Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Eran_Habad
Employee
Employee
Jump to solution

Management JHF - Did You Know?

Hi everyone,

My name is @Eran_Habad and I’m a manager in Check Point’s R&D. My group is responsible for the core I/S and APIs of the Management Server.

Following several recent conversations with customers, I would like to provide some information and shatter few myths regarding the JHF of the Management:

  1. A new take of the JHF is usually released every few weeks (ideally) with a list of fixes that can be seen in the JHF SK according to the relevant version: R80.10, R80.20, R80.30, R80.40.
  2. Every new JHF take is first released as Ongoing for early adoption, and later becomes recommended for General Availability. You can find all information in the JHF SK.
  3. You can install a new JHF on the Management Server regardless of the Gateway. There’s no requirement to align the Management and Gateway to use the same JHF take.
  4. However, we do require all Management machines to have the same JHF take.
  5. There is a JHF package for the SmartConsole as well, yet there’s no dependency between the Management Server and the SmartConole. You can use a different take of the JHF for each.
  6. Installing a JHF is not a Management upgrade! The installation of a JHF on the Management is simple, doesn’t perform any changes in DB and is only replacing specific binaries with new fixes.
  7. We strongly recommend that our customers install the latest recommended GA JHF on a regular basis, even without the need for a specific fix. The reason is that the JHF accumulates fixes for known issues that could be prevented upfront if installed.

 

I’m also tagging @Tomer_Noy, R&D Director of Management Products and @Miri_Ofir, R&D Group Manager responsible for Customer Success & CFG.

All of us would be happy to answer any further questions regarding the Management JHF and to get ideas for improving the JHF adoption and installation.

Regards, Eran

1 Solution

Accepted Solutions
Tomer_Noy
Employee
Employee

The gateways / clusters can be updated to a new JHF gradually without any dependency on updating the Management / MDS.

You can have gateways / clusters with different JHF builds between different domains, and even within the same domain.
You can have different JHF builds for the gateways and for the Management.

The comment about having the same JHF is only for the Management MDS & MLM machines. If you have multiple MDM servers, you need to have the same JHF build on them.

I hope this clarifies things.

View solution in original post

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
Good information the community can use.
Garrett_DirSec
Advisor

Hello -- Great information.  sincere thanks for the post.   Note:  we in region exclusively use term "HFA" vs "JHA". 

topics... 

  1.  curious why individual hot fixes block installation of JHA and/or require a specific JHA release to be installed?
  2. Do you foresee a future when hotfix blocks/etc go away (with micro services architecture, etc)?
  3. when is JHA release #1 going to be available for R80.30? Honestly, this is the litmus test we use when recommending a new platform release to customers.

Thanks -GA

 

PhoneBoy
Admin
Admin
  1. A JHF and individual hotfixes can touch the same files. Before fixes can be integrated into a JHF, they have to meet certain criteria. Likewise, some fixes are on top of fixes applied in a JHF, thus there are dependencies.
  2. I suspect this is something that will be addressed longer-term, but don't know the specifics.
  3. The first Ongoing JHF for R80.30 was released yesterday. See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Vladimir
Champion
Champion

Great info! Thank you for sharing.

Please answer this: If I recall correctly, some of the Ongoing JHFAs are required to be uninstalled before the next version is installed. Why not include removal of the intermediate Ongoing JHFA in to the installation logic of the next one?

Regards,

Vladimir

Tomer_Noy
Employee
Employee

Note that there were some recent improvements in the CPUSE DA JHF installation.

In the past, installing a new JHF involved uninstalling the current JHF in the background. This had several drawbacks such as extra time to perform the uninstall and potentially going back to the vanilla GA if the new JHF failed to install.

Another drawback was that if you installed an private / specific HF that depended on a certain JHF build, we couldn't uninstall the existing JHF in order to install the new one. That was the case even if the private HF fix was included in the next JHF. The customer still had to manually uninstall the private HF to allow the JHF installation to proceed.

In the new mechanism, the next JHF is installed on top of the existing JHF without uninstalling it. This means that if a private HF fix is included in the next JHF, you don't need to uninstall it manually anymore. We will recognize the situation and let you proceed. Also, uninstalling a JHF will bring you back to the JHF you had before, instead of to the clean vanilla state.

This was great work by @Tsahi_Etziony and @Lior_Manor .

The DA is auto-updatable, so everyone should get it automatically (assuming they didn't turn off the auto-update).

Vladimir
Champion
Champion

Hi Tomer and thank you for this info.

These are welcome changes indeed. I have noticed the DA becoming Auto Updatable or giving us the opportunity to do so from Web UI manually.

As to compatibility with custom or private HFs, this seems to be a work in progress. As per sk113410:

"Future Jumbo takes might include content that will conflict with this Hotfix. Installing such a Jumbo take on a system with this hotfix, will fail with an appropriate error. In such a case, please contact Check Point Support."

0 Kudos
MVS_VF
Participant

Hello Eran,

Thank you for the very clear and informative post.

In my environment I have Multi-Domain Server with R81.20 Jumbo Hotfix Take 41 and so are my firewalls exactly on same version. I have to upgrade Firewalls at least to Jumbo Hotfix Take 65. Good if can go ahead with individual Open Servers one by one but not at once "since you had mentioned above in point 4 - all Management machines to have the same JHF take".

With respect to point no 4 and my organizations Checkpoint environment(pics attached). I have MDS and have around 10 domains in it. But we also have individual Domain Management Servers(Open Sever) in each Domain apart from Gateway and twin Cluster members(2nd Pic).

Now my question is with respect to point 4 - Can I target individual domains ''one by one" and update HF of cluster members and its individual Domain Management Servers(Open Sever) in each Domains to Take 65 ?

And not ALL Management Servers in one go as, the 4th point states that all management machine need to be on same JHF take?

MDS with multiple Domains1.png

CP Multi-Domain Server with Firewall Cluster.PNG

Thanks

MVS 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Do you know that you have posted a reply to a post that is 5 years old ? Did you expect any answer ?

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tomer_Noy
Employee
Employee

Both @Eran_Habad and myself are still in Check Point 😀
(different positions though)

So it's fine, and we'll be happy to answer.

Tomer_Noy
Employee
Employee

The gateways / clusters can be updated to a new JHF gradually without any dependency on updating the Management / MDS.

You can have gateways / clusters with different JHF builds between different domains, and even within the same domain.
You can have different JHF builds for the gateways and for the Management.

The comment about having the same JHF is only for the Management MDS & MLM machines. If you have multiple MDM servers, you need to have the same JHF build on them.

I hope this clarifies things.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events