I don't understand why everyone has problems with R80.10 or R80.20EA. We have migrated many customer installations to R80.10. I have noticed only a few problems here. They were also just minor issues that were quickly fixed with Jumbo Hotfixes. For some months now I have found this to be a very stable version. I find many good new functions here in the SmartConsole. The migration from R77.30 to R80.10 was also always problem-free. Have the courage to switch to R80.10. It's a great version and I'm awaiting R80.20 GA.
For us, moving from 77.30 to 80.10 was not an in-place upgrade.
We elected to stand up a fresh 80.10 environment and move everything to it. The plus side is everything is fresh after 20 years of crust building up. The downside has been the sheer effort of migrating.
In my opinion, Check Point dropped the ball on having customer-available migration tools. In a number of cases we've had to engage LCMS to assist with policies that were simply too large to move by hand. And now Pro Services to assist with VPN migration. Thankfully, in all of those engagements everyone has been great to work with.
As far as stability, 80.10 has been solid on the gateways as well as the management platform.
SmartDashboard still leaves a lot to be desired. It'll just randomly crash out at random times. It's an antiquated and bloated client and it shows.
From a usability standpoint, the GUI is a massive change from 77.30. We brought an engineer on who'd been away from Check Point for a while, but cut his teeth on 7x.xx series software. He was lost for a couple weeks trying to get his bearings. Once you overcome that shock, 80.10 has been good to work with.
Mhm.. from my point of view, the migration was not so smooth... 2 months of discussions with TAC, then the problems with the new SmartEvent (SR since over a month)... Rule jump and scrolling problem in the SmartConsole... so I hope you understand why I'm not as happy with R80.10 as other people
I also had some problems with the first migrations:
- Character set for database
- Traditional mode VPN policies
- SmartConsole problems
But the R&D guys quickly fixed that.
I think since the latest General Availability release Take121 R80.10 is very stable and we now have "ongoing take 142":
I have to agree with you.
Yes, our R80.10 EA version was installed while it was announced as GA. It has been running smooth and secure and did not have any issues.
I don't understand either the conservative approach to keep on R77.30 until R80.20 is out. I would say just get started with the upgrade to R80.xx.
I would say R80.10 is a very stable and trust full version. No one should be in doubt whether to upgrade or not. Just do it!
I have a setup with about 20 customers running on an R80.10 environment and around 140 in an R77.30 environment, all multi-domain. The only problems we had were with migrations from R77.30 customers to the R80.10 environment; all these issues had to be resolved by R&D, so do not tell me there were no issues with migrations. There were only a few out of the 8 migrations we did (all the rest is new setups on R80.10, that went without any issues, after we ran a script that I got after the first failures to run after every migration after that.
We are planning an in-place migration from R77.30 to R80.20 as we hope that most problems we ran into by then really have been resolved.
Yes, if we are facing some problem with 80.10, CP support can help with these, but if the customer is a big company such as a bank, they could not tolerate these problems.
And I have experienced a lot of problems with cluster failover on R80.10 under load on 2300 series devices. Of course CP support wants logs from us to solve this problem, but the customers have no time for this. Therefore the old version is better every time, I think.
By the way, I have tested Endpoint and gateways together on the same 80.20; it looks to be working fine.
I have one customer that I have already tried to migrate from R77.30 to R80.10. The same customer uses SmartWorkflow, but I read that SmartWorkflow wasn't integrated into R80.10 or R80.20EA. The customer needs this feature and we cannot do the upgrade. Maybe there is some information on when and in which version this will be enabled again? Or are there some other options to do these workflow things?
R80.10 solved some performance issues, especially when a lot of traffic is on top of a VPN tunnel.
Moreover, R77.30 with threat emulation on has a lot of issues. Other Check Point partners I talked with faced the same problem.
You all are familiar with goodies of R80.10, but the cost to have these features might be high. The path to the R80.10 has not been smooth and some very useful R77.30 Multi-Domain server features are not available in R80.10 anymore.
Some missing features
No CMA export anymore! According to the TAC export of a CMA is not supported anymore since R80 and maybe it is going to be implemented in the future. Hello R80.20, do you have this feature? CMA export was a reliable and quick way to have a backup of a CMA and it was possible to migrate CMA data from one MDS to another MDS.
The Cross-CMA search was a really fine tool under R77.30 in GUI and on CLI as well. In R80.10 you are on your own and you might use or create an API script, but you could not get results under 10 seconds like in R77.30. 3rd party tools might be needed which periodically fetch info from the MDS and which allow you to run a local search on top of its internal database. Tufin costs some $$$.
SmartLog had a nice timeline view about frequency of filtered events which R80.10 does not have anymore. In R77.30 the log and index rotation policy could be tuned in each CMA individually, which again is not possible under R80.10 MDS; all domains are supposed to have the same rotation settings.
Just annoying issues
After a restoration of a backup additional time is needed to build the solr index.
mds_backup might get stuck dumping the DB from time to time.
R77.30 -> R80.10 gradual upgrade scripts still have bugs, admin users in R80.10 MDS might lose their certificates during R77.30 CMA import/upgrade.
The SmartConsole enables anti-spoofing on each interface when fetching interface details without topology. The fix will be available in the future, but hey, how long has R80.10 been out there?
Management server - it takes all you could throw at it.
The R77.30 Multi-Domain Server performed well on a VM having 64GB RAM and 16 CPU cores; the R80.10 VM has finally got 200GB RAM and 30 CPU cores and still quite often solr indexing must be restarted to get any response to log search queries, and overall search response time has grown. It was quite a struggle to get good recommendations to improve stability and performance of the MDS from TAC. The final recommendation is to spend some money on licenses and set up a dedicated MLM, and it is supposed to cure all our performance and stability problems in the management server. It seems that R80.10 solr is not capable of handling the same amount of logs the R77.30 did while having almost 2x more CPU cores and 3x RAM. A fat minus to R80.10, need to spend more $$$.
The MDS VM has consumed all the resources several times, resulting at least one hour of downtime each time.
And the main hit of R80.10: the API is still in its early age, many operations take much more time than using cpmiquery or dbedit, in general the API is just way too slow and needs some internal redesign OR some nice documentation on how to make it faster; maybe it would be enough to change stock configuration and provide more resources to the components serving the API.
Feature wise the API has been out more than 2 years, some additional features have been added into version 1.1, but as far as I know there is still no solid way to create clusters only by using the API. I would be thankful if I am wrong and have missed some details in documentation.
Don't get me wrong, the API is very useful, but there is some room for improvements.
There are several sweet features in R80.10 gateway software, some bottlenecks have been solved (big hopes are on the multi core VPN) but again the performance is a concern, at least for now. Maybe it is too early to draw final conclusions but initial impressions about an upgraded HA cluster are not very promising. The firewalls in a pre-prod HA cluster have only trivial FW, VPN blades, SecureXL acceleration stats being over 90% under R80.10, but average worker CPU usage is about 65% in R80.10 and CUL kicks in very often; in R77.30 average worker CPU usage used to be between 25-35% in the very same environment. A twofold CPU usage rise is high enough to get attention. According to smokeping the average ping latency used to be about 0.6 ms; after the upgrade it has been almost 2 ms including high latency peaks. We have an ongoing investigation about this performance problem, but at least at first it seems to be a clear warning sign not to rush into R80.10 gateways; maybe in our case it would be better to wait some months and upgrade to R80.20 gateways.
Hi Olavi Lentso, thanks for your very informative feedback. I have checked your point about GW R80.10 performance, and I can see you are working on this issue with TAC. I believe that the guidance you are receiving there should lead to successful resolution of your GW performance situation.
Please let me know when it happens, thanks
We are in the same boat with you, minus the R&D!
I prefer stability rather than fully featured stuff that is wobbly, as these are critical systems that we manage.
Maarten Sjouw, I am afraid you are mistaken. SmartViewMonitor.exe is still in the proper place. What is missing is the shortcut. SmartUpdate binary is called SmartDistributor now.
So if you want, they are there for you:
Actually the SmartView Monitor can still be brought up directly from the R80+ SmartConsole GUI, usually to examine the state of site to site and remote access VPN tunnels which cannot be performed directly from the R80+ SmartConsole:
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
We are comparing apples and pears here, I was referring to the MDS view of SmartConsole.
The Right-Click menu in all object lists gave us these options.
Yes I can open SV-Monitor/Update and yes it can still be found, buried under 5 layers, but you always need to either have shortcuts ready, remember the IP and login again, or connect to the domain first.
In the R77.30 MDS GUI there are a number of things that make life easier for you when you run this product for 150 different customers. When I need to just access 1 gateway to run an expert command, or I get an incident that the customer has a gateway that is performing very badly, I want to check cpview. When I get a request to add some routes to a cluster I need to open the WebUI.
In R80.10 I first need to connect to the domain itself and then I can open an SSH window (which is not a preferred SSH client). Same goes for the WebUI (which does use the default browser).
>> We are comparing apples and pears here, I was referring to the MDS view of SmartConsole
I am glad it came up eventually 🙂 Other than the fact you are unhappy with the completely different GUI structure in R80.X, it is not easy to get your point. I fully understand your unhappiness, I was there myself after R80 got released. It takes a bit of time to appreciate the might of the MGMT API.
Concerning the custom commands, did you consider custom scripts?
You can put some frequently used commands (route add / delete | save config) you need to perform on the GW into the scripts repository and call them by right-clicking on the GW object in SmartConsole:
Could be a decent alternative.
I don't think this will be working on the cloning groups, but again it is still something that will only work from within the domain SmartConsole itself and not from the MDS level.
We are on R80.20 MDS mgmt and R80.10 for gateways. The conversion from R77.30 to R80.10 was extremely painful; the in-place upgrade would die.
We ended up doing an Export / Import on a fresh build. This was ok after completion.
Things we found:
1. You needed to convert all VPNs from traditional to simplified before conversion.
2. After you convert you find that legacy VPN settings are brought along in each policy which can impact other features.
The challenge is that in R77.30 you had a convert selection to create a new policy in Simplified mode. In R80.10 that doesn't exist and you can't copy between formats.
As explained by others - the cool tools to move policies or CMAs are not complete yet. (R&D are working on it but I would expect it not to be GA until R80.40 or later.)
Having said all that - I like the R80 version and it will be great once I exorcise all the past demons from the old code.