Robert_H
Participant

Recommended HFA branch disappear?

Hello folks,

Maybe a weird question, but I am looking for the recommended HFA to take for all supported versions, starting from R81.20 to R82.10, but only the latest HFA is present. Am I missing something, and will the latest branch be the new recommended?

Thanks


Accepted Solutions
masher
Employee

I have several customers in the same position where they prefer the "recommended" versus "latest" release. 

sk95746 has more information regarding recommended versus latest takes.  

The "recommended" take can still be found under "Previously released takes". Keep in mind that this release will not cover the recently released CVEs. 

For example:

R81.20 JHF 127 can be found at the following link.

Each JHF has information regarding the release date as well as the recommended date. 

Martijn
MVP Silver
emmap
MVP Gold CHKP

The previous recommended takes are not highlighted as recommended as they don't include the recent roundup of CVEs patched in the latest takes. Once we have seen the latest takes have significant install sizes without issues they will become recommended.

ccsjnw
Collaborator

This is really confusing.... Check Point shouldn't make poor decisions like this without thoroughly thinking about the consequences (intended or otherwise).

People who work in a highly compliance / regulated environment frequently have a policy where they will only install "Recommended" versions. You risk organisations uninstalling their current Take and going back to the GA release which I'm sure is not your intention. 

Whatever was the Recommended Take, should stay the Recommended Take until the replacement is ready and available (and fully tested!).

Duane_Toler
MVP Silver

Normally, the most recent Recommended is listed, but this is a case of a Recommended JHF being "revoked" for one reason or another.  I've seen it happen before.  In this case, it looks like the reason is what @emmap said; looks like the recent pile of CVEs are more important.  You'll see Recommended come back again soon.  Then at some point in the future, you'll see a repeat of this same scenario when some other extenuating circumstance occurs.

Imagine from Check Point's perspective, tho:  "I installed the most recent Recommended but now my vulnerability scanning service says I'm vulnerable to all these CVEs! I thought I had all the updates!"  ...well, you did... until things changed.  Now you're not.

They didn't completely rescind the last recommended JHF either, as you found.  If you install that, tho, now that time has passed since that JHF, you need to be aware of the forward risk.  There are CVEs now published which have been patched in the new JHF candidate.  You have a decision to make:  Install the new candidate, or ask TAC to get you portfixes for those CRs for your current JHF.  It's up to you; you have options.  Pick the one that's best for you.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
genisis__
MVP Silver

I've noticed the same for R82; the recommended release a few days back was JHFA91, now JHFA is the only thing listed, but it's not listed as recommended release.

Duane_Toler
MVP Silver

Yeah, they did it for all of them.  Looks like the CVEs are the reason this time.  Phoneboy had another post about the recent Frontier AI model work (I'm guessing they got Mythos) finding issues in their code, so they proactively release CVEs and hotfixes for those issues.  I'm sure they have individual hotfixes and portfixes available if one were to open a TAC case and ask.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
PhoneBoy
Admin

These CVEs were found using our own internally-developed AI-driven tools.
More here: https://blog.checkpoint.com/security/check-point-frontier-ai-models-readiness-program-security-updat... 
