It happens more and more often that new features in blades don't work the way they did before. After the update to the new version we have to look for the solution in SKs or open a TAC ticket. Could you please better document the readmes of the new versions with changes to the old versions?
Solution:
A diagram in the readme (or an SK) that gives us the information we need to affirm and not run into the issues first.
Here are a few examples of bugs that would have been avoidable:
1) R80.10 to R80.20 --> (sk162637) ClusterXL in Load Sharing mode is not supported with IPSec VPN blade enabled. From my point of view, this must be written in thick red in the readme. Now, for R80.20 release and above, ClusterXL Load Sharing mode is available with the following Jumbo Hotfixes: R80.20 HF 117 or R80.30 HF76 and above.
2) R80.x to R80.30 --> user.def encryption domain entries don't work anymore if you don't have a special kernel parameter set (I can't find the SK at the moment).
3) R80.10 to R80.20 -> supernetting behavior with 3rd party VPN -> (sk101219) From R80.20, you can disable supernetting behavior with 3rd party VPN devices, per specific community. That way you can migrate to a non-supernetting environment gradually, community by community. This process also requires configuration changes on the 3rd party peers. Before R80.20, the global parameter ike_enable_supernet determined supernetting behavior for all 3rd party devices.
4) R80.xx to R80.30 -> fw_clamp_tcp_mss -> (sk61221) This is a global parameter in R80.30, and will be applied for all Security Gateways / Clusters that are managed by this Management Server - depending on the value of the kernel parameter "fw_clamp_tcp_mss" on the Security Gateways / Cluster Members via GuiDBedit.
5) R80.xx to R80.30 -> HTTPS Inspection -> (sk104717) This section is irrelevant for R80.30 and above, since a new probe mechanism was introduced (enabled by default) - customer should NOT use the 'old' mechanism (enhanced_ssl_inspection).
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips