- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hello everyone.
For a client, we are going to perform a tech refresh of some old equipment to 9000 models.
The issue is that one of these old firewalls has version R80.30. We have tried in the past to migrate equipment from an old model with R80.30 to a new model with R81.20, but there have been many problems and the client has become mad because they are a financial institution and are quite tightly controlled.
Therefore, we are proceeding with downgrading the new equipment so that they have the same version when migrating. Yes, I know it's bad practice, but we have no other option.
I am creating this post to ask if you know whether the 9000 models still support R80.30 versions.
I would appreciate any comments.
Best regards.
These EOL version (R80.x) are not supported on this hardware, please refer:
https://www.checkpoint.com/support-services/support-life-cycle-policy/
Hey @Smorales
Im afraid method you want to do would never work. Now, having said that, what was the issue with the config from R80.30?
What I always do is run show configuration from an existing fw, then save it, and copy bits and pieces to new firewall, just MAKE SURE interfaces reflect correct names.
That method never let me down.
Again, I cant comment what happened in their case, but to me, thats most logical approach.
Best,
Andy
Hi Smorales,
This sounds like a problem that needs to be resolved with carefully planned discussions with the customer.
They are leaving themselves exposed in many ways with that solution.
If they are truly tightly controlled then they would be more open to adhering to best practices around the security solution.
They really have to appreciate the technical solutions and capitalise on the investment.
I can't see how some careful planning can't lead to a successful migration to the new hardware and a supported version.
I would not even try to use the older versions on the newer hardware because of Linux kernel versions.
There is also the possible performance issues that could be caused, IF it worked, and then the issue of being unsupported and various other issues that you might be exposed to.
In https://support.checkpoint.com/results/sk/sk181698 (Quantum Force 9000 Appliances) you can see this note, which may be important in their case:
Important Notes:
and also this note, which critical to be aware of:
Let us know if there is anything we can help with but Andy @the_rock is correct to point to the show configuration and interface configuration.
I would also look to document any other non-standard configurations, for example interface speeds, duplex and buffer settings, on both the appliance and switch side, and then plan the new appliance interface configuration around that.
In my experience it is better to plan as much as possible and then deal with any issues afterwards, hoping that they are minimally disruptive and with the support of the customer.
Hope that helps.
These EOL version (R80.x) are not supported on this hardware, please refer:
https://www.checkpoint.com/support-services/support-life-cycle-policy/
Hey @Smorales
Im afraid method you want to do would never work. Now, having said that, what was the issue with the config from R80.30?
What I always do is run show configuration from an existing fw, then save it, and copy bits and pieces to new firewall, just MAKE SURE interfaces reflect correct names.
That method never let me down.
Again, I cant comment what happened in their case, but to me, thats most logical approach.
Best,
Andy
Hi Smorales,
This sounds like a problem that needs to be resolved with carefully planned discussions with the customer.
They are leaving themselves exposed in many ways with that solution.
If they are truly tightly controlled then they would be more open to adhering to best practices around the security solution.
They really have to appreciate the technical solutions and capitalise on the investment.
I can't see how some careful planning can't lead to a successful migration to the new hardware and a supported version.
I would not even try to use the older versions on the newer hardware because of Linux kernel versions.
There is also the possible performance issues that could be caused, IF it worked, and then the issue of being unsupported and various other issues that you might be exposed to.
In https://support.checkpoint.com/results/sk/sk181698 (Quantum Force 9000 Appliances) you can see this note, which may be important in their case:
Important Notes:
and also this note, which critical to be aware of:
Let us know if there is anything we can help with but Andy @the_rock is correct to point to the show configuration and interface configuration.
I would also look to document any other non-standard configurations, for example interface speeds, duplex and buffer settings, on both the appliance and switch side, and then plan the new appliance interface configuration around that.
In my experience it is better to plan as much as possible and then deal with any issues afterwards, hoping that they are minimally disruptive and with the support of the customer.
Hope that helps.
You are 100% correct Don, as usual.
Here is something I always say to people, not because I dont sugar coat anything, but because I always believed and always will that honesty is the BEST policy and people desrve to know the facts.
So, first off, there is no point crying over spilled milk, as the saying goes. The fact previous attemps failed, that cant be undone. The only time machine I know in life is one I have on my Macbook air at home, sadly, that does not work in real life : - )
@Smorales , if I were you, I would talk to them, explained the situation and lay the facts. Being upset about failed attempts will just make things worse, in my opinion. If being mad was helpful, then all of us would do that lol
Lastly, all @Don_Paterson pointed out is totally accurate. Plus, put it this way...TAC will probably never even bother checking anything R80.30 related, so I would straight up tell them so and if they dont like the answer, call TAC and let them explain it to the customer.
We are here to help you, but customer should definitely be aware of all these things.
Best,
Andy
Hello, everyone.
Thank you all for your suggestions and responses to the case.
Regarding downgrading new equipment.
This was because the client only gave us five minutes to get them working if something went wrong, and so as not to introduce too many variables, because at that time they were critical pieces of equipment.
The changes were between different models, and adding different versions with a failure would take us a long time to figure out what was going on, and because of the limited time the client gave us, they would ask us to cancel the activity and reschedule.
In those past situations, the equipment did support version R80.30; they were 3000 models, according to the activity documentation.
As for the downgrade on the 9000s, I just wanted additional confirmation because, as I mentioned, the customer is quite stubborn, but this time we will have to proceed with version R81.20 and not R80.30. I will take care of talking to them with documentation or, if necessary, with comments from the TAC.
I really appreciate your comments.
Best regards.
Excellent! And, my honest advice is 100% do open TAC case, so if they complain about anything, its all in writting, rather then "he said, she said"
Good luck!
Andy
All of the 3000 series boxes support up through R82. Maybe you could upgrade the software on the old gear in one window, then replace the hardware in another window?
I'll add to the chorus saying I currently work at a financial institution and wouldn't consider running anything below R81.20. We were stuck on R67 for years past its end-of-support date (long story), and that's not a position we ever want to be in again. As a result, we're extremely aggressive about software upgrades. It has taken years of work to get there, but we are now able to deploy a fix environment-wide in a matter of days when needed. Even taking things slowly by our standards, we have 16% of our environment upgraded to R82 (started after it became recommended), and we expect to get the rest there in the first six months of 2026.
I was able to get upper management buy-in by showing how about 80% of the outages attributed to the firewalls were from issues Check Point had fixed over a year before we hit them. In over half of the remaining issues, updating the firewall was the first step before we could get any troubleshooting help. Thus, by keeping the firewalls current, we have far fewer issues, and the issues we do have are dramatically faster to solve. We've had one outage attributed to software on the firewalls in all of 2025, and it was due to a patch adding better enforcement against noncompliant HTTP (i.e, the firewall did the right thing, we just didn't know the bad traffic existed in the environment).
This topic confuses me a bit.
I work for a global financial institution and so we are constantly under scrutiny. That’s why we would never consider installing any toxic versions of Checkpoint on current hardware
I feel the only exception to that rule, MAYBE, would be if they had Diamond support, but even then, not positive would apply, just my educated guess.
Andy
We do have diamond support but we would not consider such a step.
I dont blame you. I worked once with a hospital that also had diamond support, but TAC was on the phone and there was an unsupported version involved and we ended up upgrading that night, so that was productive.
Andy
Hi Vincent,
let me share with you a bit of context:
The site where these toxic versions are installed functions as a DRP for them, so they do not prioritize upgrading a few gateways with old versions.
This is because they always have a high volume of projects, and they never prioritize these gateways because they do not run a lot of critical services as they are a DRP.
We always remind them and suggest that even though it is a DRP, they should have everything with the recommended versions, but sadly, the final decision is up to the customer and not us.
Thats all you can do, really. I always personally make sure things are in the email, so no one can deny the facts later : - )
Andy
Don’t get me wrong. I understand your position well since i worked at solution providers for many years and therefore I know end customers of many industries well.
Just wanted to mention that I am now in similar situation and we would decide differently.
Incidentally, I cannot imagine why it would not be possible to migrate an R80.30 gateway to R81.20 with new hardware.
Once again, what is a "toxic version"? Are you guys sure you are using the right word?
I believe Val they meant unsupported, thats the way I read it : - )
Andy
Exactly. In our organization, devices with no support on hw and/or sw are called toxic. Sorry for confusing.
I knew as soon as I saw it...all good!
Andy
I am sorry, what do you mean, "toxic"?
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
19 | |
12 | |
8 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 | |
4 |
Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY