First thing that I noticed was lack of Identity Collector support:-(

Something else that is also not clear is whether central management is supported for Spark 1500's running R81.10.  Management release notes only mention 1600 and up.

Look above:

This release supports locally managed only (Local + SMP). Centrally managed is supported at EA level.

Hi

1.Identity collector is supported for centrally managed appliances.

2.The firmware released support centrally managed, we just didn't have enough EA coverage , so it was released for the time being as EA.

To centrally managed R81.10.00 you will need MGMT R81.10 + JHF55 or R81.10 + JHF66, or R81.20

thanks 

The feedback a bit confusing, release notes says locally managed SMBs. So i cant test the new gaia embedded if my SMBs are centrally managed say on SMS with R81.10 or better (with latest HFA)????

Yes, you can - write a personal note to @Amir_Ayalon !

Have you tested this already?. Putting R81.10.10 on an SMB which is Centrally managed?

No - i only have one 1500, locally managed and in production, so no way...

What is R81.10 JHF 5 ? I only know of

• Take 55 - General Availability
• Take 66 - Ongoing

Yes,

sorry for the confusion.

you are correct.

you need MT R81.10 JHF take 66 that supports LSM+SMC

MT R81.10 JHF take 55 supports only SMC

Identity collector is supported for centrally managed appliances.

Typo?

Management should be R81.10 JHF T55 or higher to manage the 1600 upgraded to R81.10.00 (currently this is EA status)

Does the issue persists if you resolve the issue with the rules using time objects?

yes typo sorry my bad.

I meant R81.10 JHF66..

I am not sure what issue you are refering to with the time objects. Can xou clarify? 

The error message you posted shows a warning about time objects amongst other things.

Are you running the EA code?  Central management is not supported in this GA release.

"This release supports locally managed only (Local + SMP). Centrally managed is supported at EA level."

See sk179004

CCSM, CCTE, CCCS, CCSE, CISSP, Security+ and more

Do I need another software package for the EA features? I only found the one from the official sk and assumed that it includes the EA features for the central management.

Please clarify.

Thanks in advance

Hi

no, the same firmware (r81.10.00) that was released support both locally and centrally managed,

we simply decided to GA only locally as we didn't have enough EA coverage for centrally managed.

QA coverage is the same for both locally and centrally managed.

Hi Amir,

Do you have a feel for when R81.10 may be GA for centrally managed? is it likely to be days/weeks/months?

Thanks

Depends on the number of customers that try this version and report any issue to CP. Kind of egg / hen problem 8)

Hi,

As i remember there was a bug in JHF 55 that you can't upgrade SMB cluster (R81.10.00). you need to manually upgrade each member.

this bug was resolved in JHF 66 .

if this is what you encounter in JHF 66 - please drop me an email. amiray@checkpoint.com

Hi,

we have a similar issue with a single 1530 GW on 81.10.00, the installation fails with Error Code: 0-2-20000025.

@Amir_Ayalon @Chris_Atkinson 
Hey guys, we performed some additional troubleshooting with our policies.
And it turns out that Zone Objects are causing the troubles when installing the objects on the gateways.

So for example we are getting the error if we have a Zone Object in the Policy which is not defined on our 1600 Gateways. (Even tough the 1600 gateways are not defined as installation targets. 
So we think somehow that during policy compilation installation targets are not being considered. 
Our Policy is strongly depending on Zones and Inline Layers combined with Security Zones.

Unfortunately it seems like that exactly that is causing our policy installation problems on the SMB appliances.

I guess there are still some issues in the new codebase with inline layers and zones.
How should we proceed? Can we get some EA support? Or should we open a Support case? 
What do you recommend?

Thanks in advance for the help.

Hi cgubesch

thanks for the RS yesterday.

the way to proceed is to open an SR and say R&D ask for a Task.

in order to proceed we will need from you the management backup (we tried to replicate today you scenario , but it wasn't replicate)

please collect database backup from management server and include in the SR.

The steps are very simple,

For SMS deployments:

1. Collect management server database:

# cd $FWDIR/bin/upgrade_tools

# ./migrate export <name of the file>

2. Collect additional information:

# cpinfo -z -o /var/log/tmp/<name_of_the_file>.info 

For MDS deployments:

1. Collect MDS database:

# mds_backup -l -d /var/log/

2. Collect additional info to have an idea about configuration, addresses, fixes etc.:

# cpinfo -y all

# mdsstat

# ifconfig

# df -h

In general this is an issue I think. The same rings true for Identity Awareness for example. You can't install a policy with inline layers that use Access Roles, even if the gateway without the IA blade enabled is not in the install target for that inline layer.

@Douglas_Chenjer is there a R81.10.10 version?

And if so? How can I get my hands on it 🙂

That is a typo - current is R81.10.00

Currently, only R81.10.00 Gaia embedded firmware is available. It works with SMBs managed locally, from SMP or Centrally.