Amir_Ayalon
Employee

Quantum Spark R82.00.10 has been released!

We are happy to announce Check Point Quantum Spark R82.00.10 has been released!

This release extends R82 support for Pro appliances and includes more R82 features, alongside a suite of other features and enhancements for both locally and centrally managed gateways.

The Release also adds support for the upcoming 2550 5G and 2570 5G Appliances.

 

Key Version Highlights:

  • R82 Alignment: Now providing comprehensive support for the 15x5 Pro appliance models, as well as the 1600, 1800, 1900, and 2000 series.

 

 

R82 features

  • QUIC inspection - Deep‑packet inspection of QUIC traffic (UDP/443) to maintain visibility even when apps shift away from TLS over TCP
  • DNS security - Blocks malicious domains and prevents data exfiltration via DNS tunnelling and other abuses
  • HTTPS inspection enhancements/bypass under load - Smarter SSL inspection with adaptive bypass to protect critical flows when appliances hit resource thresholds
  • ZeroPhishing (Video) - Real-time page scoring to stop credential harvesting and spoofed login pages before users submit data
  • IOC feeds - Allow you to configure a stream of malicious indicators (IPs, domains, file hashes) used to detect and block threats.
  • Network feeds - real-time integration of external threat intelligence (IPs, domains, file hashes) for automatic detection and blocking – now in EA
  • Quantum encryption - Quantum-safe cryptography using PQC algorithms (e.g., Kyber, Dilithium) to resist future quantum attacks.

 

Networking Enhancements

  • WiFi Band steering (Video) - steers clients via probe/association control to 2.4/5/6 GHz based on RSSI, capability, and airtime load, available on 2530/2550/2560/2570
  • BGP grouping - Groups multiple BGP peers with identical routing policies into a single peer group to simplify configuration and improve efficiency.
  • Cluster L2 - Locally Managed Spark appliances configured with bridge can be deployed as a cluster
  • DHCP cluster enhancement – having one DHCP server active at a time and sharing the lease info.
  • Allow cloned MAC on LAN-Bond

 

SDWAN Enhancements

  • CGNAT Cluster - Support for SD-WAN VPN peers behind CGNAT without DAIP configuration (must use Smart-1 Cloud if the Management Server must connect to the SD-WAN Gateway through a CGNAT interface)
  • Route Based Overlay with ECMP - Support for SD-WAN Overlay operating on top of Route-based VPN. In ECMP mode, SD-WAN selects both the best peer and the best path to reach the peer.

 

IPV6 enhancements

  • IPv6 Flexiport support
  • IPv6 static route probing
  • Multiple IPv6 Internet connections
  • IPv6 GRE  (6 in 4, 6 in 6, and 4 in 6) 

 

New Hardware

  • Support for the new 2550 WIFI 7 5G appliance – now in EA, GA is planned during Q1 2026
  • Support for the new 2570 WIFI 7 5G appliance – now in EA, GA is planned during Q1 2026
  • Support for the new 2590 high performance 1U appliance with 4x10GB SFP + 8x1GB SFP ports – now in EA

              

For additional information and release notes, please refer to: sk184357

Click here to see the general playlist of feature videos

 

32 Replies
Alex-
MVP Silver

A couple of questions:

 

  1. Is the PQC support available for locally managed? I don't seem to see it right away in the VPN settings or advanced settings
  2. Are AES GCM methods on the roadmap for locally managed?
0 Kudos
David_Evans
Collaborator

Well, my first test in my lab of a 1555 to R82.00.10 didn't go well. It passed traffic correctly for about an hour and then locked up tight. No ping, no SSH, no console. Hard powered off, and it came back and worked fine for about 15 mins and then did the same.

I reverted back to R81 and it is running fine. I'll give it another try and report back. I really don't want to have to wipe the config and rebuild as it's locally managed.

0 Kudos
Alex-
MVP Silver

Any specific configuration or blades?

I let run a 1535 with S2S VPN to a central location, DAIP, certificate-based auth and no issues to report after 24 hours before shipping.

The Spark only runs FW + IPSEC as it's in a remote location for infrastructure management systems access, no user traffic.

David_Evans
Collaborator

It's a lab device so every blade has been on at some point I'm sure.

But currently:
IPS
Virus
Anti-Bot
Client VPN

SSL   Categorize only

No IA, SDWAN, IOT, or IPV6...

I was hoping to config a GRE 6 in 4 tunnel as that is a need we have been working around.

 

0 Kudos
CaseyB
Advisor

Thanks for testing my use-case, I feel better about upgrading our lab appliance.

0 Kudos
Amir_Ayalon
Employee

Hi David,

If you can share more details it would be great.

We would like to see if there is anything special in your configuration.

Can you please send an email to amiray@checkpoint.com and Ohadp@checkpoint.com and we will continue there.

Thanks

Wolfgang
MVP Gold

Is it supported to manage a device running this release via Smart1-Cloud?

Smart1-cloud not SMP.

0 Kudos
(1)
mwakenell
Participant

I do not recommend this build for the 1555s.  We have deployed this build in our production SDWAN to a small set of appliances and so far 2 out of 3 1555s have crashed to where the site went hard down and the unit needed to be power cycled.  They would be operable for a day or so and then crash again.  Hardware was swapped and problem followed to the new hardware.  The appliance was reverted to R81.10.17 and no issues.  We tried running with minimal blades (FW, APP, IPS) and still had the same result.  Concurrently we have also installed on 5 2530s and no issues have been observed.  TAC case was opened without resolution at this point. 

0 Kudos
mwakenell
Participant

Does build fw1_vx_dep_R82_00_10_998001562.img address the concerns being reported?

David_Evans
Collaborator

I guess I'm happy that it isn't just my lab 1555. I'm always worried with a lab device it's some combination of things I've turned off and on over time creating a configuration mess that nobody else has. I've supplied some core dumps and backups to Checkpoint as well. Hopefully with another data point or two they can get it figured out.

0 Kudos
mwakenell
Participant

FYI, been running fw1_vx_dep_R82_00_10_998001562.img for a couple of days now on the production test sites. This was the recommendation from my TAC case.  One 1555 lockup so far and two have been ok.  This lockup was different than the previous ones. On fw1_vx_dep_R82_00_10_998001559.img, layer 2 was still announcing the MAC address but not usable.  The lockup today had layer 2 not replying to anything either. All Threat blades are enabled at this time.   

 

0 Kudos
Amir_Ayalon
Employee

Hi mwakenell, David_Evans

Thanks for reporting,

It seems to be occurring in a very specific situation; we are testing a fix now, and will update shortly.

David_Evans, you will probably get an image tomorrow.

mwakenell, can you please share your SR number? It is probably the same occurrence, yet I'd like to review the SR and verify.

(please share the details in private -  amiray@checkpoint.com and Ohadp@checkpoint.com)

Thanks

 

 

mwakenell
Participant

PM sent.  Thank you for the assistance.

0 Kudos
mwakenell
Participant

FYI new build released for 15x5...This one is TAC recommended.  Will update if I encounter any more lock ups.

https://support.checkpoint.com/results/sk/sk184357

0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Build 998001564 for 15x5 PRO series.

 

CCSM R77/R80/ELITE
0 Kudos
David_Evans
Collaborator

For those watching this thread, I've had 2 lockups on the 998001564 build.   I'm still working with support.

mwakenell
Participant

FYI, I have been able to keep a 1555 running for a week with TAC's assistance.  We are still on fw1_vx_dep_R82_00_10_998001565.img and had to change the operation mode.  

0 Kudos
the_rock
MVP Diamond

Is that newest firmware?

Best,
Andy
0 Kudos
Amir_Ayalon
Employee

Hi Guys

Please contact us directly for additional information and next steps.

(Notice that the issue does not impact the new 25xx Hardware)

amiray@checkpoint.com

Ohadp@checkpoint.com

 

0 Kudos
the_rock
MVP Diamond

Hey @Amir_Ayalon 

Just to clarify, do you think it's safe to upgrade new 2500 appliance to R82?

 

Best,
Andy
0 Kudos
mwakenell
Participant

Andy,

This is specific for 1555.  AFAIK, the 25xx (I have 2530s) is currently on fw1_t0_dep_R82_00_10_998001562.img.  I have had no stability issues with this build on the 2530s and have 10+ in an SDWAN production environment with FW, APPC and all threat blades running. 

(1)
the_rock
MVP Diamond

Thanks! It's possible the TAC person may not have been aware of that, but definitely good to know. I will discuss with my colleague and tell her it's okay to upgrade it once she does the config.

Best,
Andy
0 Kudos
jpherber
Explorer

Hi
Does anybody know if the 'Enhanced Link Selection' for VPNs that R82 for quantum gateways introduced is also available for the SMB R82 version?

0 Kudos
PhoneBoy
Admin

Doesn't appear to be since it's not listed as "New Feature" in the R82.00.10 firmware for SMB and it's listed as a limitation in the R82.10 Enhanced Link Selection docs.

0 Kudos
the_rock
MVP Diamond

Hey Amir,

Just wanted to update this thread with info we got from TAC. Customer replaced their old 700 smb with new 2500 series and one of my colleagues was helping them, but we never realized it was not supported to copy the config from show config output between smb appliances, as you normally can do with regular Gaia firewalls.

Anyhow, this did "work", but why I used quotes when I say that, is because new box seemed to respond, remote access vpn also functioned, but then next day, when customer logged into the web UI, they noticed when clicking on random tabs on the left, would give pop up error (can't recall what it said though). We thought, maybe updating to R82 version would make sense, but when we called TAC, engineer told us that method we used to copy the config most likely caused database errors issue and also informed us there are some known issues with R82 as well and she would not recommend upgrading to it, as it's highly unlikely it would fix the problem.

At this time, my colleague will get the device client will bring to our office, she will factory reset it and then configure from scratch. For now, they will use their old 700 series, hopefully only few days.

Just wanted to provide that feedback.

The silver lining (if you will) in this case is that this is very small place (maybe only 10 - 15 people), so they don't mind using an old box again, but it's definitely good to know method we used to copy the config would cause database errors.

Certainly something to be aware of next time.

Best,
Andy
0 Kudos
Tom_Hinoue
Advisor

Hi Andy,

From my experience:
"show configuration" output to be used for migrating settings like main train was never supported for locally managed SMB's for a long time until now. (I think it was on the roadmap once so looking forward to it though...)

The only way to do this is to manually edit the show configuration output and extract only the commands that work in CLISH or else some of the output will get stuck with specific characters that can't be used like the contents of the User Check.

Now back to your customers issue...
I believe issues rarely occur with the database if the configuration was really done by migrating the output of "show configuration" commands from 700, where I'm assuming the migration was done by using the backup file from the 700 device instead and was imported to the new 2500 which is not an officially supported path.

You need to either configure the device from scratch, or if you really "really" need to use the backup then you need to take multiple-steps for example...

700 (R77.20.87 latest GA) -> 1500 (R80.20.60 latest GA) -> 1500 (R81.10.17 latest GA) -> 2530/2550 (R82.00.XX)

Though, I really don't recommend taking the steps above... this is only for the last resort.

the_rock
MVP Diamond

Thanks, appreciated!

Best,
Andy
the_rock
MVP Diamond

Also Tom, wanted to update you...I spoke with my colleague and she told me that apparently, bunch of web UI settings that were on 700 smb appliances are not even present on new one, so not sure what part of config can even be copied, if anything. I really feel at this point it would be best to just do it all from scratch, to avoid any further corruption.

Best,
Andy
genisis__
MVP Silver

Andy - I have an open ticket with TAC regarding the use of an externally signed certificate for WEBUI management, i.e. it's not working even though the cert is correctly applied.
TAC are investigating this, but wondering if you've had that issue with R82.00.10?

0 Kudos
