D_TK
Advisor

Gateway identity issues since applying R81.20 HFA84

Is anyone else having identity issues since applying this HF? Identity has worked relatively problem-free in the past, but since applying this HF a few weeks ago, I find myself rebooting gateways every few days because they have no new user/IP associations.

I have two Identity Collectors, both configured to push identities to all gateways (pseudo-HA per the guide). When my issue is occurring on a specific gateway, from the collector's standpoint it's happy: the gateway is green in the UI, and "events in the last hour" is incrementing normally. The IDC version is 81.069.0000.

Gateways are all clusters. When the issue is happening, there are no new user/IP associations. Sometimes, but not always, the pdp processes are pegging the CPU. The simple fix is to fail over to the standby member and have the users do a quick lock/unlock of their desktop; problem solved, new associations populated. I'll then reboot the wonky member and ensure its identity associations are up to date before putting it back as primary. This issue doesn't happen to all gateways at the same time: I'll resolve one today, and maybe a different location the next day, ...

Is there a better way to stop/start all of the identity processes on a gateway than a reboot?

Anyone else experiencing this behavior? It definitely started with the latest HF, as this behavior has never happened in the past. I'm tempted to apply HF 89, even though it's not recommended yet, to see if it resolves this issue.

Thanks all.

13 Replies
Lesley
Leader

If you hit these two SKs below, you need to update towards Take 89, so please check:

https://support.checkpoint.com/results/sk/sk182635

https://support.checkpoint.com/results/sk/sk182220

-------
If you like this post please give a thumbs up(kudo)! 🙂
D_TK
Advisor

Thanks Lesley. Do you know if this behavior was introduced by HF84? I now need to decide if I want to remove this HF or apply a currently not-recommended HF.

Lesley
Leader

I don't know that sorry. Maybe first check if you match the symptoms before you proceed. Then it is worth thinking about it.

the_rock
Legend

Yes, Take 89 is your answer.

Andy

D_TK
Advisor

Stable? I'm currently in seasonal lockdown starting 10/1.

the_rock
Legend

I can only speak for myself, as have not had any customers install it yet. In the lab, so far, seems super stable.

Andy

D_TK
Advisor

Fair enough. I'm thinking of going straight to Take 89 on the gateways and leaving management at the recommended Take 84. Thoughts?

the_rock
Legend

100%. In my 17 years dealing with CP, I had NEVER installed a jumbo on the mgmt or ever suggested it to any customer. Okay, I'm lying... technically, since standalone is considered mgmt (sort of), then I guess I did : - )

Anywho, in distributed environment, I never bother installing jumbo on mgmt, ONLY gateway(s)

Andy

Lesley
Leader

This is not right in my opinion. This is also documented:

https://support.checkpoint.com/results/sk/sk98028

The Jumbo Hotfix Accumulator can be installed either on Security Gateway, or on Security Management Server / Multi-Domain Management Server in the environment.

However, to ensure that all the issues listed for the Jumbo Hotfix Accumulator are resolved, it is strongly recommended that the same Jumbo Hotfix Accumulator is installed on all Security Gateways and Security Management Servers / Multi-Domain Security Management Servers in the environment.

Also not updating management systems you have higher chance of vulnerabilities to be still active.

I don't see a reason not to update.

the_rock
Legend

Personally, I never found any value whatsoever in installing the jumbo hotfix on the management server, but that's just me. But, to keep it consistent, I agree it's always a good idea to have all the "entities" on the same jumbo.

Andy

Nik_Bloemers
Advisor

I don't agree; there are loads of management fixes in JHFs. Just take a look at the Resolved Issues list and type 'management' in the filter field. There are hundreds of fixes for management/logging/SmartConsole issues (for R81.20 I quickly count about 360 fixes when I filter in the CSV), plus lots of new gateway features that ONLY work when you also update management. In my opinion it is best practice to keep the JHF versions either the same or at least close.

the_rock
Legend

That's totally fair, to keep them at the same level; no argument there. But take, for example, a Smart-1 instance: every time I called TAC for multiple clients to ask them the JHF level, it was always AT LEAST 5 levels less than the gateways, and it still worked fine, so I never pressed them to have it updated, as it's done by CP anyway, on schedule.

Best,

Andy

Alex-
Leader

If this is a documented issue, the best approach is to follow the relevant SK/TAC. Just for information: we had to script a daily refresh of PDP/PEP in some implementations where identities would fail randomly, until it was fixed by some hotfix.

# Run in expert mode. Takes every "dynamic" table in nac_tables.def (except the idp*
# tables), clears all its entries (fw tab -x, -y = no confirmation prompt), then
# restarts pdpd and pepd so identities are re-learned.
grep dynamic "$FWDIR/lib/nac_tables.def" | cut -d ' ' -f1 | grep -v idp \
  | awk '{ print "-t " $0 }' ORS=" " \
  | awk '{ print "fw tab " $0 "-x -y" }' | bash
fw kill pdpd
fw kill pepd

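As an added example (not from any participant in this thread, and not Check Point's own tooling), here is how such a daily refresh can be made conditional, so it only flushes when the symptom described in the original post is actually present, i.e. the gateway stops learning new user/IP associations. It stores the entry count of the pdp_sessions kernel table between runs and only clears the tables and restarts pdpd/pepd when that count has not grown since the previous run. Assumptions: expert mode with $FWDIR set, that `fw tab -t <table> -s` prints the usual "HOST NAME ID #VALS #PEAK #SLINKS" summary, that pdp_sessions is the identity session table, and a constructed nac_tables.def layout in the comments; the STATE_FILE path is arbitrary.

```shell
#!/bin/bash
# Added example, not from the thread: conditional daily Identity Awareness refresh.
# Run from cron in expert mode. It does nothing when the fw command is absent.

STATE_FILE="${STATE_FILE:-/var/tmp/ia_refresh.state}"   # assumed location
TABLE="${TABLE:-pdp_sessions}"                            # assumed session table

# vals_from_summary TABLE: read "fw tab -t TABLE -s" output on stdin and print
# the #VALS column (4th field of the line whose NAME is TABLE); -1 if missing.
vals_from_summary() {
    awk -v t="$1" '$2 == t { print $4; found = 1 } END { if (!found) print -1 }'
}

# should_refresh PREV CUR: succeed when both counts are readable and the table
# did not grow since the last run (heuristic for "no new associations learned").
should_refresh() {
    prev="$1"; cur="$2"
    [ "$cur" -ge 0 ] 2>/dev/null || return 1    # unreadable: never flush blindly
    [ "$prev" -ge 0 ] 2>/dev/null || return 1   # first run: only record a baseline
    [ "$cur" -le "$prev" ]
}

# dynamic_tables FILE: table names to clear, same selection as the one-liner
# above (lines containing "dynamic", first word, idp* tables skipped).
# Constructed line format assumed, e.g. "pdp_sessions = dynamic sync expires 3600;"
dynamic_tables() {
    grep dynamic "$1" | cut -d ' ' -f1 | grep -v idp
}

# flush_identity: clear every selected table, then restart pdpd and pepd.
flush_identity() {
    for t in $(dynamic_tables "$FWDIR/lib/nac_tables.def"); do
        fw tab -t "$t" -x -y
    done
    fw kill pdpd
    fw kill pepd
}

main() {
    prev=-1
    [ -r "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    cur=$(fw tab -t "$TABLE" -s | vals_from_summary "$TABLE")
    if should_refresh "$prev" "$cur"; then
        logger -t ia_refresh "$TABLE stuck at $cur entries (was $prev); flushing"
        flush_identity
        cur=-1      # tables were just emptied; start a fresh baseline next run
    fi
    echo "$cur" > "$STATE_FILE"
}

# Only act on a real gateway; elsewhere (e.g. when sourced) define functions only.
if command -v fw >/dev/null 2>&1 && [ -n "$FWDIR" ]; then
    main
fi
```

The "did not grow" test is a heuristic: sessions also expire, so a quiet site can trip it on a day with little logon activity. Pair it with a time window (run it before the morning logon wave) and keep the syslog line so each flush is traceable, and treat it as a stopgap until the SK/TAC fix is in place.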