We upgraded one of our customers some time ago from R80.30 to R81.10 and experienced a lot of problems – and still have some serious ones to solve.
One of the problems is that automatic NAT for outgoing connections from virtual systems does not work anymore. Instead of the real IP addresses of the VS, the Internal Communication Network addresses (aka "funny IPs") are used. Thus, no communication for VSes is possible without manual NAT rules.
We have a network design where several different VSes (VPN FW, LAN FW, DMZ FW and Webserver FW) are connected via a virtual switch to the same external network (that is, the Internet).
With R80.30, each of these VSes reached the Internet with its real IP without implementing manual NAT rules. That does not work anymore with R81.10. TAC told us that we have to apply manual NAT rules as described in sk119304.
The same happens for internal connections to DNS and NTP servers, etc.
My question is: Why did Check Point break automatic NAT in R81.10, making this version technically inferior to R80.30 regarding this point? What about usability when you have to apply manual NAT rules for any interface with traffic originating from a VS?
In my opinion, that is not the maturity you would expect from enterprise-grade software. It seems to be half-ready, banana software – ripens at the customer.