Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Eran_Habad
Employee
Employee

*** NEW in R81: Accelerated Access Install Policy ***

All,

We're anxious to share with you an exciting new feature in R81 that already shows exceptional results among our EA customers: Accelerated Access Install Policy.

UPDATE: Join a live demo of the Accelerated Access Install Policy as part of "Delivering Security Consolidation Across the Enterprise" webinar at 28 Oct 2020. Register here

The policy installation is accelerated depending on the changes that were made to the Access Control policy since the last installation.

The new accelerated flow optimizes common use-cases and drastically speeds up the installation with up to 90% improvement as shown already in production of EA customers. When the policy installation is accelerated, the icon icon-0 (1).jpg will appear under the "Install Policy Acceleration" column. For example:

Acceleration.jpg

We strongly invite everyone to try out the Accelerated Access Install Policy in R81!

The feature is the outcome of a significant team effort and deep collaboration between the Gateway R&D team (led by @Meital_Natanson) and the Management R&D team (which I lead) and our excellent QA teams (led by @IrinaAstanovsky and @Ilya_Yusupov).

To learn more about Accelerated Policy Installation refer to: http://downloads.checkpoint.com/dc/download.htm?ID=108670 (or see PDF attached).

For further information, feel free to post your question here or to reach our privately to me or @Meital_Natanson.

Regards,

Eran and Meital

19 Replies
Danny
Champion
Champion

Thanks for further improving policy installation time. We all remember Check Points efforts on this topic in R80.10 as well as in R80.20 as documented here.

Your screen shot shows that Access Control and Threat Prevention Policy are installed together. We've been recently told by Check Point support that in order to avoid any issues these should not be installed together. What about this in R81?

0 Kudos
PhoneBoy
Admin
Admin

The only issue I'm aware of is the very first Access Policy installation, namely Threat Prevention cannot be installed until an Access Policy has been installed.
Are there others?

0 Kudos
Eran_Habad
Employee
Employee

There is no such limitation/guideline, in R80.x you can trigger installation of several blades at the same time. If such advice was given by TAC under specific circumstances it might be related to specific issue. Let's discuss it offline.

By the way, this is the place to also share that in R81 we added for the first time the ability to run several policy installations at the same time - which wasn't possible in R80.x:

concurrent.jpg

 

Mark_Gurevich
Contributor

Very Welcomed solution, to successfully deal with the competitors where only the delta changes are pushed which makes policy push fast

0 Kudos
Eran_Habad
Employee
Employee

Indeed @Mark_Gurevich, the new Accelerated Policy installation relies heavily on the "delta", we do major parts of the flow based on the changes that were made since last installation (some parts still use the entire policy). On the Management side, we also do some of the work as part of the Publish operation rather than waiting for the installation itself. For those reasons (and other) - the new flow is much faster.

0 Kudos
Sven_Glock
Advisor

Hi Eran,
I love to hear that news! Accelerated Policy installation and multiple synchronous policy installations are outstanding features we are waiting for.
But I found a point in the admin guide that made my heart bleeding: Limitation: Maestro.

Why? Will it be possible with later releases?

Thanks in advance.
Regards
Sven

PhoneBoy
Admin
Admin

Certain gateway types require a different policy compilation/installation process.
My guess is that those processes haven’t been updated with the accelerated policy install framework yet.
Hopefully it’s something we’ll address in later releases.

Eran_Habad
Employee
Employee

Hi @Sven_Glock, excellent question 😀

Indeed that's something we want and plan to do soon, we will update when we have good news.

George_Casper
Contributor

Does the acceleration apply to customers who use connection rematch during policy install?   

PhoneBoy
Admin
Admin

Don’t believe so as it doesn’t materially affect policy compilation at all.

Luis_Miguel_Mig
Advisor

I was wondering if there are numbers about how much faster is the accelerated policy installation. 
Let's say for example a policy-package of 500 rules and a change of 5 new objects or something like that.

0 Kudos
PhoneBoy
Admin
Admin

When the Accelerated Policy installation applies, it should be under a minute.
It has more to do with the types of changes being made versus the number of them.

0 Kudos
Eran_Habad
Employee
Employee

I can share that based on diagnostic data we have, in most cases the acceleration reduces the installation significantly under 1 minutes, for many customers it takes seconds end to end 😀

I can't provide exact estimation for a specific policy because there are many parameters that might influence, but I do expect to see improvement of dozens of % in compare to "normal" installations which aren't accelerated.

@Luis_Miguel_Mig how much time does it take you to install the policy today?

0 Kudos
Gaurav_Pandya
Advisor

I have upgraded both management and gateway to R81. But i dont see the symbol of acceleration during policy install.

 

So is it automatic or we need to enable something?

 

0 Kudos
Eran_Habad
Employee
Employee

Hi @Gaurav_Pandya,

The acceleration is automatic (nothing should enabled manually), but in some cases the installation cannot be accelerated. For more info see: http://downloads.checkpoint.com/dc/download.htm?ID=108670 (look for "Cases in which Install Policy will not be accelerated").

If you "hover" the icon of the download arrow (under Install Policy Acceleration column - see below) you'll see why the acceleration wasn't enabled. 

Eran_Habad_0-1629707969060.jpeg

 

0 Kudos
Gaurav_Pandya
Advisor

Ok. Got it

Thanks.

0 Kudos
the_rock
Champion
Champion

Hi Eran,

 

I know this is a bit older post, but just to be 100% sure, is this ONLY applicable if both mgmt and gateways are on R81?

0 Kudos
PhoneBoy
Admin
Admin

Gateways and management must be on R81 or above, yes.

the_rock
Champion
Champion

Thank you D! Im glad you confirmed, because I was under impression it was applicable if using R81 mgmt and R80.40 gateways.

0 Kudos