Patching a Force 19000 security gateway

Alex- · ‎2025-03-26

The new 19000 Quantum Force are shipped with R81.20 Build 722.

When trying to patch them to Take 98, the verifier discourages us to do so as it might lead to system instability unless we go first to Take 24.

R81.20 Take 24 is not compatible with R81.20 build 722.

sk180520 seems to point out that Take 65 is the minimum supported for 19K and 29K series, so that could be the verifier not taking the build and platform into account.

Our understanding that we should patch to Take 65 then Take 98, but we have an SR open being checked internally to clear up any doubt and proceed the right way. The verifier specially states Take 24, not Take 24 or above.

For information for anyone facing the same scenario, or who already successfully upgraded these devices and could confirm.

Timothy_Hall · ‎2025-03-26

You will need to wait for resolution for your SR. There were a variety of problems with R81.20 Jumbo HFA Take 96/98 and Quantum Force appliances (9000/19000/29000) due to the fact they utilize UPPAK: sk183181: SecureXL in the User Mode (UPPAK) may have compatibility issues with R81.20 Jumbo Hotfix T...

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Alex- · ‎2025-03-27

@the_rock @Timothy_Hall

I will wait for TAC to confirm the approach for stability and performance. These are Maestro appliances and run KPPAK out of the box.

the_rock · ‎2025-03-27

Good idea @Alex-

Timothy_Hall · ‎2025-03-27

Ah Maestro would explain why these gateways are still in KPPAK mode although Maestro appliances are supposed to support UPPAK & Lightspeed cards starting in R81.20 Jumbo HFA 89+ and in R82+.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

AkosBakos · ‎2025-03-28

We have MAESTRO with R81.20 take 98 and a portfix on the top. (fw1_wrapper_HOTFIX_R81_20_JHF_T98_249_MAIN_GA_FULL.tar)

----------------
\m/_(>_<)_\m/

the_rock · ‎2025-03-26

We had couple cases recently about VPN issues after jumbo 89 and 92 install and TAC recommended take 99, though not recommended, but appears lots of issues resolved in it. If you try verify jumbo 99, does it complain?

Andy

emmap · ‎2025-03-27

The issue referred to by the verifier only occurs if you uninstall the JHF. If you're not planning on uninstalling it, you can ignore the warning. There is more information in the 'Important Notes' part of the JHF documentation.

Take 99 resolves the main issues with take 98 on Maestro as far as I know so it's probably better to go straight to that one.

Alex- · ‎2025-04-16

The SR is still being investigated but that Security Group needs to go online so I went again through eh SK and did the following:

- Upgrade SG members to Take 65: No warnings, success

- Upgrade SG members to Take 99: No warnings, success

The SG is now back online, still in KPPAK. SK179432 explains KPPAK is the default mode with SG19200 in Maestro, so this needs to be changed manually. Since this is VSX on top and a rather complex deployment, I'd believe keeping the default KPPAK would be the safe option now, unless there are compelling arguments to enable UPPAK before this system goes live this week.

UPPAK still has some limitations also, which could be relevant in this deployment.

Jan_Kleinhans · ‎2025-04-16

We have many issues with UPPAK and VSX on 19200 (without Maestro). At the moment we are running in KPPAK. TAC cases are open since months. RnD is searching for solutions. I would recomend staying at KPPAK for the moment.

Alex- · ‎2025-04-16

That was our perspective as well, thanks for sharing your insights.

Alex- · ‎2025-04-29

19200 Maestro with R81.20 Build 722:

--> Patch to Take 65

--> Patch to Take 99

Security groups work. I've noticed other attention points which will be shared in dedicated posts.

Are you a member of CheckMates?

Patching a Force 19000 security gateway