Is there a minimum HFA required for older gateways when moving management from R80.40 to R81.20 management? In the past I haven't had any problems where if the gateways were working, an upgrade of management didn't break the firewalls (assuming major versions are listed as compatible with new Management version of course). Is there a known breaking compatibility with certain older gateway versions (whatever is compatible with R81.20 management like R80.40, R80.10, etc) with older HFAs when moving to new management version?
I would make sure it's at least on the recommended jumbo.
Andy
Some fixes in gateway JHF require management side fixes, so you may need to review the fixed issues in the R81.20 JHF to make sure they match up.
the_rock, so the new basic plan would be: step 1, make sure the management is on the latest R80.40 JHFA (updating if necessary). Step 2 would be to make sure all gateway versions are updated to the latest HFA (R80.40, R80.10, etc.), and step 3 would be to migrate management to R81.20. Then the gateways would follow to R81.20 afterwards.
PhoneBoy, If I read what you said correctly, are you implying that there might be a recommended JHFA for R80.40, or R80.10 or lower that would require R81.20 and would break if still on R80.40 management? That doesn't sound right from everything that I understand so I assume I am misinterpreting what you are saying.
That makes sense to me.
@Adam276 wrote: PhoneBoy, If I read what you said correctly, are you implying that there might be a recommended JHFA for R80.40, or R80.10 or lower that would require R81.20 and would break if still on R80.40 management? That doesn't sound right from everything that I understand so I assume I am misinterpreting what you are saying.
No, he's saying some fixes may require the management have a certain jumbo for the fix to work on the gateway. I know such issues exist, though I don't know of any offhand. I'll make up some numbers. Let's say a fix for a certain issue is included in R80.40 jumbo 200, R81 jumbo 150, R81.10 jumbo 100, and R80.20 jumbo 50. If you take your management from R80.40 jumbo 200 to R81.20 jumbo 40, you could have a regression because the management is now missing that fix.
As for the general case, the jumbo version on the firewall doesn't affect whether the management server can manage it. As long as the new management version can manage the firewall's major version (e.g., R81.20 can't manage an R65 firewall), you don't need to care about the firewall's jumbo.
Thanks for the feedback on this everyone.
Bob_Zimmerman, essentially you are saying I should be able to upgrade management to R81.20 even if gateways are on older major versions like R80.10, R80.40 and with older HFAs (assuming older major version is supported by management version of course). I was worried the 81.20 management might slightly change something that gets sent to the older gateway with a much older HFA and break it if something was changed in what gets sent to the firewalls that an older HFA didn't understand correctly. I was not sure if Check Point tests/QA every HFA going backwards or just a few versions back from recommended on gateways with new management versions. Thanks for the clarification on the jumbos requiring management have a certain jumbo. I figured I misinterpreted that part and the way you explained is how I understood it worked.
The_rock, Is your recommendation more of a best practice (everything should be on recommended) or is it that you have seen issues upgrading management to a new major version (R81.20)? For example when gateways are on older major versions and much older HFAs that required a newer HFA that fixed it? I am not talking about a pre-existing issue before the management upgrade. I assume that is how you do upgrades for extra precaution (make sure gateways are updated to recommended first).
All I can tell you is this...what I ALWAYS do is I make sure that I install latest jumbo BEFORE any major upgrade and that seems to work fine.
Best,
Andy