the_rock
Champion

R81.20 feedback

Hey guys,

Figured I would share my feedback so far on a brand new distributed install of R81.20 in my ESXi lab. I really do like the zero phishing feature, though for that to work, HTTPS inspection has to be on, so I may try that out some time this week.

In all honesty, I don't see any drastic changes from R81.10 as far as policy layout, log filtering, IPS...

Also, not sure if this is just my lab, but I made a few rule changes and for some reason the accelerated policy push never takes effect, though it's not disabled.

Just my 100% honest feedback, looks good so far, but the real test would be to see it in a busy production environment.

Anyway, that's all I can think of for now. Will add more things as I do more testing : - )

35 Replies
the_rock
Champion

Accelerated policy push works, just took some time to "kick in". Will try autonomous threat prevention this week and see how it performs.

the_rock
Champion

This also seems to be cosmetic, as SIC works fine and IPS is up to date:

Screenshot_1.png

Don_Paterson
Advisor

Did you notice the WHAT'S NEW page still says "Coming soon 2022 R81.20"? 🙂

Don_Paterson_0-1669145666971.png

the_rock
Champion

Yes sir :). I'm just posting things as I see them in my lab...this is more for anyone thinking of upgrading and in case of any questions. I'm happy to test anything in the lab, because quite frankly, no one will cry if that lab breaks, haha. We will just build a brand new one, which takes 2-3 hours.

Don_Paterson
Advisor

Cool. I have an opportunity to test it with R80.40 VSX over the next few days (also in a lab), and will try a VSX upgrade.

Don_Paterson
Advisor

Nice to see the Changes view in the title bar. PNG attached.

Won't spam you here (thanks 🙂 ), but it's a good thread to share anything specifically interesting in R81.20.

the_rock
Champion

No spamming brother, all good, haha...I'm happy to hear any feedback, that's what the whole community is about. Anyway, I also attached an example of that, yes, indeed, VERY NICE.

Andy

Screenshot_1.png

Don_Paterson
Advisor

Mmmm...

I got a Granularity Validation error. Searched 'granularity' in the RN and SMS Admin Guide but didn't see anything specific.
It went away when I removed logging from the Cleanup rule (in Standard).
I had added a bunch of rules (via API command) and then manually deleted them, and then it would not let me publish until I turned Track to None.
A few other changes and then I set it back to Log and it publishes fine...

the_rock
Champion

Are you saying this was the error when ONLY the implicit cleanup rule was there?

Don_Paterson
Advisor

It is about the default Cleanup rule (explicit)...

...and what I think it comes down to is this API command is maybe somehow working differently (to manual setting) in R81.20, and that is with regards to the settings of the Log (Track > Log) option. Meaning that if you set the Cleanup rule with the command below and then try to publish, it may fail.

And yet, I cannot see a difference (see attached) when doing Track > Log manually or API-lly.

(shrugs)

set access-rule layer "Network" name "Cleanup rule" track "Log" install-on Corp-GW

NOTE:
This site is annoying when it won't let me paste screenshots in (CTRL + V) and spits out errors about other things too.
"Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."

Don_Paterson
Advisor

I can't reproduce it now (in Standard). May have to try in a brand new policy (or on a clean build (some other time))...

the_rock
Champion

I will try it in a bit in my lab. Will change the current policy for the cleanup rule to be like yours and see what happens, and then test with a new policy with the cleanup rule only. Btw, I said implicit, as I meant implicit as the last rule all the way at the bottom, vs the explicit cleanup rule, meaning cleanup at the bottom of every inline layer (if one existed), that's all : - )

Anywho, will update shortly.

Andy

the_rock
Champion

Just tested it, no issues on my end. Not sure if it's something to do with VSX vs a regular gateway...it's possible. I mean, I don't see why it would, but not 100% certain.

Don_Paterson
Advisor

ACK

I did the API config on the clean build (using a dummy SG object (no SIC) to let the API script put it in the rules (Stealth and Install on)).

VSX Cluster addition came later.

Will try to reproduce when the opportunity presents again soon 🙂

Don_Paterson
Advisor

Just an update on this 'Validation error' with the Granularity message.
I just saw it on an R81.10 clean build (R81.10 Build 220 (T335 ISO) and SmartConsole R81.10 B402). Meaning that it is not specific to R81.20, but it is still strange.

I used the API commands again and it may come down to the one specific line which changes the default Cleanup rule Track to Log:
set access-rule layer "Network" name "Cleanup rule" track "Log" install-on A-GW

I got rid of the Validation error simply by removing the Log option and then putting it back in manually.

That's it.
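For anyone scripting the same cleanup-rule change, here is an added example (not from this thread and not Check Point's own code) that mirrors the post's mgmt_cli line as a Web API set-access-rule body, checks a show-validations response before publishing, and applies the workaround described above (revert Track to None, publish, re-apply Log manually) when a Granularity error shows up. The nested `{"type": ...}` track shape and the `warnings` / `errors` / `blocking-errors` lists with a `message` field are assumptions about the API response, not taken from the page.

```python
import json

# Added example, not the thread's or Check Point's code. Assumptions (not from
# the page): set-access-rule nests track as {"type": ...}; show-validations
# returns "warnings", "errors" and "blocking-errors" lists of {"message": ...}.

LAYER, RULE = "Network", "Cleanup rule"


def set_cleanup_track(gateway: str, track: str) -> dict:
    """Body for set-access-rule. track="Log" mirrors the post's command:
    set access-rule layer "Network" name "Cleanup rule" track "Log" install-on <gw>
    track="None" is the revert step used in the workaround."""
    return {"layer": LAYER, "name": RULE, "track": {"type": track},
            "install-on": [gateway]}


def summarize_validations(resp: dict) -> dict:
    """Collect messages per severity and decide whether publish can succeed."""
    out = {k: [e.get("message", "") for e in resp.get(k, [])]
           for k in ("warnings", "errors", "blocking-errors")}
    out["can_publish"] = not out["errors"] and not out["blocking-errors"]
    return out


def next_step(resp: dict, gateway: str) -> tuple:
    """Return (action, body): publish as-is, revert Track to None on a
    Granularity error so the session can be published and Log re-applied in
    SmartConsole, or discard for any other validation error."""
    s = summarize_validations(resp)
    if s["can_publish"]:
        return ("publish", {})
    if any("granularity" in m.lower() for m in s["errors"] + s["blocking-errors"]):
        return ("set-access-rule", set_cleanup_track(gateway, "None"))
    return ("discard", {})


# Constructed sample responses, modelled on the error the post describes.
SAMPLE_ERROR = {"warnings": [], "blocking-errors": [],
                "errors": [{"message": "Validation error: Granularity"}]}
SAMPLE_CLEAN = {"warnings": [], "errors": [], "blocking-errors": []}

if __name__ == "__main__":
    print(json.dumps(set_cleanup_track("Corp-GW", "Log")))
    print(next_step(SAMPLE_ERROR, "Corp-GW"))
    print(next_step(SAMPLE_CLEAN, "Corp-GW"))
```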

Don_Paterson
Advisor

Yes.

Short answer 😉

the_rock
Champion

One other piece of feedback I have for anyone in R&D who sees my post is this...I wish CP would FINALLY fix the issue with hit count on NAT rules. We were told even back in R81 that this would work (it did NOT) and then R81.10 (again, it did not, or it was very inconsistent, to put it bluntly), and I even had a TAC case opened for this, as the customer was curious, and the guy said he was going to investigate and literally came back the next day saying R&D informed him that this was "work in progress". I mean, I'm not sure why this is so hard to fix, because it would be nice if customers could see the hit count on their NAT rulebase. Same exact issue in R81.20, it simply does not work...very disappointing, sorry guys.


We had some problems in the NAT rulebase, but they are solved in R81 Jumbo Take 36 (and in later versions).

I will contact you privately in order to understand the problem.

Best regards.

the_rock
Champion

For anyone thinking of installing R81.20 as standalone...my advice, DO NOT do it : - ). I tried it 3 times...1st time, everything was so messed up, literally nothing worked. 2nd time, I got it installed, but the internal CA was missing (???!!!), how, don't ask, I have no clue in the world. 3rd time, it worked, BUT, after about 30 mins, I could not open the default policy package, tried cloning, creating a new one, nothing...so I totally gave up on it. Distributed seems to work well so far...some minor glitches here and there, but pretty solid I would say.

Hen_Hertz
Employee

Hi @the_rock, thanks for your feedback.
Can you please share more details on your standalone machine (appliance type, memory, disk space, any other configuration you can share)?

I would like to check this issue internally.

Best Regards,

Hen.

the_rock
Champion

Hey @Hen_Hertz

Yes, it was a VM, 500 GB space, 16 GB RAM, 8 CPUs. I would hope that's more than enough -:)


What's the disk / storage configuration / controller type for that 500 GB, out of interest?

the_rock
Champion

Hey @Chris_Atkinson...sorry brother, went for a 10 km (6 miles) run, but I'm a very SLOW runner, so that was almost 80 minutes (haha). The weather is too nice here in Ottawa, Canada...end of November, pretty shocking, but yesterday was 10 C (50 F), so better use it while it lasts.

Anywho, to answer your question, I put below what I allocated all 3 times, though I'm 100% positive that was NOT the issue, as I did R81.10 standalone before with way less space and never had a problem.

1st time - / dir 60 GB, /var/log/ 150 GB

2nd time - / dir 70 GB, /var/log 200 GB

3rd time - / dir 75 GB, /var/log 200 GB

Andy


Agree it's unlikely to be space related. I need to visit to check out the craft beer scene in Canada - heard it's amazing.

Is the volume split across multiple disks or single and what is the storage controller choice used for the VM?

the_rock
Champion

I don't drink beer, so I could not comment on it, but yes, there are all sorts of beers everywhere, so there is one for everyone lol

Anyway, I tried multiple disks, a single one with lots of space, tried the different controllers available, no luck. Here is another messed up thing I discovered...so the error "policy could not be loaded" came up even in the distributed environment when I enabled the QoS and Policy Server blades and pushed the policy and then reopened SmartConsole; that error popped up. Disabled QoS, tried again, same issue, disabled Policy Server, so once both blades were off, all worked again. I really find it a bit surprising I'm discovering all these problems as I go along...it's something I never encountered even in brand new R81.10 when it came out.

Hen_Hertz
Employee

Hi @the_rock, can we please take it offline?

Could you please approach me about this issue via email at henhe@checkpoint.com

Thank you!

PhoneBoy
Admin

If it’s any consolation, I wasn’t doing much faster than 80 minutes for a 10k…as of earlier this year.
Still working on getting back into shape and running regularly.
At least the weather is better where I live now 😉

the_rock
Champion

Well, if you do simple math, let's see...so the FASTEST runner in the world (can't remember his name now) ran a full marathon in exactly 2 hours and some mere seconds. So, that's 120 minutes divided by 42.2 km, that's 2.84 mins/kilometre. Buddy, I don't think I can bike 1 km in that time, pretty insane. I mean, I did 1 marathon in my life and it took 6 hours and 23 mins, never doing that again LOL. But, my brother loves it, he has done probably close to 20 marathons now...anyway, to each their own : - ). Staying healthy is the most important thing, no matter how it's done!!

Martin_Hofbauer
Contributor

I wonder why you didn't invest your testing time (but now you do) in an EA install and give your feedback there, so some/all of these issues could have been addressed there - before this version came out...
