This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2025-06-28 03:41 AM

Installation order JHF

So while i was away from work for 2 weeks, someone patched our firewall cluster (R81.10) with the latest JHF without installing this JHF on the SMS server.

How bad is this in regards to which inconsistency or issues that can happen? 

Can i just continue to install the JHF on the SMS without risk, or do i need to take some things into account?

 

0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee
‎2025-06-28 06:18 AM

Whilst not recommended it should be fine for JHFs in most scenarios. 

CCSM R77/R80/ELITE
0 Kudos
(1)
Dave
Contributor
‎2025-06-28 07:34 AM
In response to Chris_Atkinson

Hi Chris,

Thanks for letting know, but i wonder what the potential downside of this scenario could be.

Can you maybe explain a little bit?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-06-28 07:48 AM
In response to Dave

Would depend on the inclusions in a particular JHF but I wouldn't make a habit of doing it in this order, especially if the difference in JHF level is significant.

More generally it likely comes down to compatibility testing, mandating the order somewhat limits the amount of testing needed and hence reduces the potential for issues if that order is adhered to logically.

CCSM R77/R80/ELITE
0 Kudos
Lesley
Authority Authority
Authority
‎2025-06-28 01:21 PM

What take is on the SMS? I always make them the same version. Sometimes there are few days in between and never got an issue. Maybe if you have a plain R81.20 without jumbo it could cause an issue if you upgrade only gateways.

On otherhand I know some people never update SMS and only fw (what I don't recommend).

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-06-28 03:13 PM

While all members of a cluster should run the same jumbo (except when you're actively updating the cluster), there's no real dependency between jumbo on the management and jumbo on the firewalls. I've even had some managements stuck at R81.10 with firewalls at R81.20 for a few years. This is a supported configuration.

Chris_Atkinson
Employee Employee
Employee
‎2025-06-28 04:33 PM
In response to Bob_Zimmerman

Supported for/between select major versions as documented and with limitations like not being able to use features of the newer version.

CCSM R77/R80/ELITE
0 Kudos
Tomer_Noy
Employee
Employee
‎2025-06-28 11:35 PM

It's perfectly fine to install a JHF on a gateway before the Management. There is no dependency, unless one is specifically stated for using a specific feature.

Often, customers might install a JHF on a specific gateway to resolve some issue, and it's not mandatory to install that JHF on the Management.

We do recommend to install JHFs regularly on the Management to get periodic important fixes, but that's unrelated to the JHF on the gateway.

The below post is from a while back, but explains things pretty well:
https://community.checkpoint.com/t5/Management/Management-JHF-Did-You-Know/m-p/56880 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events