- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: Minimum HFA versions for older gateways when u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Minimum HFA versions for older gateways when upgrading management to r81.20
Is there a minimum HFA required for older gateways when moving management from R80.40 to R81.20 management? In the past I haven't had any problems where if the gateways were working, an upgrade of management didn't break the firewalls (assuming major versions are listed as compatible with new Management version of course). Is there a known breaking compatibility with certain older gateway versions (whatever is compatible with R81.20 management like R80.40, R80.10, etc) with older HFAs when moving to new management version?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would make sure its at least on recommended jumbo.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some fixes in gateway JHF require management side fixes, so you may need to review the fixed issues in the R81.20 JHF to make sure they match up.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_rock, So the new basic idea plan would be 1 to make sure the management is on the latest R80.40 JHFA (updating if necessary). Step 2 would be to make sure all gateway versions are updated to latest HFA (R80.40, R80.10, etc). and step 3 would be to migrate management to R81.20. Then gateways following to R81.20 afterwards.
PhoneBoy, If I read what you said correctly, are you implying that there might be a recommended JHFA for R80.40, or R80.10 or lower that would require R81.20 and would break if still on R80.40 management? That doesn't sound right from everything that I understand so I assume I am misinterpreting what you are saying.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That makes sense to me.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Adam276 wrote:PhoneBoy, If I read what you said correctly, are you implying that there might be a recommended JHFA for R80.40, or R80.10 or lower that would require R81.20 and would break if still on R80.40 management? That doesn't sound right from everything that I understand so I assume I am misinterpreting what you are saying.
No, he's saying some fixes may require the management have a certain jumbo for the fix to work on the gateway. I know such issues exist, though I don't know of any offhand. I'll make up some numbers. Let's say a fix for a certain issue is included in R80.40 jumbo 200, R81 jumbo 150, R81.10 jumbo 100, and R80.20 jumbo 50. If you take your management from R80.40 jumbo 200 to R81.20 jumbo 40, you could have a regression because the management is now missing that fix.
As for the general case, jumbo version on the firewall doesn't affect whether the management server can manage it. As long as the new management version can manage the firewall's major version (e.g, R81.20 can't manage an R65 firewall), you don't need to care about the firewall's jumbo.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the feedback on this everyone.
Bob_Zimmerman, essentially you are saying I should be able to upgrade management to R81.20 even if gateways are on older major versions like R80.10, R80.40 and with older HFAs (assuming older major version is supported by management version of course). I was worried the 81.20 management might slightly change something that gets sent to the older gateway with a much older HFA and break it if something was changed in what gets sent to the firewalls that an older HFA didn't understand correctly. I was not sure if Checkpoint tests/QA every HFA going backwards or just a few versions back from recommended on gateways with new management versions. Thanks for the clarification on the jumbos requiring management have a certain jumbo. I figured I misinterpreted that part and the way you explained is how I understood it worked.
The_rock, Is your recommendation more of a best practice (everything should be on recommended) or is it that you have seen issues upgrading management to a new major version (R81.20)? For example when gateways are on older major versions and much older HFAs that required a newer HFA that fixed it? I am not talking about a pre-existing issue before the management upgrade. I assume that is how you do upgrades for extra precaution (make sure gateways are updated to recommended first).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All I can tell you is this...what I ALWAYS do is I make sure that I install latest jumbo BEFORE any major upgrade and that seems to work fine.
Best,
Andy