R82.10 Jumbo Hotfix Accumulator take #19 has been released today

Installed this on one of our 3920s, glad to see PMTR-123507 made this jumbo, hopefully PMTR-124993 will make the next one!

Worth mentioning that with this JHF on your Management Server, you can now use Policy Auditor in GA!

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Excited-to-announce-Policy-Audi... 

No issues management-side with that Take.

However, this Take nuked a 3920 ElasticXL cluster.

It was installed on both simultaneously because they're till in staging. Upon reboot, Eth9 was admin down on both and setting it admin up didn't restore the cluster. 1_1 reports 1/2 units and 1_2 reports 0/2 units.

Unit 2 was formatted again with ISOmorphic but even after multiple restarts, it won't appear as ready to join, although Eth9 is now up.

Removed the unit from cluster etc didn't change anything.

We'll format/fcd again 1_1 again to recreate the cluster and try again.

As I understand this JHF could be installed on 3900 appliances without any limitatations - I mean R82.10 older iso + JHF Take_22 (sk183557) or R82.10 iso Take_467?

BR

Daniel

That does not seem to make much sense for me: You want to install JHFA Take 19 on top of JHFA Take 22?

It seems that JHFA Take 19 is bound to R82.10 Take 467. But I must admit: You cannot read this from its name. This is "Check_Point_R82_10_jumbo_hf_main_Bundle_aarch64_T19_FULL.tgz" for QF 3900.

The history for 3900 is different - as per sk183557 you have info - "The content of Hotfix for Check Point Firewall 3900 Appliances Take 22 is included in Check Point R82.10 Take 467. You do not need to install Hotfix for Check Point Firewall 3900 Appliances Take 22 on top of R82.10 Take 467"

Br

Daniel

I understand that. But if you do not upgrade to R82.10 Take 467 (with JHFA Take 22 included), you would install JHFA Take 19 on Top of JHFA Take 22. That does not make sense. To make this short: I am pretty sure that JHFA Take 19 is only for R82.10 Take 467 – even if you cannot see this from filename or description.

I'm asking for 100% sure not just for pretty sure 🙂

The R82.10 Jumbo can only be installed on Take 464 or Take 467 as per https://sc1.checkpoint.com/documents/Jumbo_HFA/R82.10/R82.10/R82.10_Downloads.htm

3900 appliances launched with Take 271 - https://support.checkpoint.com/results/sk/sk183199

In order to be able to install the main train R82.10 JHF you need to either clean install the hardware with Take 467 or else upgrade to Take 467. In order to upgrade to 467 you would need to install the 3900 specific hotfix take 22 before upgrading https://support.checkpoint.com/results/sk/sk183557

Once upgraded to Take 467 you are then able to install the JHF take 19.

You can also use the Blink Image to upgrade from 3900 specific hotfix take 22 into R82.10 JHF take 19 

we will improve the JHF documentation so it will be clearer

Thanks 

Matan.

@Alex-  We had the same issue on a 3920 Elastic Cluster. Only reimaging both nodes restored it.

@Steffen_Appel I tried again after ISOmorphic-ing both systems to R82.10 build 467, so the one with the CRL fix.

-FTW the first unit, as ElasticXL SIC, install policy

- Eth9 disappears from the list of manageable interfaces as it's added to the Sync bond

- Add second unit in same site from the Cluster management page

- Unit 2 joins successfully and I have now an Active/Active, single site ElasticXL cluster

- Install Take 19 on both but sequentially this time, cluster breaks with one unit reporting 1/2 and the other 0/2 after reboots

- Eth9 is visible again as discrete interface in admin down state

As you mentioned, only FCD the systems allows the ElasticXL cluster to work again. For now, we'll have to leave it with the base R82.10 467 image because it will need to go in production soon and this Take is clearly hostile to that platform.

@Alex- we opened a SR for the issue.

JHFA and 3920 seems to be a problem. Hotfix 6 made an remotely installed box unresponsive

This is another example where the documentation / information needs to be much improved.

Jumbo Hotfix (Take 19) is for the ‘GA2’ release of R82.10 only.

This was the version released as Take 464 on 24 Dec 2025. Check Point have done a poor job of communicating that the ‘GA1’ and ‘GA2’ releases are separate and distinct versions, even though they are both R82.10… Life would have been much less complicated if the ‘GA2’ release had been called R82.11 - but that would have been too simple!

The original ‘GA1’ release (Released as Take 271 on 1st June 2025) was only ever available for ARM based appliances, whereas the ‘GA2’ release is available for both ARM and x86-64 platforms.

You need to perform a full upgrade to move from the ‘GA1’ to ‘GA2’ release. You can’t just install the latest Jumbo Hotfix package.

My understanding is that the ‘GA1’ release is now EOL and won’t be receiving any more updates, so everyone needs to plan an upgrade cycle soon, rather than later. We have a single 3900 series cluster running Cluster XL (not Elastic) and haven’t had any issues, but we won’t install any Hotfix packages until they reach ‘Recommended’ status, so we’re still on the initial release from December.

@Steffen_Appel Indeed, JHF 19 also seems to be hit-or-miss.. mostly miss.  I had JHF 19 torch an 3980 two nights ago.  Surprisingly, I had success with JHF 6 on a  3980 and 3950 when using Blink to upgrade GA1 to GA2.  I had "Blink with JHF 19" also break a 3950 when upgrading from GA1.  However, this 3950 was able to take JHF 19 eventually.

I'm highly certain I've found a reboot bug, and a grub boot menu bug, in both GA1 and GA2, but I'm going do a test with the customer tonight and find out.

I'll open an SR for this. At this point, I suppose the relevant teams are aware of the issue but at least we'll get a statement and this will add one more file to the pile.

Looks like we're going to have to go in production with the base image.