Amir_Ayalon
Employee

R81.10.00 for Quantum Spark 1500\1600\1800 Appliances - GA

We are happy to announce the release of R81.10 for Quantum Spark 1500\1600\1800 Appliances.

 

With the release of our new Quantum Spark R81.10 version, Check Point introduces code alignment between our Quantum Spark product line and the Quantum R81.10 Security Gateway release.

This major Quantum Spark release adds many new capabilities, as well as a wide range of stability and performance improvements.

This release supports locally managed only (Local + SMP). Centrally managed is supported at EA level.

 

Enhancement and New Features (Locally Managed)

  • Improve and Simplify SSL inspection operation
    • Some network devices do not support installation of an SSL certificate, therefore making SSL inspection not possible.
    • When you use the gateway capability to automatically sense and identify network elements, you can now select on which network element SSL inspection is enabled.
    • Gateway administrators have full control on which network elements SSL inspection will operate:
      • Desktops and laptops are automatically selected, and other network devices can be easily added.
      • You can also select bypassing inspection on macOS devices.
  • Smart Accel – (EA level)
    • Improves gateway performance by accelerating low risk traffic sources:
      • Video streaming (Netflix, YouTube, Spotify)
      • Well known corporate services (Microsoft, Google, Apple, Check Point Services)
      • Social Media services (Facebook, TikTok)
      • Web Conferences (Skype, WebEx, Zoom)
  • Password Complexity
    • Set password complexity as high to harden the Gateway Admin Password
    • Password length, number of different characters, Password history, Password Expiration
  • Updatable objects and FQDN in the Rule Base
    • Use fully qualified domain name (FQDN) object in the Access Policy.
  • VoIP improvements
    • Enable bidirectional traffic with the SIP provider service when SIP traffic inspection is disabled.
  • VPN Monitoring
    • New information was added to the VPN tunnels monitoring page
  • Support RADIUS 2.0 server
  • FTP AV - Inspect FTP protocol by Anti-Virus Software Blade
  • Zscaler (VPN 3rd party) support
  • Mirror port
    • Allows duplicating all the traffic that goes through one or more LAN ports, into one of the other LAN ports.
  • TCPDump via WebUI
    • Additional capabilities for TCPdump tool. Includes additional filters, custom filter and RT output.

Notes:

  • The Quantum Spark R81.10 release is supported only on the new 1500\1600\1800 Series Security Gateways.
  • Embedded Gaia software inherits its code base from the R81.10 GA version of enterprise appliances. Therefore, although not specifically mentioned, the R81.10 Quantum Spark Gateways inherit all maintrain limitations (see sk170418).
  • As the majority of R&D efforts will now shift to R81.10 code base, we encourage our customers to start evaluating and migrating to the new code base.
  • R80.20.xx code base for 1500\1600\1800 Series Security Gateways will continue to be supported, in the near future – with further releases, and in the medium term – with stability, performance and bug fixes only.

 

For additional info, please refer to sk179004

29 Replies
G_W_Albrecht
Legend

No identity collector support yet ?

CCSE CCTE SMB Specialist
0 Kudos
Ruan_Kotze
Advisor

First thing that I noticed was lack of Identity Collector support:-(

Something else that is also not clear is whether central management is supported for Spark 1500's running R81.10.  Management release notes only mention 1600 and up.

0 Kudos
G_W_Albrecht
Legend

Look above:

This release supports locally managed only (Local + SMP). Centrally managed is supported at EA level.

CCSE CCTE SMB Specialist
Amir_Ayalon
Employee

Hi

1. Identity collector is supported for centrally managed appliances.

2. The firmware released supports centrally managed; we just didn't have enough EA coverage, so it was released for the time being as EA.

To centrally manage R81.10.00 you will need MGMT R81.10 + JHF55 or R81.10 + JHF66, or R81.20

Thanks

Douglas_Chenjer
Contributor

The feedback is a bit confusing; the release notes say locally managed SMBs. So I can't test the new Gaia Embedded if my SMBs are centrally managed, say on an SMS with R81.10 or better (with latest HFA)?

0 Kudos
G_W_Albrecht
Legend

Yes, you can - write a personal note to @Amir_Ayalon !

CCSE CCTE SMB Specialist
0 Kudos
Douglas_Chenjer
Contributor

Have you tested this already? Putting R81.10.10 on an SMB which is centrally managed?

0 Kudos
G_W_Albrecht
Legend

No - I only have one 1500, locally managed and in production, so no way...

CCSE CCTE SMB Specialist
0 Kudos
G_W_Albrecht
Legend

What is R81.10 JHF 5 ? I only know of

 

CCSE CCTE SMB Specialist
0 Kudos
Amir_Ayalon
Employee

Yes,

sorry for the confusion.

You are correct.

You need MT R81.10 JHF take 66 that supports LSM+SMC.

MT R81.10 JHF take 55 supports only SMC.

0 Kudos
Amir_Ayalon
Employee

Identity collector is supported for centrally managed appliances.

0 Kudos
cgubesch
Participant

Hey @Amir_Ayalon,

We are trying to test R81.10.00 centrally managed and we are facing some issues.
Maybe you could help us out.
We have 2x1600 SMB Appliances and have set them up as a cluster with R80.20.35.
We are trying to upgrade the cluster to R81.10.00 but we are unable to install the policy via the management afterwards.
We got the following error:

Teams_Q77QkpdkIl.png

We run our security management server on R81.10 JHF66 and changed the version of our 1600 SMB Cluster Object to R1.10. 
Another strange thing that we noticed during troubleshooting: We rebooted our appliances with R81.10.00 installed and after the reboot the version reverted to R80.20.35 again.

Are you or anyone here familiar with those issues? (Or can someone help with the EA deployment of centrally managed SMB Appliances?)
Help is much appreciated. 

0 Kudos
Chris_Atkinson
Employee

Typo?

Management should be R81.10 JHF T55 or higher to manage the 1600 upgraded to R81.10.00 (currently this is EA status)

Does the issue persist if you resolve the issue with the rules using time objects?

0 Kudos
cgubesch
Participant

Yes, typo, sorry, my bad.

I meant R81.10 JHF66.

I am not sure what issue you are referring to with the time objects. Can you clarify?

 

0 Kudos
Chris_Atkinson
Employee

The error message you posted shows a warning about time objects amongst other things.

0 Kudos
MikeH
Explorer

Are you running the EA code?  Central management is not supported in this GA release.

"This release supports locally managed only (Local + SMP). Centrally managed is supported at EA level."

See sk179004

0 Kudos
cgubesch
Participant

Do I need another software package for the EA features? I only found the one from the official sk and assumed that it includes the EA features for the central management.

Please clarify.

Thanks in advance

0 Kudos
Amir_Ayalon
Employee

Hi

No, the same firmware (R81.10.00) that was released supports both locally and centrally managed.

We simply decided to GA only locally as we didn't have enough EA coverage for centrally managed.

QA coverage is the same for both locally and centrally managed.

 

 

Greg_Harbers
Contributor

Hi Amir,

Do you have a feel for when R81.10 may be GA for centrally managed? Is it likely to be days/weeks/months?

Thanks

0 Kudos
G_W_Albrecht
Legend

Depends on the number of customers that try this version and report any issue to CP. Kind of egg / hen problem 😎

CCSE CCTE SMB Specialist
0 Kudos
Amir_Ayalon
Employee

Hi,

As I remember, there was a bug in JHF 55 that you can't upgrade an SMB cluster (R81.10.00). You need to manually upgrade each member.

This bug was resolved in JHF 66.

If this is what you encounter in JHF 66, please drop me an email: amiray@checkpoint.com

0 Kudos
Steffen_Appel
Advisor

Hi,

We have a similar issue with a single 1530 GW on 81.10.00; the installation fails with Error Code: 0-2-20000025.

 

 

0 Kudos
cgubesch
Participant

@Amir_Ayalon @Chris_Atkinson 
Hey guys, we performed some additional troubleshooting with our policies.
And it turns out that Zone Objects are causing the troubles when installing the objects on the gateways.

So for example we are getting the error if we have a Zone Object in the Policy which is not defined on our 1600 Gateways (even though the 1600 gateways are not defined as installation targets).
So we think that somehow, during policy compilation, installation targets are not being considered.
Our Policy is strongly depending on Zones and Inline Layers combined with Security Zones.

Unfortunately it seems that exactly that is causing our policy installation problems on the SMB appliances.

I guess there are still some issues in the new codebase with inline layers and zones.
How should we proceed? Can we get some EA support? Or should we open a Support case? 
What do you recommend?

Thanks in advance for the help.

0 Kudos
Amir_Ayalon
Employee

Hi cgubesch

Thanks for the RS yesterday.

The way to proceed is to open an SR and say R&D ask for a Task.

In order to proceed we will need from you the management backup (we tried to replicate your scenario today, but it wasn't replicated).

Please collect a database backup from the management server and include it in the SR.

The steps are very simple:

 

For SMS deployments:

  1. Collect management server database:

# cd $FWDIR/bin/upgrade_tools

# ./migrate export <name of the file>

  2. Collect additional information:

# cpinfo -z -o /var/log/tmp/<name_of_the_file>.info 

 

 

For MDS deployments:

  1. Collect MDS database:

# mds_backup -l -d /var/log/

  2. Collect additional info to have an idea about configuration, addresses, fixes etc.:

# cpinfo -y all

# mdsstat

# ifconfig

# df -h

 

0 Kudos
Nik_Bloemers
Collaborator

In general this is an issue I think. The same rings true for Identity Awareness for example. You can't install a policy with inline layers that use Access Roles, even if the gateway without the IA blade enabled is not in the install target for that inline layer.

0 Kudos
Douglas_Chenjer
Contributor

Kindly share the R81.10.10 Gaia Embedded firmware for customers who use the SMBs in a centrally managed setup. It seems the posts are more related to locally managed and not clear regarding centrally managed.

0 Kudos
cgubesch
Participant

@Douglas_Chenjer is there a R81.10.10 version?

And if so? How can I get my hands on it 🙂

0 Kudos
G_W_Albrecht
Legend

Currently, only R81.10.00 Gaia embedded firmware is available. It works with SMBs managed locally, from SMP or Centrally.

CCSE CCTE SMB Specialist
0 Kudos