- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hi all,
We're planning to upgrade our VSX Cluster deployed on Open Server. Currently, it uses R80.30. In February, when we had an open case to TAC, they suggested to use R80.40 for clean install.
What is the situation now?
Maybe something has been changed since that and we should take a look at R81?
Has somebody got an experience in updating Open Server based VSX clusters to R81 and can share feedback?
Thank you in advance!
Personally, I had never done this, but saw a forum online where someone upgraded to R81 and no issues, but it is just one customer though.
Hi!
Thanks for your reply!
I'll add one more R81 case to my statistics.
However, it would be nice to hear something from Check Point people.
R80.40 is still the widely recommended and default version. I've done a ton of R81 upgrades, on pretty much all kinds of installations besides Scalable Platform / Maestro. My experience so far is that almost all issues I've had with R81 have also existed on R80.40. They are mostly related to 3.10 kernel that becomes the default for gateway installations with R80.40. If you look through the jumbo hotfix changelog for both R80.40 and R81 you'll notice how the same fixes are often released to both versions almost at the same time.
R81 have had some unique issues of its own. Most are related to the accelerated policy installation which is not available for R80.40. At this point, I would be tempted to recommend going with R81.10 over R81. R81.10 already contains all the fixes from R81 Take 34 and so far my experience with R81.10 GA is quite limited but it's been very good.
One thing to remember with R81.10 for VSX is how HA clustering is no longer a thing. On R81.10 it's all going to be VSLS so if you are not running VSLS already this might be something to keep in mind.
Hi @RamGuy239 ,
Yes, I know that R80.40 is still main release. However, as you said, R81.10 has been released. So I thought that R81 could be considered as a stable enough to use on VSX.
Actually, your point regarding R81.10 us really interesting. I have to think about it. R81.10 is a newborn and we always avoid using new releases but maybe it would be a good advice in this case. VSLS is not a problem in our case because we have already been using it for some time. We have to do Clean Install of VSX Cluster because we got some issue with ClusterXL at VS0 after upgrading from R77.30 to R80.30 and TAC wasn't able to fix that.
It would be nice to hear something from Check Point people about using R81 and R81.10 for upgrading VSX based on Open Servers.
I've done VSX upgrade (ok clean install), from R80.30 to R80.40, in my options (and I'm pretty sure TAC will say the same thing), rebuild your VSX cluster using a clean install.
It sounds pretty bad to do this, but actually its not, the main thing is ensuring all your OS level configuration is the same, then its a simply case of vsx_util reconfigure which then converts the gateway to VSX.
The big reasons to do a clean installation are kernel 3.10 and also xfs filesystem (more relevant to Management the gateway though).
- Ensure you do a snapshot of the manager and gateway before hand, and store the snapshot from the gateway offline.
- Ensure you save the GAIA config from the gateway and store this offline.
- Ensure you raise a pro-active case with TAC, ensure you run into issue.
- If your install R80.40 ensure you install the latest GA Jumbo (don't install anything less then Jumbo T102 (Latest is T118 at the moment).
Now should you go to R81.10...hmmm technically this may not be a bad option, but with VSX I would prefer to wait for a few jumbos to be released. If you have the luxury of a test system then worth a go.
I've already attempted to install JHFA34 onto a R81 manager and found and issue, and rolled back to JHFA29.
Commercially - R80.40 is currently the 'recommended' release by Checkpoint, and your managers may question why you are installing something that is not the recommended release.
With VSX there is no real harm in doing a clean install as the management server is holding the configuration. With that said, you will still get 3.10 kernel with in-place upgrade. But you won't get XFS but you need to remember that from R80.40 and on-wards the cpuse upgrade packages is a blink package in disguise. One major downside with this is how "clean install" using the cpuse package will not re-format your hard drive. The only way to ensure that you get XFS on your gateway is to use the ISO and isomorphic tool and do a complete install using USB.
correct, we used USB installation method.
Hi all,
Thanks for your replies!
Unfortunately, USB install is not our way. Our VSX Cluster is located thousand miles away and it's really hard to organize onsite support. So I guess we'll do the clean install via CPUSE.
All your answers have been adding more and more points to the opinion that it's too early to use R81 for VSX.
Do you have out of band access to the system? If not you could lose your connection to the appliance and then you will be in trouble.
What appliances do you have?
What version of LOM firmware are you running?
Do you have a test system you can attempt this on first?
Hi @genisis__ ,
@genisis__ wrote:Do you have out of band access to the system? If not you could lose your connection to the appliance and then you will be in trouble.
Yes, we have. This is a kind of indisputable prerequisite.
What appliances do you have?
There are no appliances. We're using Open Server installed on HP ProLiant DL380 Gen9 servers.
What version of LOM firmware are you running?
Do you have a test system you can attempt this on first?
Unfortunately, nope.
Ok
Do the open servers have iLO cards? I've found with Dell Open Servers, which have iDRAC cards the standard ISO build works fine.
If you do have iLO cards, have you ensured there running the latest firmware?
Yes, HP ProLiant has iLO card. However, the firmware is pretty old and we have to use java-based console. As far as I remember, there were some bugs when it comes to using ISO images. We can't update iLO firmware.
Anyway, big thanks for your time! I'll check how to use ISO image in our case.
cool - and I know what you mean about the Java version, it supports a really old version, but HP may have a firmware update for it, worth checking, if you have not done so already.
Hi @genisis__ ,
Big thanks for your recommendations, especially, for raising proactive TAC case. During previous upgrade, it took a long while to get TAC help after facing an issue. We'll definitely raise TAC case ahead of the upgrade.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
18 | |
12 | |
6 | |
6 | |
6 | |
5 | |
4 | |
4 | |
4 | |
4 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY