This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Eran_Habad
Employee
Employee
‎2019-06-27 02:59 PM
Jump to solution

Management JHF - Did You Know?

Hi everyone,

My name is @Eran_Habad and I’m a manager in Check Point’s R&D. My group is responsible for the core I/S and APIs of the Management Server.

Following several recent conversations with customers, I would like to provide some information and shatter few myths regarding the JHF of the Management:

  1. A new take of the JHF is usually released every few weeks (ideally) with a list of fixes that can be seen in the JHF SK according to the relevant version: R80.10, R80.20, R80.30, R80.40.
  2. Every new JHF take is first released as Ongoing for early adoption, and later becomes recommended for General Availability. You can find all information in the JHF SK.
  3. You can install a new JHF on the Management Server regardless of the Gateway. There’s no requirement to align the Management and Gateway to use the same JHF take.
  4. However, we do require all Management machines to have the same JHF take.
  5. There is a JHF package for the SmartConsole as well, yet there’s no dependency between the Management Server and the SmartConole. You can use a different take of the JHF for each.
  6. Installing a JHF is not a Management upgrade! The installation of a JHF on the Management is simple, doesn’t perform any changes in DB and is only replacing specific binaries with new fixes.
  7. We strongly recommend that our customers install the latest recommended GA JHF on a regular basis, even without the need for a specific fix. The reason is that the JHF accumulates fixes for known issues that could be prevented upfront if installed.

 

I’m also tagging @Tomer_Noy, R&D Director of Management Products and @Miri_Ofir, R&D Group Manager responsible for Customer Success & CFG.

All of us would be happy to answer any further questions regarding the Management JHF and to get ideas for improving the JHF adoption and installation.

Regards, Eran

1 Solution

Accepted Solutions
Tomer_Noy
Employee
Employee
‎2024-07-03 05:25 AM
In response to MVS_VF
Jump to solution

The gateways / clusters can be updated to a new JHF gradually without any dependency on updating the Management / MDS.

You can have gateways / clusters with different JHF builds between different domains, and even within the same domain.
You can have different JHF builds for the gateways and for the Management.

The comment about having the same JHF is only for the Management MDS & MLM machines. If you have multiple MDM servers, you need to have the same JHF build on them.

I hope this clarifies things.

View solution in original post

0 Kudos
14 Replies
PhoneBoy
Admin
Admin
‎2019-06-27 03:08 PM
Jump to solution

Good information the community can use.
Garrett_DirSec
Advisor
‎2019-07-01 08:43 AM
Jump to solution

Hello -- Great information.  sincere thanks for the post.   Note:  we in region exclusively use term "HFA" vs "JHA". 

topics... 

  1.  curious why individual hot fixes block installation of JHA and/or require a specific JHA release to be installed?
  2. Do you foresee a future when hotfix blocks/etc go away (with micro services architecture, etc)?
  3. when is JHA release #1 going to be available for R80.30? Honestly, this is the litmus test we use when recommending a new platform release to customers.

Thanks -GA

 

PhoneBoy
Admin
Admin
‎2019-07-03 01:22 PM
In response to Garrett_DirSec
Jump to solution

  1. A JHF and individual hotfixes can touch the same files. Before fixes can be integrated into a JHF, they have to meet certain criteria. Likewise, some fixes are on top of fixes applied in a JHF, thus there are dependencies.
  2. I suspect this is something that will be addressed longer-term, but don't know the specifics.
  3. The first Ongoing JHF for R80.30 was released yesterday. See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Vladimir
Champion
Champion
‎2019-07-03 07:51 PM
Jump to solution

Great info! Thank you for sharing.

Please answer this: If I recall correctly, some of the Ongoing JHFAs are required to be uninstalled before the next version is installed. Why not include removal of the intermediate Ongoing JHFA in to the installation logic of the next one?

Regards,

Vladimir

Tomer_Noy
Employee
Employee
‎2019-07-04 12:22 AM
Jump to solution

Note that there were some recent improvements in the CPUSE DA JHF installation.

In the past, installing a new JHF involved uninstalling the current JHF in the background. This had several drawbacks such as extra time to perform the uninstall and potentially going back to the vanilla GA if the new JHF failed to install.

Another drawback was that if you installed an private / specific HF that depended on a certain JHF build, we couldn't uninstall the existing JHF in order to install the new one. That was the case even if the private HF fix was included in the next JHF. The customer still had to manually uninstall the private HF to allow the JHF installation to proceed.

In the new mechanism, the next JHF is installed on top of the existing JHF without uninstalling it. This means that if a private HF fix is included in the next JHF, you don't need to uninstall it manually anymore. We will recognize the situation and let you proceed. Also, uninstalling a JHF will bring you back to the JHF you had before, instead of to the clean vanilla state.

This was great work by @Tsahi_Etziony and @Lior_Manor .

The DA is auto-updatable, so everyone should get it automatically (assuming they didn't turn off the auto-update).

Vladimir
Champion
Champion
‎2019-07-08 08:54 AM
In response to Tomer_Noy
Jump to solution

Hi Tomer and thank you for this info.

These are welcome changes indeed. I have noticed the DA becoming Auto Updatable or giving us the opportunity to do so from Web UI manually.

As to compatibility with custom or private HFs, this seems to be a work in progress. As per sk113410:

"Future Jumbo takes might include content that will conflict with this Hotfix. Installing such a Jumbo take on a system with this hotfix, will fail with an appropriate error. In such a case, please contact Check Point Support."

0 Kudos
MVS_VF
Participant
‎2024-07-03 01:16 AM
Jump to solution

Hello Eran,

Thank you for the very clear and informative post.

In my environment I have Multi-Domain Server with R81.20 Jumbo Hotfix Take 41 and so are my firewalls exactly on same version. I have to upgrade Firewalls at least to Jumbo Hotfix Take 65. Good if can go ahead with individual Open Servers one by one but not at once "since you had mentioned above in point 4 - all Management machines to have the same JHF take".

With respect to point no 4 and my organizations Checkpoint environment(pics attached). I have MDS and have around 10 domains in it. But we also have individual Domain Management Servers(Open Sever) in each Domain apart from Gateway and twin Cluster members(2nd Pic).

Now my question is with respect to point 4 - Can I target individual domains ''one by one" and update HF of cluster members and its individual Domain Management Servers(Open Sever) in each Domains to Take 65 ?

And not ALL Management Servers in one go as, the 4th point states that all management machine need to be on same JHF take?

MDS with multiple Domains1.png

CP Multi-Domain Server with Firewall Cluster.PNG

Thanks

MVS 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-07-03 05:02 AM
In response to MVS_VF
Jump to solution

Do you know that you have posted a reply to a post that is 5 years old ? Did you expect any answer ?

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tomer_Noy
Employee
Employee
‎2024-07-03 05:18 AM
In response to G_W_Albrecht
Jump to solution

Both @Eran_Habad and myself are still in Check Point 😀
(different positions though)

So it's fine, and we'll be happy to answer.

Tomer_Noy
Employee
Employee
‎2024-07-03 05:25 AM
In response to MVS_VF
Jump to solution

The gateways / clusters can be updated to a new JHF gradually without any dependency on updating the Management / MDS.

You can have gateways / clusters with different JHF builds between different domains, and even within the same domain.
You can have different JHF builds for the gateways and for the Management.

The comment about having the same JHF is only for the Management MDS & MLM machines. If you have multiple MDM servers, you need to have the same JHF build on them.

I hope this clarifies things.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2025-02-28 03:32 AM
In response to Tomer_Noy
Jump to solution

Hello Tomer,

about 

The comment about having the same JHF is only for the Management MDS & MLM machines. If you have multiple MDM servers, you need to have the same JHF build on them.

so if have 1 MDM and 1 MLM and 1 SmartEvent, i need to upgrade all of them to same JHF ? any problem if i upgrade only one of them? 

 
0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-28 09:07 AM
In response to CheckPointerXL
Jump to solution

Ideally they should all be on the same JHF level.
Whether there are actual problems if they’re not will depend on the nature of the fixes included.

0 Kudos
Tomer_Noy
Employee
Employee
‎2025-03-01 10:34 PM
In response to CheckPointerXL
Jump to solution

It's indeed recommended to have the same JHF take on all Management machines. With MDS and MLM, it's important because having different JHF takes will not allow synchronization (HA) between machines, including the system domain (which exists on both MDSs and MLMs). Since updating JHF is not instantaneous, you can get by without sync for a short while and the machines will be operational (receive logs, ...), but it's not a healthy state for a long duration.

SmartEvent machines are a bit more flexible and usually will be OK on a different JHF level. That said, it's possible that a certain fix will be important to align on SmartEvent as well, so it's not a general guideline that will always work.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2025-03-03 12:28 AM
In response to Tomer_Noy
Jump to solution

Hi Tomer,

thank you very much for your feedback

I always suspected that some kind of HA stuff happens between MDS and MLM; i was pretty sure about same JHF between two MDS in HA, but not 100% sure for MLM also.

Anyway i think this kind of information should be written in some sk/faq page

thank you again!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events