G_W_Albrecht
Legend

SMB Appliances R77.20.81 firmware

As Hristo Grigorov wrote lately in the discussion SFWD process crash, the R77.20.81 firmware is here and it seems that process SFWD is more stable now. But that is not even listed in R77.20.81 firmware Resolved Issues, so I bring here the more obvious news.

 

What will make many sad is that this and future releases do not support 600/1100 appliances. As End of Support for these is June 2022 and End of Engineering Support is June 2020, R77.20.80 is the last official firmware release for 6x0/11x0 appliances...

 

But that is not all of the not-so-good news - one of the three additional features is restricted: Multiple WAN interfaces are not supported on 600, 1100, and 1200R appliances. While we would be sure of the first two (as the firmware itself is not supported, too), excluding the 1200R and including only 7x0/14x0/910 models is not very generous 🙁...

 

Much more helpful is another addition: Download CA certificate (Portal) for SSL/TLS inspection. Download the gateway CA via the ICA Portal without the need to enter the WebUI. The third one, Blocking Applications and Categories from the SMP, is welcome to Service Providers using SMP portal for managing SMB appliances.

 

There are even pitfalls to the new WAN IFs: Multiple WAN interfaces are not supported on 730/750/1430/1450 appliances with boot-loader version 82 or older. For more information see sk138912.

CCSE CCTE CCSM SMB Specialist
27 Replies
PhoneBoy
Admin

I don't think we've said that future releases won't support the 600/1100 appliances, only that this particular firmware release does not.

It's entirely possible the multiple WAN port feature requires certain hardware capabilities which may not exist in some of the appliances.

0 Kudos
HristoGrigorov

I think you did say just that:

Copy from R77.20.81 for Small and Medium Business Appliances 

Important: this and future releases do not support 600/1100 appliances. 
The supported appliances are:

  • 700
  • 910
  • 1400
  • 1200R
0 Kudos
HristoGrigorov

I am not sure devs know they fixed the sfwd crash, hence why it was not documented. My SR about it is still under investigation. We do not yet know if sfwd crash was bug in the code or some specific appliance setup/usage.

Anyway, sfwd indeed looks more stable now. It still leaks memory but that is something I can live with.

Oh, and checking for new firmware in 77.20.81 is broken:

[sfwd 5408 1737457664]@CPFW-1[29 Oct 14:30:58] sfwd_cloud_run_firmware_upgrade_check: No valid Internet connection.
[sfwd 5408 1737457664]@CPFW-1[29 Oct 14:30:58] sfwd_cloud_update_DB_CFU_status: Updating status to 'FIRMWARE_ONLINE_UPGRADE_STATUS.INTERNET_DISCONNECTED' (code 109)

Both Internet connections are working just fine. I never liked it not being able to disable automatic firmware check so for me this is actually good news 🙂

0 Kudos
PhoneBoy
Admin

I stand corrected then. 🙂

The 600/1100 have some hardware limitations that limit the ability to add additional features.

I presume we will still provide bugfixes as needed.

0 Kudos
G_W_Albrecht
Legend

Yes, bugfixes will be provided until engineering support has ended. But no more official firmware releases will be available for these models...

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Out of curiosity, what happened to the plans to release R80.20 for SMB?

0 Kudos
PhoneBoy
Admin

It's still in the plans but not near-term.

0 Kudos
Pedro_Espindola
Advisor

If I have Bootloader version 75, will the new version R77.20.81 break anything or it only limits the new features I can use?

0 Kudos
HristoGrigorov

It will only limit use of FlexiPorts. It should not break anything.

Pedro_Espindola
Advisor

Great! Thanks

0 Kudos
PhoneBoy
Admin

Just to clarify the position on 600/1100 firmware: We will continue to issue 600/1100-specific firmware releases with security, stability, and bug fixes.

They will be separate from releases for the 700/900/1200R/1400 appliances, which often contain new features that do not apply to the 600/1100 due to hardware limitations.

HristoGrigorov

Thanx for the update Dameon.

Now that we have more or less stable firmware I did some tests and I must say that 1470/1490 series has quite some potential. It can handle quite a lot actually. I hope future firmware releases improve even more on stability and reliability, like fix those memory leaks on policy installs, HTTPS Inspection same as on higher class appliances, GeoPolicy etc.

If I was CheckPoint, I would drop local management for these appliances. Come on, why would I pay the price to have something that has half the capabilities it can?!? 

Also, possibility to unlock 4th core on 1470 would be really nice. It kind of disappoints me to know there is a power that is there but cannot be used. And paying the price for a new appliance is just too expensive. Anyway, we have discussed that already.

A clear roadmap on the future of SMB is also welcome. 

0 Kudos
Pedro_Espindola
Advisor

"Why would I pay the price to have something that has half the capabilities it can?"

Because for central management you also have to buy the expensive management.

Plus, the 1400s are good for MSPs because you have the flexibility of using central management or local management with a SMP.

HristoGrigorov

Yeah, I forgot about the SMP. Also Web UI is constantly improved. 

G_W_Albrecht
Legend

I hate to see such a ... question - it is not important if it is called R77.20.99 or R80.20! You can never win a horse race if your cart is pulled by mice.

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend

0 Kudos
HristoGrigorov

It is not that bad. If you take away TP blades it can process quite a lot of traffic actually (after all it can handle 150K concurrent connections according to vendor). I have similar hardware toys here that do it very well in this respect. But I am talking mostly about 1470/1490 series.

0 Kudos
G_W_Albrecht
Legend

If I take away TP Blades I will never need R80.20 at all!

CCSE CCTE CCSM SMB Specialist
SantiagoPlatero
Collaborator

Sorry guys for interjecting here and bringing an old thread back to life, but I'm also very interested in Check Point's plans for SMB appliances regarding R80... Because it's not only about the TP blades, we have a handful of other functionalities (for instance Unified Policy, to name a big one) which are only supported for R80.10 gateways and above.

Also, to not only focus on the blades or features: let's think about ICS/SCADA environments... These infrastructures are, more and more, a critical issue for a lot of companies (private or public ones) and Check Point only offers a 1200 rugged appliance, which we don't know if in the future will fall through in comparison to a R80.x Open Server or small enterprise appliance... With the aggravated issue that it's almost impossible to put "normal" servers/appliances (not rugged) in a very controlled environment like where ICS/SCADA equipment is.

So I'm with Hristo Grigorov here and I think the request remains: it would be nice for us, as customers, to have better reassurance from Check Point regarding the roadmap for SMB and R80 (especially when I'm planning to replace an R80.10 Open Server with a 1450 appliance, he).

And I would like to remark the "reassurance" term, as I believe the interest of Check Point to bring major versions upgrades for SMB appliances show to us how Check Point thinks the SMB market.

Again, sorry for bringing back maybe an old discussion... I'm starting to think sometimes I'll be perceived here as a forum troll

G_W_Albrecht
Legend

Any plan to replace a R80.10 Open Server by a 1450 appliance is an illusion - like replacing a bus by a bicycle... As centrally managed SMB Appliances use the R80.10 rule base, you are able to use Unified Policy - but not on locally managed SMB appliances. If you look at the price tags, a direct comparison with R80.x Open Server or small enterprise appliance does not make much sense. SMB is a different playing ground - as watering a bonsai will not make it grow to 6 meters, you will need more hardware resources to run R80.10 GAiA that are equivalent to traffic load and used blades than are present on SMB.

CCSE CCTE CCSM SMB Specialist
0 Kudos
SantiagoPlatero
Collaborator

We'll replace it 'cause that Open Server, although is licensed to only one core, it's a huge overkill: that Open Server has less than 5% CPU usage almost all the time, an average throughput below 25% if I compare it with the real-life TP throughput according to the 1450 datasheet, but also we're working closely with local SE to be sure.

But that's another discussion I think. I'm pointing out the "speculation" we customers have to do about the CP's future vision for SMB appliances.

P.S.: good to know the Unified Policy should work, will look into that in another 1450 we have.

0 Kudos
PhoneBoy
Admin

We are planning an R80.x based version for SMB, but the exact timelines have not yet been finalized.

HristoGrigorov

I will largely speculate here but once there is stable R80.20 for Gaia it will be "ported" for Gaia Embedded as well. Maybe they are cooking it now because R80.20 is already considered stable?

But, do not forget what Gunther said. What features will be ported is not very clear because limited resources on SMB are imposing some restrictions. I will be personally happy if we get almost the same Firewall and VPN blades and be realistic about TP blades and do not expect too much about them.

Pedro_Espindola
Advisor

I hope they bring unified policy and inline layers. Main issue is that if I have a SMB appliance, I have to refrain from using those features in my entire policy or have a separate policy for it.

Also, I am hoping for HTTPS Inspection + URL Categorization working together. The fact that HTTPS Inspection disables URL categorization for ssl inspection bypassed networks is a huge headache.

If they deliver this, I guess it will solve 99% of my problems.

Steffen_Appel
Advisor

Hi,

the EOL date for the 1100s is June 2022, the EOL for R77.20.X embedded is May 2020. What will happen in between?

0 Kudos
PhoneBoy
Admin

We will continue to support the most recent R77.20.X available for the 1100 until hardware EOL.

Steffen_Appel
Advisor

Then you should adjust the info about the EOS on the webpage 🙂
