They did it again - in addition to sk151574: R77.20.87 for Small and Medium Business Appliances, we now have the fresh new sk153433: R77.20.87 Jumbo Hotfix Accumulator with the new firmware image Build 2960.
Nice to have a new build and a list of resolved issues - but for what reason name it Jumbo HF (which it is not, just a plain installation image containing fixed components)? Or will R77.20.87 stay as a kind of final version for 7x0/9110/14x0 models that will get updated this Jumbo HF way from now on?
I think the answer is hidden in this sentence: "This Incremental Hotfix and this article are periodically updated with new fixes."
Yes, I did read it - but this is not a Hotfix, but a (some bugs fixed) firmware image. But I do not like this terminology here because - technically speaking - it is just wrong... Sounds like a marketing McGuffin - we now even have a Jumbo for SMB appliances (broad smile)!
Yeah, sounds a bit funny to have JHF for SMBs 🙂 But I think this comes from the CheckPoint internal development process for releasing hotfixes and it is more or less unified for all kinds of devices. Only the way it is delivered is different.
I see a basic difference between them - a current CPUSE HFA / Jumbo contains fixed software pieces (e.g. rpms, scripts, binaries) and a lot of installation intelligence. The R77.20.87 Jumbo Hotfix Accumulator is a (sequence of) new firmware image(s), nothing else.
Ah yes, good old "terminology"...I hear ya brother ; - )
Some time ago I gave feedback in sk156192 TCP SACK PANIC requesting a link to the - available - SMB firmware version. Now it has been updated as follows:
SMB (700/900/1400) - R77.20.87 Jumbo Hotfix Accumulator - Build 2960 (and higher).
SMB (600/1100/1200R) - Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
Did anyone here test build 2960? Is it good? Can I move from 2929 with no worries?
I have been running it for a few days already. It is super stable for me. Centrally managed cluster of 1470s.
Great! Thanks
FYI,
I have been supplied build 965 of R77.20.87.
This was to fix an issue where the defined proxy port was being overwritten by a default port of 8080. It is running on at least 4 devices currently without issue.
Not only IPSO was distributed that way, but also the predecessor of GAiA Embedded running on Safe@Office / Edge appliances called Embedded NGX. We also had the separate bootloader and ADSL firmware files in Embedded NGX. But installation was only possible using TFTP 😞...
Now the reason became obvious, R80.20 for SMB is out (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...), but it does not support the 1400, but they will stay on R77.20 - not good.
I believe the release of R80 only for the new SMB line is purely for marketing and support reasons because technically they are not that much different than the current 1470/1490 one. These devices will always be with a short support period.
I do not have the CPX presentation around here to check but I remember it talked about R80 for SMB not promising that it will be the 14** series that will get it. Might be wrong actually.
But let's face it. If you really need layered policies, multi-core support and so on then it is likely that you have traffic that requires a more powerful appliance than what SMB is offering. And the performance stated by CheckPoint for the SMB line is a bit more than what they can really handle.
Don't get me wrong here. I agree that the lack of a clear statement on when and for what devices R80 will be released brought some confusion. But I am happy with the current firmware and so far R80 for SMB does not offer that much more to really want to upgrade.
One open question is, when the 1400s will go end of sale.
Per https://community.checkpoint.com/t5/SMB-Appliances-and-SMP/Gaia-Embedded-R80-10/m-p/3434#M3 it was planned for 700/1400.
Now all is becoming much more unclear - a new firmware has been released, R77.20.87 Build 990172972 for 700/900/1400 Appliances. But there is neither any documentation about this build nor is it listed under R77.20.87 Jumbo Hotfix Accumulator - so I really do not know what to think about this...
Come on... 🙂 This is an old story. Sometimes JHAs made to fix particular problem(s) for particular customer(s) make their way to download server. Like mine here:
# ver
This is Check Point's 1470 Appliance R77.20.87 - Build 973
Not so very old story - as there is no documentation at all and new firmware versions should be included in sk153433: Jumbo Hotfix Accumulator for R77.20.87 page!
> This is Check Point's 1470 Appliance R77.20.87 - Build 973
This is not available from the CP download server.
Another strange error in the R77.20.87 Jumbo Hotfix Accumulator page is in resolved bugs listed as Available in Private Builds only. See SMB-9759 New Advanced Settings option: PS engine settings - Allow protocol unknown commands. This Advanced Setting is already available in R77.20.87 (990172960), so we need no private build to use it. I have given the fitting feedback...
Anyone tried the latest jumbo fix R77.20.87 build 120?
Not me, still happy using 990172913.
Thanks, will give it a bit to see if any issues are reported. After all, CP1400/700 after Oct-2022 will no longer receive any firmware updates (jumbo fixes) as it's EOL. EOS is good until 2024 if you have the subscription to that time period.
If I don't see many reported issues, I will install it and try to stay on the latest, given the issues I am having with the GUI coring, though disabling the antibot blade seemed to make a huge difference in that issue not reoccurring. So something with that blade is affecting memory. Anyhow, thanks for the response.
Not yet, but I will.
The previous public build (990173083) has an annoying bug with the cluster wizard.
If you don't complete the wizard or cancel it, next time you come back, the Configure Cluster button is broken, and you can't start the wizard again.
Nothing I tried could fix this, backup/restore to a new unit even brought the issue in.
TAC's solution was to upgrade to a later private build, which at first seemed to fix the issue, but really only reset the wizard's state.
Learned it the hard way when I (re)scheduled the cluster setup with my customer, checked remotely the day before that the wizard button was OK, did not cleanly disconnect, then could not use it again on D day...
Also, the same units were highly unstable for a while, which was seemingly due to running the DHCP service for a /23 network.
(What pointed me in this direction was ugly errors in the DHCP log, and a UI bug which forbade using a 192.168.0.A to 192.168.1.B range with B lower than A).
I did not really investigate it, moved the DHCP service back to the NAS where it was running before, and they've been stable since then.
I like seeing things like "General stability fixes and performance improvements" in a changelog.
Let's hope this new build lives up to it.