Juergen_Meier
Explorer

Upgrade R77.30 gateway with NAT, PBR and DHCP relaying?

We have a R77.30 gateway cluster (two 4600 appliances).

Although we try to get rid of the legacy, the system still has to perform Policy based routing with NAT, DHCP Relaying (using the new relay service) with Mobile Access, URL Filtering and Antivirus blades (no SSL inspection).

The 4600 appliance has only 4 GB of RAM and is not upgradable.

SmartCenter is a dedicated system that will be upgraded to R80.10 regardless of this cluster (in order to manage other R80.10 firewalls).

Any thoughts on upgrading this Cluster to R80.10?

I am concerned about PBR and NAT and the DHCP relaying (the cluster acts as a DHCP relay).

Should we invest the time and effort to remove these from the cluster prior to upgrade? Or will R80.10 handle these without problems?

Or should we keep it at R77.30 until the platform can be renewed (at least 1 year to go)?

0 Kudos
3 Replies
Timothy_Hall
Champion

All the features you mentioned work just fine on R80.10.  In fact R80.10 actually uses the available RAM more efficiently than R77.30 for certain gateway features as specified here:  sk120131: Memory utilization in R80.10 Security Gateway / StandAlone

You will probably be just fine going to R80.10 on your 4600 gateways, however please provide output of the following to show how that 4GB is being used:

free -m

enabled_blades

fwaccel stat

Without seeing the above results, if you are looking to replace the gateway in under a year anyway and R77.30 is doing the job for you, I'd probably go ahead and upgrade management to R80.10 for the many benefits, yet leave those particular gateways at R77.30 for now unless there is some new gateway feature of R80.10 you need.  R77.30 is supported until May 2019 so there is no hurry.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Juergen_Meier
Explorer

Hi, and thanks for the response.

The output of the commands:

[Expert@fw01:0]# free -m
             total       used       free     shared    buffers     cached
Mem:          3948       3602        346          0        322       1122
-/+ buffers/cache:       2157       1790
Swap:        10268          0      10268
[Expert@fw01:0]# enabled_blades
fw vpn urlf av appi anti_bot
[Expert@fw01:0]# fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
                   disabled from rule #28
Drop Templates : disabled
NAT Templates : disabled by user

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, Nac,
                       ViolationStats, AsychronicNotif, ERDOS,
                       NAT64, GTPAcceleration, SCTPAcceleration,
                       McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256
[Expert@fw01:0]#

0 Kudos
Timothy_Hall
Champion

Memory allocation looks fine, it is using about half the RAM in the box with plenty free.  Might be nice to optimize your rulebase to permit templating beyond rule #28, but that depends on how many total rules are in the policy.  Based on what you've provided I'd stick with R77.30 (and keep up to date on the latest GA jumbo HFAs) until you are ready to replace the hardware in a year, then go to R80.10 at that time.  R80.10 is very solid, but your current environment is easily getting the job done, and in my opinion there is no pressing need to change it until the hardware is replaced.

0 Kudos
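The reply above reads the pasted `free -m` and `fwaccel stat` output by eye: effective memory use is the `-/+ buffers/cache:` row (page cache is reclaimable, so the raw `used` figure overstates pressure), and the `disabled from rule #28` line tells you where SecureXL accept templating stops. The script below is an added example, not code from the thread or from Check Point, that automates exactly those two reads so they can be repeated across a fleet before an upgrade decision. The sample strings are constructed from the outputs posted in the thread (classic procps `free -m` layout, as shipped on R77.30 Gaia), and the 75% usage threshold in `assess()` is an assumed value for the example, not a Check Point recommendation.

```python
import re

# Constructed samples: the outputs posted earlier in this thread, reformatted
# to the classic procps 'free -m' layout with the '-/+ buffers/cache:' row.
FREE_M_SAMPLE = """\
             total       used       free     shared    buffers     cached
Mem:          3948       3602        346          0        322       1122
-/+ buffers/cache:       2157       1790
Swap:        10268          0      10268
"""

FWACCEL_STAT_SAMPLE = """\
Accelerator Status : on
Accept Templates : disabled by Firewall
                   disabled from rule #28
Drop Templates : disabled
NAT Templates : disabled by user
"""


def parse_free_m(text):
    """Parse classic (pre procps-ng 3.3.10) 'free -m' output into MB figures.

    'used' on the Mem: row includes buffers and page cache, which the kernel
    reclaims under pressure, so headroom is judged from the '-/+ buffers/cache:'
    row: memory actually held by processes and the kernel.
    """
    stats = {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Mem:"):
            keys = ("total", "used", "free", "shared", "buffers", "cached")
            stats.update(zip(keys, (int(f) for f in fields[1:7])))
        elif line.startswith("-/+ buffers/cache:"):
            stats["effective_used"], stats["effective_free"] = int(fields[2]), int(fields[3])
        elif line.startswith("Swap:"):
            stats["swap_total"], stats["swap_used"] = int(fields[1]), int(fields[2])
    if "total" not in stats:
        raise ValueError("no Mem: row found; expected classic 'free -m' output")
    if "effective_used" not in stats:
        # Derive the row ourselves if it was trimmed from the paste.
        stats["effective_used"] = stats["used"] - stats["buffers"] - stats["cached"]
        stats["effective_free"] = stats["total"] - stats["effective_used"]
    stats["effective_used_pct"] = round(100.0 * stats["effective_used"] / stats["total"], 1)
    return stats


def parse_fwaccel_stat(text):
    """Extract SecureXL status, the three template states, and the rule number
    at which Accept Templates are first disabled, from 'fwaccel stat' output."""
    result = {
        "accelerator_status": None,
        "accept_templates": None,
        "drop_templates": None,
        "nat_templates": None,
        "templates_disabled_from_rule": None,
    }
    header = re.compile(
        r"\s*(Accelerator Status|Accept Templates|Drop Templates|NAT Templates)\s*:\s*(.*?)\s*$"
    )
    for line in text.splitlines():
        m = header.match(line)
        if m:
            result[m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        m = re.search(r"disabled from rule #(\d+)", line)
        if m:
            result["templates_disabled_from_rule"] = int(m.group(1))
    return result


def assess(mem, accel, max_used_pct=75.0):
    """Turn the parsed figures into the pre-upgrade checks made in the thread.

    max_used_pct is an assumed threshold for this example only.
    """
    findings = []
    usage = f"{mem['effective_used_pct']}% of {mem['total']} MB in use (excl. buffers/cache)"
    findings.append(("memory tight: " if mem["effective_used_pct"] > max_used_pct else "memory OK: ") + usage)
    if mem.get("swap_used", 0) > 0:
        findings.append(f"swap in use: {mem['swap_used']} MB")
    if accel["accelerator_status"] != "on":
        findings.append("SecureXL is off; all traffic takes the slow path")
    rule = accel["templates_disabled_from_rule"]
    if rule is not None:
        findings.append(f"Accept Templates stop at rule #{rule}; rules below it are not templated")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_free_m(FREE_M_SAMPLE), parse_fwaccel_stat(FWACCEL_STAT_SAMPLE)):
        print(finding)
```

Run against the thread's numbers it reports 54.6% effective use and templating stopping at rule #28, matching the reply's reading. On real gateways pipe the two commands into the parsers instead of the constructed samples; on newer Gaia releases with the modern `free` layout (a single `buff/cache` column) the Mem: row parsing here would need adjusting.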