This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-01-30 12:56 PM
Jump to solution

Risks of having equipment in EOL.

Hello, team.

A technical question, based on your experiences.

What are the risks of having equipment that is at EOL (End of Life)?

I currently have a state customer, that due to bureaucratic issues, can not for the moment make a technological renovation to their equipment.

The client has Firewalls equipment that are Appliance 12200 model, which according to the Checkpoint portal, are already cataloged as EOL.

Is there a list of considerations that should be taken into account in these cases?

Thank you for your comments.

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-01-30 01:32 PM
Jump to solution

My Top 3:

No new security features (old software)

No blade subscription update contracts

No RMA entitlements/garuntee for hardware failure.

 

Refer also:

https://www.checkpoint.com/support-services/support-life-cycle-policy/

 

 

 

CCSM R77/R80/ELITE

View solution in original post

Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-01-30 05:02 PM
Jump to solution

Just keep in mind that if they don't schedule hardware replacement, the hardware will eventually schedule it for them as a fun surprise.

From a realistic standpoint, if the processors, RAM, and network cards haven't caused problems by now, they probably won't. The fans, spinning drives, and power supplies are the things which become faulty over time. Of those, the drives can be replaced with off-the-shelf units should the need arise. Just pull the old drive out of the rail, slap a new one in, insert it, and probe the SATA endpoints to force the new drive to be recognized.

I would feel fine running old hardware (e.g, to avoid spending money and time on a datacenter being decommissioned) as long as I had some spare fans and power supplies. If you don't have some spares on hand, get some now so you don't have to panic-buy them later after a failure. Save them from other decoms. Find some on eBay. Whatever. Once you have spare parts, test them. Plan a testing window, pull a part out of the standby member of the cluster, and swap in a spare. Make sure it works.

If you're okay taking on the responsibility of dealing with failed hardware, that just leaves the software. The 12k series refuses to install R81 or newer. This is ultimately another reason I can't stand Check Point's branded boxes. I can upgrade a much older IBM x3650 to R81.10 with no problem. Still, R80.40 can get software support for another year (until January 2024).

View solution in original post

0 Kudos
6 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-01-30 01:32 PM
Jump to solution

My Top 3:

No new security features (old software)

No blade subscription update contracts

No RMA entitlements/garuntee for hardware failure.

 

Refer also:

https://www.checkpoint.com/support-services/support-life-cycle-policy/

 

 

 

CCSM R77/R80/ELITE
the_rock
MVP Platinum
MVP Platinum
‎2023-01-30 01:45 PM
Jump to solution

I would say Chris gave all the valid reasons, for sure. To also add to what he said, while appliance might be EOL, if software running on it is supported and the applince itself also has support, then you could technically open case and get TAC assistance. 12200 support had ended June of 2022, so the best case scenarion could be that either customer has valid support on it and case can be opened, or if they dont and they are on R80.40+, then possible your SE can help facilitate getting support.

Either way, Chris gave you perfect response.

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-01-30 05:02 PM
Jump to solution

Just keep in mind that if they don't schedule hardware replacement, the hardware will eventually schedule it for them as a fun surprise.

From a realistic standpoint, if the processors, RAM, and network cards haven't caused problems by now, they probably won't. The fans, spinning drives, and power supplies are the things which become faulty over time. Of those, the drives can be replaced with off-the-shelf units should the need arise. Just pull the old drive out of the rail, slap a new one in, insert it, and probe the SATA endpoints to force the new drive to be recognized.

I would feel fine running old hardware (e.g, to avoid spending money and time on a datacenter being decommissioned) as long as I had some spare fans and power supplies. If you don't have some spares on hand, get some now so you don't have to panic-buy them later after a failure. Save them from other decoms. Find some on eBay. Whatever. Once you have spare parts, test them. Plan a testing window, pull a part out of the standby member of the cluster, and swap in a spare. Make sure it works.

If you're okay taking on the responsibility of dealing with failed hardware, that just leaves the software. The 12k series refuses to install R81 or newer. This is ultimately another reason I can't stand Check Point's branded boxes. I can upgrade a much older IBM x3650 to R81.10 with no problem. Still, R80.40 can get software support for another year (until January 2024).

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-31 05:05 AM
In response to Bob_Zimmerman
Jump to solution

We typically will only support a given Open Server hardware for three years, FYI.
It is also possible to install R81+ on a 12000 series with some mucking about with a config file before FTW runs.
Of course none of these things make these releases officially supported on this hardware.

Regardless, make sure you are working with your Check Point SE on this.
We can extend support on certain EOL hardware/software combinations (albeit with extra cost).

Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-01-31 08:05 AM
In response to PhoneBoy
Jump to solution

My point is mostly that I'm okay supporting the old hardware because I have spares. Now that my remaining x3650 cluster is finally off of R67 (upgraded to R77.30, then R80.40 in the span of about a month last year!), CPUSE will happily let me install new, supported software so any bugs I hit can still be fixed.

It's definitely not a good situation, by any means. That said, having the spare hardware on-hand and being able to get software support means it's not even one of my top ten problems right now.

PhoneBoy
Admin
Admin
‎2023-01-31 07:10 PM
In response to Bob_Zimmerman
Jump to solution

Where the "unsupported" hardware might come into play is when it comes to fixing hardware-specific bugs (like for NIC drivers).
Assuming you don't run into these issues...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events