- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Guys,
That build is causing significant traffic delays and CPU load is higher than that of R77.20.81.
Any of you experiencing similar problem ?
Hi Hristo,
what do you mean with jumbo hotfix? Did Check Point provide a newer build of R77.20.85? We are experiencing a similar problem with Gaia Embedded and R&D is still investigating.
Cheers,
Martin
Hello Martin,
Yes, it is new R77.20.85 build.
I notified guys from R&D I worked with about your question. I hope they will reply to you here.
Hello everyone,
Hristo was helping us during the last days to detect the issue and we provided him a possible fixed image on top R77.20.85 that seems to solve the issue.
We're currently working to make sure this image can be provided to all customers ASAP (QA cycle, automation..).
Thanks,
Keren Greenblat -
SMB Field Solutions Team Leader.
Hi Karen can we confirm this fix was also validating the slow GUI response for standalone. There has been cases reported to this and the two may have correlation due to the high cpu load.
High CPU load on locally managed SMB devices will cause slow GUI response anyway as the ressources are very small.
Agreed and simply highlighting to make sure QA covers all validation as the high CPU was not just on cental managed devices but local as well
I do have the information that one customer got rid of high CPU load on locally managed SMB after upgrade to R77.20.85 - so what is true for one user / one model / one production environment must not be true for others 🙂
I recommend that you open SR about the GUI issues you are experiencing. It is the right way to bring CheckPoint attention on it. This case was exceptional and brought directly to R&D's attention because it was totally preventing us from running the build in production environment. What I call "showstopper" case. Even so most software divisions won't allow this at all.
Hereby I want to thank R&D for the quick response and being flexible on investigating and fixing this. It was pleasure working with them.
Thank you everyone, I will test the jumbo fix this weekend first and if issue persist than SR will be initiated. The fact the fix did result positive to a customer on standalone, hoping for the same result. Plus there is already an SR for this w/other customers.
To close this thread:
CheckPoint have already released R77.20.85 build 751 that included fix for the above mentioned performance issue.
Thanks for the info, was hoping to see it updated on the original d/l page as it as still display build 731. I assume you installed this firmware build 751 in your environment and all is good?
Yes, few days in production already. No problems noticed.
Thanks appreciate the info. I will be updating my prods next weekend and test results.
Build is no longer available for download
build 751 is still available and downloadable. I agree that the firmware upgrade feature on the firewall adds no value. I believe CP has no way to distinguish firewalls with valid subscription vs. out of subscription and hence it never prompts you that a new build is available. That is my two cents, could be wrong.
New firmware versions are announced in CP UserCenter and in Embedded GAiA WebGUI. CPUSE on GAiA appliances is a very different engine and ecosystem that does not include SMB devices!
To "believe that CP has no way to distinguish firewalls with valid subscription vs. out of subscription and hence it never prompts you that a new build is available" is both very wrong and building maybe on a great lack of experience - i have seen the message that there is a new firmware available on SMS rather very often during the last years 😉
No lack of experience my friend, simply providing facts as it relates to me hence the statement I believe. I've been with CP since 96 and evolved with there echo-system on different platforms.
For the rare times SMB displays new firmware, I still have fingers left to count with. Consistency for this functionality to alert on new firmware needs to be improved. Again there may be a reason for this behaviour vs. design. My devices are still stating build 541 on r77.20.81 is up to date. Appreciate the feedback and glad to see the firmware functionality is working to your desired expectation.
If you do believe that CP has no way to distinguish firewalls with valid subscription you are just wrong.
CheckPoint must have blacklisted me because I cannot see 751 on Downloads page anymore
Same to me - maybe some others that still see it did not clear their browser cache
I can still see it and download it even in a different browser.
I suggest you steer clear of this build until it is actually documented. Remember what happened to me and build 701, which should not have been available.
That's because you are not blacklisted. May be only EU is
But you are certainly right. And I wonder how it happens that non-GA build slips through and appears on download page.. second time now.
Keren indicated build r77.20.85 build 751 is still going QA cycle and in a few days to be released, unclear if it's going to be a different build or same? Keren Greenblat are you able to clarify?, Appreciate it, as always.
I believe next GA firmware will be R77.20.86
I will be just happy to get a straight answer for this firmware before I upgrade. R77.20.86 I see at EA.
R77.20.85 build 751 is now official although I couldn't spot on the page what else was changed in it.
Now that you've been running with build 751, has it been stable for you? also if you ssh into the box and do the top command do you notice any zombies processes, just curious.
Yes, build 751 is very stable for me and also performance is good. I keep an eye on 'top' from time to time and haven't noticed any zombie processes. But notice that my one is centrally managed while I think yours is not.
Thanks,appreciate the info. I can only hope that results will yield the same for standalone.
Noticed today that I have 5 zombies and all are related to HTTPD, looking at the ps aux it shows zero memory/cpu. Anyone else seeing zombies?
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY