(My objective read based on sk180605 — no marketing, just operational impact)
Below is a direct summary of what has changed in Check Point Quantum SD-WAN, which issues were addressed, and which designs become more viable for architecture and operations — as documented in sk180605.
Where relevant, I explicitly call out the minimum version / Jumbo Hotfix Take.
Main recent changes and improvements
1) Expanded Overlay VPN support (Multi-Domain / Global VPN Community)
- An Overlay VPN can now be created between gateways managed by different domains, using a Global VPN Community in an MDS environment, starting with R81.20 Jumbo Hotfix Take 79.
- Previously, this was only possible between gateways managed by the same Management Server.
Practical impact: enables SD-WAN in organizations with domain-based governance (MDS), reduces workarounds, and simplifies cross-domain expansion.
2) Official support for Policy-Based Routing (PBR)
- SD-WAN supports PBR configuration on the Security Gateway starting with R81.20 Jumbo Hotfix Take 79 (and continuing in R82.x).
- Previously, PBR was not officially supported alongside SD-WAN.
Critical operational detail (priority / precedence):
To make a PBR rule take precedence over SD-WAN steering, give it a priority number lower than 100. Gaia evaluates PBR rules in ascending priority number (lower number wins), and SD-WAN local breakout is itself implemented PBR-style and competes in the same precedence order, so a rule at priority 100 or above is evaluated only after SD-WAN steering and its decision may be overridden. Before assigning a number, list the existing rules with `show configuration pbr` to avoid collisions; a priority below 100 is the safe standard whenever the PBR decision must win.
3) Gateway limit increase in Star VPN Community
- The maximum number of gateways in a Star VPN Community used by SD-WAN is raised to 400 (previously 250), with 500 in R82.x Early Availability.
Practical impact: makes SD-WAN more applicable to large hub-and-spoke environments, reducing the need to split communities purely due to limits.
4) Support for Dynamic Routing in Overlay VPN
Practical impact: enables more enterprise-grade designs (scale/convergence/ops), reducing dependency on static routes in overlays.
5) Resolution of symmetric return path issues (inbound Internet)
Practical impact: eliminates one of the most painful multi-ISP failure modes (sessions breaking due to return-path asymmetry), especially for published services and state/NAT-sensitive applications.
6) DAIP (Dynamic Address IP): improvements, but constraints remain
Practical impact: unlocks additional use cases at the WAN edge with dynamic addressing, but requires careful design for multi-link dynamic scenarios.
7) Support for SecureXL Kernel Mode (KPPAK)
Practical impact: reduces friction between SD-WAN and performance/acceleration requirements in environments that rely on Kernel Mode.
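As an added example (not from sk180605 and not Check Point code), the script below audits a `show configuration pbr` dump against the precedence rule from item 2: it groups the `set pbr rule priority N ...` lines into rules, flags every rule at priority 100 or higher that SD-WAN steering will pre-empt, and suggests a free priority below 100 for a rule that must win. The configuration lines are constructed sample data, the threshold of 100 comes from the sk summary, the line format is Gaia's clish PBR syntax, and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Precedence boundary from the sk180605 summary: a PBR rule must have a
# priority number below 100 to be evaluated ahead of SD-WAN steering.
SDWAN_PRIORITY_THRESHOLD = 100

# Constructed sample in `show configuration pbr` format (not captured from a
# real gateway). Rule 50 pins a voice subnet to ISP1 and will win; rule 150 is
# meant to pin a management subnet to ISP2 but sits at/above the threshold, so
# SD-WAN steering decides first and the rule is ineffective for steered traffic.
SAMPLE_PBR_CONFIG = """\
set pbr table VOICE_ISP1 static-route default nexthop gateway address 198.51.100.1 priority 1
set pbr table MGMT_ISP2 static-route default nexthop gateway address 203.0.113.1 priority 1
set pbr rule priority 50 match from 10.10.5.0/24
set pbr rule priority 50 action table VOICE_ISP1
set pbr rule priority 150 match from 10.10.9.0/24
set pbr rule priority 150 action table MGMT_ISP2
"""

RULE_RE = re.compile(r"^set pbr rule priority (\d+) (match|action) (.+)$")


@dataclass
class PbrRule:
    priority: int
    matches: List[str] = field(default_factory=list)  # e.g. "from 10.10.5.0/24"
    table: Optional[str] = None                        # PBR table the rule points to

    @property
    def outranks_sdwan(self) -> bool:
        # Gaia evaluates PBR rules in ascending priority number: lower wins.
        return self.priority < SDWAN_PRIORITY_THRESHOLD


def parse_pbr_rules(config_text: str) -> Dict[int, PbrRule]:
    """Group `set pbr rule priority N ...` lines into one PbrRule per priority."""
    rules: Dict[int, PbrRule] = {}
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # table definitions and unrelated lines are skipped
        priority, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        rule = rules.setdefault(priority, PbrRule(priority))
        if kind == "match":
            rule.matches.append(rest)
        else:
            tm = re.match(r"table (\S+)", rest)
            if tm:
                rule.table = tm.group(1)
    return rules


def audit_pbr(config_text: str) -> List[str]:
    """Return one finding per PBR rule that SD-WAN steering will pre-empt."""
    findings = []
    for rule in sorted(parse_pbr_rules(config_text).values(), key=lambda r: r.priority):
        if not rule.outranks_sdwan:
            findings.append(
                f"priority {rule.priority} ({'; '.join(rule.matches)} -> table {rule.table}) "
                f"is >= {SDWAN_PRIORITY_THRESHOLD}: SD-WAN steering wins, rule is ineffective"
            )
    return findings


def suggest_priority(config_text: str, wanted: int) -> Optional[int]:
    """Lowest unused priority >= wanted that still outranks SD-WAN, or None."""
    used = set(parse_pbr_rules(config_text))
    for candidate in range(wanted, SDWAN_PRIORITY_THRESHOLD):
        if candidate not in used:
            return candidate
    return None


if __name__ == "__main__":
    for finding in audit_pbr(SAMPLE_PBR_CONFIG):
        print("FINDING:", finding)
    print("Suggested priority for the management rule:",
          suggest_priority(SAMPLE_PBR_CONFIG, 50))
```

Run it against a real `show configuration pbr` dump saved to a file and it reports the rules that only look like they override SD-WAN; the suggestion helper deliberately refuses to hand back anything at 100 or above, so a rule that cannot be moved below the threshold has to be redesigned rather than renumbered.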
Resolved issues (consolidated view)
- Overlay VPN between different domains (via Global VPN Community in MDS): R81.20 Take 79+ / R82.x.
- Official support for PBR and dynamic routing: R81.20 Take 79+ / R82.x.
- Symmetric inbound return path: R81.20 Take 79+ / R82.x.
- Expanded gateway scale in Star VPN: 400 (and 500 in R82.x Early Availability).
- Support for SecureXL Kernel Mode (KPPAK): R81.20 Take 96+ / R82.x.
- Multiple limitations clarified and moved into official documentation status.
Important limitations still present
- No support for VPN Implicit MEP when only some central gateways use SD-WAN (R81.20 / R82.x).
- No support for Overlay VPN over VTI Unnumbered (R81.20 / R82.x).
- No support for interfaces with Network Type "Private" (Non-Monitored) (R81.20 / R82.x).
- No support for SD-WAN on VSX, Maestro, or Active-Active clusters (R81.20 / R82.x; addressed only in future versions / Early Availability per sk180605).
- Some DAIP and static NAT limitations still apply (R81.20 / R82.x) and should be validated case by case.
Future possibilities (as indicated in or around the sk)
- Up to 500 gateways in a Star VPN Community (R82.x Early Availability).
- QoS, monitoring, and enhanced NAT (new capabilities announced for 2025, R82.x Early Availability).
- Expanded support for cloud clusters (Geo Cloud Cluster in AWS, OCI, etc.).
- Ongoing improvements to Infinity Portal integration and onboarding automation.
- Broader coverage for hybrid and multi-cloud operational patterns.
Visual summary

| Change / Fix | Version / Take | Notes |
|---|---|---|
| Overlay VPN across domains | R81.20 JHF Take 79 | Global VPN Community (MDS) |
| PBR support | R81.20 JHF Take 79 | Official support; PBR priority < 100 if it must outrank SD-WAN steering |
| Dynamic routing over Overlay VPN | R81.20 JHF Take 79 | Official support |
| Star VPN Community limit | 400 (500 in R82.x EA) | Previously 250 |
| Symmetric inbound return path | R81.20 JHF Take 79 | Fixed |
| SecureXL Kernel Mode (KPPAK) | R81.20 JHF Take 96 | Official support |
| QoS / Monitoring / NAT | R82.x Early Availability | New capabilities for 2025 |
Reference (canonical source): Check Point sk180605.
If you want, I can add a short “validation checklist” for upgrades to R82.x focusing on the failure modes these changes directly address (multi-ISP inbound symmetry, cross-domain overlay, PBR precedence, and SecureXL KPPAK).