHF's available. GA since November, and all we have thus far is a "latest", aka on-going JHF and that's it. I normally work with customers that are "early adopters", not EA customers, they don't work with yet-to-release BETA versions, but they are quite agile and often move to new versions before they become "widely recommended". R81.20 has to be the release with the slowest rollout of JHF's out of all R8X.XX releases? 5 months and just a single JHF which is not even recommended?

One could argue this might be because R81.20 is having very few issues. But then it comes off as quite odd for it not getting "recommended" status by now. And considering the amount of JHF's we've gotten for R80.40, R81 and R81.10 in the past 5 months, and how much of the code and daemons that are shared between versions I have a hard time believing that R81.20 isn't going to get a lot of the same changes. Once the next R81.20 JHF drops I'd bet the change-log is going to show a lot of similar changes as the past few JHFs for R81.10.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
(2)
the_rock
Legend

I totally get all your points...it's hard these days to convince most customers to upgrade, unless there is super valid reason for it or version they are on is not officially supported any longer.

0 Kudos
Chris_Atkinson
Employee

Expect we'll need to see a few Jumbo takes at least before this status is achieved amongst other metrics. 🙂

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Very good point indeed Chris. I was hoping there was going to be more than 1 jumbo so far, but let's see...maybe soon : - )

0 Kudos
Timothy_Hall
Legend

If you read through the R81.20 release notes you'll see that there were a gargantuan number of new features, in my opinion on par with the R70 release; seems logical it may take a bit longer than normal to get all these new features running optimally. That said, I have been using R81.20 GA in VMware for my Gateway Performance Optimization class which constantly beats the crap out of the gateway VMs and their assigned cores with heavy load tests...and R81.20 has been rock solid. Not one crash or any strange behavior, even with many students doing their best to break things with monstrous traffic and new connection rate loads.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Vincent_Bacher
Advisor

I installed R81.20 hotfix take 8 as well. On my end on a 16200 cluster which is running several VS doing nothing else than accepting identity agent sessions and publishing them using identity broker.
I already made good and bad experiences. 
Good: multithreading of pdpd process works 🙂
Bad: already had a pepd core dump 😄

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
_Val_
Admin

We have a procedure to define the recommended release. It is largely based on two statistical data sources: the number of installations on the field and stability indicators.

Only once there is a certain install number showing in the feeds we can be sure that the release can become recommended.

With all the R&D efforts to fix any issue with it, field adoption is one of the key ingredients, and it cannot be rushed. In other words, it is partially up to you, guys. 


Henrik_Noerr1
Advisor

I certainly understand the need for a stable release - but the support dates are really hurting our ability to stay compliant without a massive effort from our engineers, consultants and customers in general.

r81.10 goes eol October 2024 - Being in a financial service business staying within supported software is critical.

With summer holidays, December and every month ultimo locked down for change freeze, the number of change windows is quickly shrinking. And with 25 large vsx clusters and some 400 virtual systems the complexity is not low.

That r81.10 is still the recommended release hurts our ability to meet the compliance target, and we already know from history that we will see the same issue since r81.20 is eol in 2026 with next recommended release probably just available a year before.

I really wish Check Point had a better release management cycle, with the recommended release coming day 1 and/or a longer eol date between releases.

 

/Henrik

(1)
the_rock
Legend

I think you summed all of that up PERFECTLY @Henrik_Noerr1 

0 Kudos
Bob_Zimmerman
Authority

In general, the best way to deal with this is to do more, smaller upgrades. I currently also work at a financial company with a fair amount of VSX. We upgraded about 50 clusters in about 4 months last year, almost exclusively via CDT in SmartConsole. We've also been using it to install jumbos, though currently at a slower pace than I'd like.

Yes, frequent upgrades and updates are a paperwork headache. I'm pitching it as avoiding issues, since almost every bug we've hit had been patched for months by the time we hit it.

0 Kudos
Aviv_Abramovich
Employee

First, I'd like to announce that due to the feedback in this forum we have decided to extend the support of R81.10 to July 2025 which represents full 4 years since its initial release. A formal announcement and an update to the product life cycle page will probably take a few more days.

Second, we are in the final stages of QA testing JHF #2 for R81.20 and expect to release it during May. As many of you are already familiar, we will promote this release to be "recommended" typically several weeks after its release and it is now expected to become "recommended" in June.

With an aim to create more predictability with support periods, I can further share that every future major or minor release will have full 4 years support from its release date. 

 

Aviv

Product Management

(2)
the_rock
Legend

I give that answer 5 stars review @Aviv_Abramovich 🙌🙌

0 Kudos
Chris_Atkinson
Employee

@Yaron_Weiler just made the following post confirming the above.

https://community.checkpoint.com/t5/General-Topics/R81-10-End-of-Support-extension/m-p/179491#M29926

The lifecycle web page now reflects the change:

https://www.checkpoint.com/support-services/support-life-cycle-policy

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Thanks for confirming Chris. Have a nice Sunday, since I know Saturday is almost over where you are : - )

Andy

_Val_
Admin

Thanks a lot, @Aviv_Abramovich 

0 Kudos
genisis__
Leader

Really positive news from a Jumbo and application life cycle perspective.

One thing, can the 4-year cycle start from the time the version has hit recommended status, rather than when it was first released?
This would be the time most people would start to migrate across to the newer version.

the_rock
Legend

I have to say, after jumbo take 10 install on R81.20, EVERYTHING seems more stable and faster...don't ask me how, but that's what I see in my lab...so, no complaints : - )

0 Kudos
JozkoMrkvicka
Mentor

In LAB, all is looking perfectly fine most of the time 😉 You simply cannot replicate everything in LAB compared to real production.

Wondering if Check Point will put the same priority and urgency on all supported versions even newer version will be declared as recommended...

"upgrade to the recommended version" and then all will be fixed, they said.

Kind regards,
Jozko Mrkvicka
the_rock
Legend

You are definitely correct @JozkoMrkvicka . I will say that it, at least, gives confidence to customer when you tell them lab works fine. I had the situation happen few times that even all worked in the lab, production was a different story...it happens.

Greg_Harbers
Collaborator

Hi Aviv,

How is R81.20 tracking to become the recommended release? 
Thanks

0 Kudos
MatanYanay
Employee

Hello @Greg_Harbers and all 

We plan to release additional jumbo with important fixes during July.

Once the new Jumbo will be declared as recommended for customers already using version R81.20, we will start the process of moving R81.20 to be our recommended version 

The new target ETA is August timeframe  

Thanks 

Matan.

the_rock
Legend

Awesome news @MatanYanay . I keep recommending R81.20 for mgmt to everyone, but always say to wait for gateway, until CP officially recommends it.

Cheers,

Andy

0 Kudos
