lullejd
Contributor

R77.30 Full HA to R80.10/20 upgrade

We have x2 5800 CheckPoint Appliances running R77.30 in standalone HA mode. These appliances are running BGP with different ISPs in our data centre. We need to upgrade the version of these appliances to R80.10/20 due to the out of support of R77.30. Do you suggest we go to R80.20 directly?

I have many concerns such as:


- ISP Redundancy with multiple NATs. Sometimes we notice that on R80.10, ISP redundancy does not work as it should. Some traffic comes from a particular ISP and exits from another ISP.
- Management Performance Issues - Appliances have 16GB RAM. Running management on these devices I think will slow the management. Should we opt for Management split?
- Log indexing / Smart Event Performance
- 4 byte AS Number support for BGP (For R77.30 we had to install a specific hotfix to support 4 byte AS number). On R77.30 without this hotfix, the BGP AS numbers could only be up to 65535. From what I am seeing, this should have been solved on R80.10/20 (BGP 4-Byte AS and Local AS).

Thanks for your feedback in advance.

Senior Information Security Engineer
3 Replies
Danny
Champion

R77.30 is still supported and will be at least until September 2019. So there is plenty of time preparing and planning the migration.

You are right, as you are running a Security Management, SmartEvent Server, Correlation Unit and Enforcement Gateway all on the same appliance (standalone HA), the performance hit by upgrading to R80.x will be something you'll need to take into consideration. Therefore I suggest splitting the management. Either you buy two Smart-1 Appliances for Management-HA or buy a management container and run your new management within a redundant VM environment.

Whether choosing between R80.10 or R80.20, I'd like to forward you to the vendor's recommendation. Check Point writes in sk95746: "R80.20 is initially recommended for customers who are interested in implementing the new features. We will make it the default version after significant adoption. It will then be available in the 'Showing Recommended Packages' section in the CPUSE tab in Gaia portal."

So you could test R80.20 in the first place (remember, you still have many months of time) and if it's working great for you it's perfect. Otherwise use Option B and migrate to R80.10.

Regarding your BGP-4 question, refer to the GAiA Advanced Routing Admin Guide. It's included starting from R80.10.

Martin_Raska
Advisor

Correct me if I am wrong, but with the current R80.20 ISO, which is separated for GW and for Mgmt, it is not possible to install an R80.20 FULL HA setup?

PhoneBoy
Admin

The gateway ISO can be used for standalone/Full HA setups.

The management ISO contains the newer Linux kernel (3.10) and cannot be used for gateways.
