I have R80.10 mgmt and think it’s pretty slick. But I’m very hesitant about the gw. Where in the infrastructure would you recommend implementing R80.10 gw’s? What about spec considerations?
R80.10 has some nice improvements:
Improvements for the new way of collecting identities using Identity Awareness.
IPSec VPN can use multiple cores.
Better port usage when many users are using hide-NAT.
These are not the only enhancements, and you can read the release notes here: http://dl3.checkpoint.com/paid/56/5649cd2cfae97e742adf544ac0bf5c61/CP_R80.10_ReleaseNotes.pdf?HashKey=1505031653_c73135bb203a3d419702ff81bed599d7&xtn=.pdf
I would put the R80.10 gateways in the same place as the previous versions.
Regarding specs, if you have gateways only processing IPSec VPN tunnels, you could now make do with a lower-specced machine, since it can now use all cores for this.
I've been talking to a guy running R80.10 and he says he has run into a lot of bugs. I would hold off on this version until it gets cleaned up and improved.
I have seen issues with gateway CP processes and failed communication to the management server forcing reboots to push policy.
Just came across a report from Insight about this so thought I'd share:
2.6% of the Check Point devices reporting data via Indeni Insight are running R80.10, vs 62% running R77.30. So there's no doubt it's still in early stages of rollout across customers.
Plain and simple, R80.x is the way to go for management, but that is it. I would avoid upgrading gw's to the newest. I say this not due to bugs as others cite, but there are no real differentiating benefits from R77.30 (if that is where you are upgrading from).
Spec considerations are a big deal. We see in the field many times that management appliances, those designed to manage complex environments, are being bogged down due to low memory. Many organizations have to upgrade their hardware just to upgrade to R80.10 for management, and the same can be said for the gateways.
R80.20 will bring complete optimizations of management, gateways, cloud and endpoint. New things are right around the corner, so if upgrading at all, I'd wait until 80.20.
Update: a month later and 4.5% of CHKP devices in Indeni Insight are running R80.10.
One reason to consider upgrading on the gateway side is the eventual retirement of R77.30 from a support perspective.
Of course, I know people still run R65 (or earlier) in production, so that's probably not enough motivation for some.
Another few months have passed and R80.x based devices are becoming more common. We’re at 12.2% now!
Someone made a valid point to me today: R80.10 is a release that is mostly targeting management functionality. It makes sense to expect customers to upgrade their management servers and wait to upgrade their gateways until there’s a release with considerably more gateway-focused functionality.
So, ran the query on our trusty Indeni Insight. 41.6% of the Check Point management devices Indeni is currently connected to are running R80 or R80.10.
How Customers Use Check Point Firewalls Around the Globe
For those tracking this thread - R80.20 was just released and packs a whole bunch of performance improvements. Worth taking a look: