Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

Quantum R81.10 Is Now GA!

shlomip
Employee Alumnus
Employee Alumnus
7 36 10.4K

 

We are happy to announce that Check Point Quantum R81.10 has been released!

R81.10 Banner-New.jpg

 

R81.10 brings a major improvement in security operation efficiency across reliability, performance and scale of the management server.

Critical operations such as APIs, High Availability synchronization and login are more reliable and faster than ever. The SmartConsole will automatically be updated with the latest fixes and improvements.

R81.10 adds new dynamic log distribution to add log server capacity on demand.

And as part of Scalable Platforms, R81.10 brings new mix and match ability to leverage different Quantum security gateways within a single Quantum Maestro orchestration.

Watch the R81.10 Webinar here!

This release is initially recommended for customers who are interested in implementing the new features.

We will make it the default version after significant adoption. It will then be available in the 'Showing Recommended Packages' section in the CPUSE tab in Gaia portal. 

For “What’s New”, Release Notes and more information, please refer to R81.10 Homepage [sk170416]

Check Point will be monitoring the adoption of the release closely as well as any issues that may arise.

Please feel free to reach out to us with any feedback or questions

Best Regards

Release Operations Group

 

 

36 Comments
Danny
Champion Champion
Champion

When will you finally recommend R81 to all customers on your Check Point Releases Terminology? It was promised to be recommended soon at CPX360 2021. That was in February. Now it's July, R81.10 is GA, R81.20 is planned to go GA in 2021 as well and we are still waiting for an official recommendation of R81.

shlomip
Employee Alumnus
Employee Alumnus

@Danny ,

This is going to happen very soon as well. We are aware of the time that passed since and we are definitely on it.

 

Danny
Champion Champion
Champion

When will you finally allow SmartConsole Extensions to refresh data live in SmartConsole by executing a previously user-approved run-script command again without nagging the end user with the same confirmation dialog everytime a user presses the refresh button again? Example: CoreXL Dynamic Balancing extension

nmelay
Collaborator

I don't get what's all the fuss with this "recommended" status.
As I understand it, it's just a random indicator of the maturity level of the new release, based on how long ago it's been released, how large was the latest JHF and how many customers are currently running it.
It does NOT indicate that it's bug-free or anything.
Nor does the not-yet-recommended status indicate that there's any serious issue that needs to be fixed!
If everyone keeps waiting for R81 to reach the golden recommended status, then it's never going to reach any significant deployment, and thus it's never going to be recommended. 🙂

Jarvis_Lin
Collaborator

Hi 

 

Can Add "Track CELL" default value is "log" in future?

It would be better to create new rule without choose Track cell.

 

 

log.png

PhoneBoy
Admin
Admin

My understanding of the "R81 Recommended" situation is as follows:

  • On Management, there are some significant quality improvements in R81 over R80.40 and there is significant adoption. 
  • On Gateways, R80.40 and R81 are similar quality-wise (with R81 having more functionality).

How precisely this will translate into updating the formal recommendation is still being finalized. 

RamGuy239
Advisor
Advisor

The thing with "default version" or "recommended version" is that a lot of customers wants some kind of indications on whether a new version is considered to be in a state where it should be widely deployed.

Obviously nothing is going to be bug-free. There is no such thing. We always have various JHF releases to older versions causing issues. This happens from time to time and is to be expected.

It shouldn't be that strange to understand that customers want to stay on versions that are being recommended by Check Point. If you haven't noticed various Secure Knowledge articles states things like:

 

Important: Check Point recommends that you install the most recent default software release and its latest Jumbo Hotfix GA to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Default version - Check Point declares the version as Default version Widely recommended for all deployments few weeks after GA and following 1-2 Jumbo Hotfix releases. Version is available via CPUSE’s “Recommended packages” view.

 

Obviously customers will feel better when staying within these recommendations. Not to mention how much easier it is for us as Check Point Partners to reference these recommendations. When we recommend versions that does not comply with what Check Point themselves has defined as the default / recommended version this puts increased pressure on us as a partner as customers might start to use this against us if we suddenly have issues with a newer version that is not yet to be considered the recommended version.

With that said I have deployed a bunch of R81 installations already. And my experience is that almost all issues I've had with R81 on gateways are also present on R80.40. The bugs seem more related to the 3.10 kernel on gateways and less about R81 being much different or having more issues compared to R80.40. On management installations R81 has been doing fine all along from my experience, but there's been quite some issues related to accelerated policy installations. But those issues is only showing up when you are managing R81 gateways as there are no accelerated policy installations towards gateways on older versions.

RamGuy239
Advisor
Advisor

Do we have any ETA on when the images for management installations will be made available? Currently, there are no OVF-files for VMware ESXi available: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Normally it takes some time for the images to show up. I think it was two-three weeks for R81 if I'm not mistaken. We prefer to use the OVF-files for deployment when doing advanced upgrades on management servers instead of using the ISO as it comes with a few tweaks by default that you don't get when using the ISO.

vinceneil666
Advisor

Any ETA on R81.10 for Azure ? 

HristoGrigorov

I was able to upgrade SG from R81 to R81.10 managed by R81 management server. I got no warning about this and ended up with gateway that can't be managed at all. I understand this is probably well documented somewhere but it is no harm to check and warn admin about such kind of "fatal" mistakes 😀

genisis__
Leader Leader
Leader

Can a R81 Manager, manage a R81.10 gateway (Similar to R80.30 Manager can manage a R80.40 gateway), also is the minimum gateway version supported now R77?  the backward compatibility matrix implies this.

shlomip
Employee Alumnus
Employee Alumnus

@genisis__ ,

you will be able to manage R81.10 Gateway from R81 Management Server

this ability will be introduced in the next R81 JHF release (Aug timeframe)

 

 

shlomip
Employee Alumnus
Employee Alumnus

@RamGuy239 , @vinceneil666 , to answer both your questions about AZURE and OVF

 

Both OVF for ESX and qCow for Openstack , as well as Azure support are expected within the next 3 weeks

It is already in process

 

RamGuy239
Advisor
Advisor

You have never been able to manage newer gateway releases with a management server on an older version from the getgo. This is something that is being backported to older management releases via jumbo hotfix accumulators if it happens at all which is not always the case.

Unless you have some edge-cases like you have to stay on an older management release because you have some legacy feature or gateways stuck on legacy software that can no longer be managed by the new release I can't see any reason why you would end up in a production environment where you would want to have your management server stay on older versions, while your gateways are being upgraded.

shlomip
Employee Alumnus
Employee Alumnus

 

For all customer out there wondering what is Check Point recommended version,

check out the new section we added to sk95746 describing our recommended version policy

genisis__
Leader Leader
Leader

Shame I can manage R81.10 gateways  just yet.  I have a installation pending in a couple of weeks which would be good to do.

_Val_
Admin
Admin

@genisis__ You answered your own question. Release notes, page 22:

Screenshot 2021-07-07 at 12.12.22.png

PhoneBoy
Admin
Admin

@RamGuy239 even where you can manage a later gateway version with an older management version, you generally miss out on the newer features on the gateway by doing that.

Alon_Alapi
Employee Alumnus
Employee Alumnus

@Danny I will take the extensions feedback internally and will get back to you on this.

 

genisis__
Leader Leader
Leader

Do we know what Jumbo release in R81.10 maps to in previous releases?  I seem to remember an SK which showed this sort of information.

RamGuy239
Advisor
Advisor

 @genisis__ 

You can find this information in SK170417:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

genisis__
Leader Leader
Leader

Nice! 

nmelay
Collaborator

See also :

Compatibility of Jumbo HFA Takes between different releases
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Which is missing R81.10 info for now.

MeravAlon
Employee
Employee

Hi @nmelay 

R81.10 information is already part of this sk164258. In every table in the sk there is information on compatibility to R81.10 GA.

We will of course continue update this sk as an ongoing basis 

Regards, Merav 

 

Andreas_Hofmann
Participant

Hello Release Operation group,

are updateable objects now available for dial in user split tunnel feature?
Do you support CP standard updateable objects for this feature as you do in https inspection like https services recommended bypass object?

 

Thanks in advance

AH

 

PhoneBoy
Admin
Admin

No @Andreas_Hofmann 
However, we do have a customer release on R80.40 that allows for a Dynamic Split Tunnel.
Believe the plan is to add this to the JHF in the future.
Please reach out to your local Check Point office for more details.

Magnus-Holmberg
Advisor

Need an update for the https://www.checkpoint.com/support-services/support-life-cycle-policy/#appliances-support

to include the R81.10 versions, am guessing the appliances that support R81 also support R81.10

regards
Magnus

RamGuy239
Advisor
Advisor

Do you have any ETA on the management image for VMware ESXi? Both GW and management images for Nutanix got released on July 20th. Both GW and management images for OpenStac got released on July 26th.

Image for GW for VMware ESXi was released on July 27th. With a slight typo as it's named "qcow2", the file is "ovf". But still no image for management for VMware ESXi?

I'm waiting on this image for a few deployments. Seems awkward for it to be this late? Images for VMware ESXi on R80.40 and R81 was released on the same date for VMware ESXi.

RamGuy239
Advisor
Advisor

Thank you! Much appericated.

shlomip
Employee Alumnus
Employee Alumnus

 

Hi All,

 

An updated image for R81.10 Scalable Platforms (Take 338) was released

 

Both clean install (ISO) and upgrade image of Scalable Platforms for R81.10 were updated.

 

The updated image includes important fixes for Scalable Platforms.

If you plan on upgrading to R81.10 Scalable Platforms, use the updated Take 338 image.

 

For more information, content and FAQ please follow sk176388

 

The updated image supports R81.10 JHF Take 14 and higher only.

Take 9 of R81.10 JHF will not be supported on the new image (Take 338)

 

Please note that only the Scalable Platforms image was updated.

The R81.10 image is still take 335

 

Thank you!

 

Release Operations Group

 

Danny
Champion Champion
Champion

@shlomip 

I just upgraded two of four MHOs (Dual Site, Dual Orchestrator) from R80.20SP to R81.10 via Check_Point_R81.10_T335_ScalablePlatform_Upgrade.tar + JHF 9 and was planning to upgrade the others tomorrow morning.

Please advice how to proceed.

RamGuy239
Advisor
Advisor

@shlomip 

What about R81.10 JHF Take 14 that got an ongoing release yesterday? Can this one be installed ontop of this new R81.10 for Scalable Platform Take 338?

What exactly does Take 338 contain compared to Take 335? Should we consider to re-install security gateways one by one on existing R81.10 Maestro installations to obtain these fixes or are they all included in Take 14 or some new JHF that is going to be released very soon?

RamGuy239
Advisor
Advisor

I can see from sk176388 that all the mentioned fixes seem to be included in R81.10 JHF Take 14, so I suppose there is no reason for re-installing existing Orchestrators and Security Gateways running R81.10 on Quantum Maestro using the new ISO. Updating from R81.10 JHF Take 9 to JHF Take 14 should pretty much provide all the same fixes and improvements?

Or is there something other magic with this new Take 338 image under the hood? Obviously, all upcoming upgrades should be done using the new image to have all these fixes from the get-go.

RamGuy239
Advisor
Advisor

I tested the new image in a LAB and the verifier claims R81.10 JHF Take 14 is compatible and I managed to install it onto the new Take 338 image. The same goes with the apache hotfix from sk176113, "fw1_wrapper_HOTFIX_R81_10_JHF_T9_APACHE2_4_51_MAIN_GA_FULL.tgz".

So it seems like you are able to re-image security gateways using the new image (take 338) and then apply fw1_wrapper_HOTFIX_R81_10_JHF_T9_APACHE2_4_51_MAIN_GA_FULL.tgz and Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T14_FULL.tgz afterwards. Getting the best of all worlds?

The question is if this is sensible to do. Or if simply running the original image (take 335) with both fw1_wrapper_HOTFIX_R81_10_JHF_T9_APACHE2_4_51_MAIN_GA_FULL.tgz and Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T14_FULL.tgz gives you all the same fixes and whatnot rendering re-imaging using the new image unnecessary.

emmap
Employee
Employee

There is no need to re-install MHOs or gateways with the new take 338. The primary reason it was released is to address some upgrade issues observed when trying to upgrade systems with production load on it. If you have already upgraded your system, or clean installed it with take 335, installing JHF take 14 will include the same fixes. 

JHF take 9 is not compatible with the new take 338 of R81.10SP, so take 14 should be installed. 

Labels