CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1, 2006-11-27, RayPesek (Senior Member)
Need a version roadmap with end-of-support dates and a simplification of the products

I gotta tell you, I am one confused individual about the NGX product line. We have R60 up to HFA04, we have R61 up to HFA01 (which includes R60 HFA04 but no VoIP fixes), we have R62, the equivalent of R60 HFA04, but no VoIP fixes and maybe or maybe not the R61 HFA01 fixes, we have Connectra R60 with HFA01, R61 with HFA01 and we have R62. Then we move into the SecureClient line, which was easy to understand until this Integrity SecureClient moniker came out.

So, is R60 the same as R61 the same as R62 the same as the forthcoming R63 in terms of support lifetime? Or does a higher "R" number mean a later end-of-life date? After a certain number of HFA's come out, can we expect a new "R" that incorporates all of the HFA's with a few new features, or what?

This "spaghetti code" of versions is concerning me a bit. If it's hard for us to keep up on what does what when, it seems logical that all sorts of regression errors are going to start popping up as well.

It's also a concern when trying to decide what to upgrade to and why. An HFA is pretty simple to understand and get approved. Version upgrades always raise a red flag.

Thanks for listening,

Ray

#2, 2006-11-27, BarryStiefel (Administrator)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Quote, originally posted by RayPesek:
I gotta tell you, I am one confused individual about the NGX product line. We have R60 up to HFA04, we have R61 up to HFA01 (which includes R60 HFA04 but no VoIP fixes), we have R62, the equivalent of R60 HFA04, but no VoIP fixes and maybe or maybe not the R61 HFA01 fixes, we have Connectra R60 with HFA01, R61 with HFA01 and we have R62. Then we move into the SecureClient line, which was easy to understand until this Integrity SecureClient moniker came out.

So, is R60 the same as R61 the same as R62 the same as the forthcoming R63 in terms of support lifetime? Or does a higher "R" number mean a later end-of-life date? After a certain number of HFA's come out, can we expect a new "R" that incorporates all of the HFA's with a few new features, or what?

This "spaghetti code" of versions is concerning me a bit. If it's hard for us to keep up on what does what when, it seems logical that all sorts of regression errors are going to start popping up as well.

It's also a concern when trying to decide what to upgrade to and why. An HFA is pretty simple to understand and get approved. Version upgrades always raise a red flag.

Thanks for listening,

Ray

I'm with you on this, Ray. I'm frustrated by this also. I'm currently using R60 HFA-04 in my classroom because it seems to work and I keep hearing about problems with later versions and customers forced to do a complete re-install back to an earlier version.

I can't imagine there's anything other than some bizarre sales/marketing/revenue goal to motivate Check Point to do this. NGX has been out for a year already; I guess it's still not really ready for production. Paying customers should not each be forced to contribute thousands of dollars in labor costs towards Check Point's beta testing program.

#3, 2006-11-28, northlandboy (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Hear hear - and you're just covering versions, not all those stupid name changes. I still haven't figured all that out: what precisely is the difference between UTM/Power/whatever and where each should be deployed. They don't seem to allow name changes to bed in - e.g. Express didn't seem to be around all that long.

sk32083 helps a little with HFA/version comparison, but still leaves questions - e.g. VoIP fixes.

But now if you look at the R61 HFA01 hotfix release notes, you realise that you also need to look at the R60 HFA 04 release notes, in order to work out the total list of things that have changed.

As for regressions....sigh....look at all the RTSP/hide NAT issues...multiple fixes across multiple code branches. And as for daylight savings, a simple issue that comes around twice a year, regular as can be....there's just no excuse for the fact that they continue to fix then break this. You have no idea if a version is going to handle it or not. Just because the last version did, doesn't mean anything. Rather poor code management.

#4, 2006-11-28, RayPesek (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

I think "UTM = Express" and "Power = Pro", but it seems odd if correct, because it would imply to a newcomer that Power does not have unified threat management.

It can't be a marketing thing, which is what I first thought, because there's no mention of specific versions in their marketing. I think it was chillyjim who said the new "R" number thing was to introduce new features in lieu of FP numbers, but it's still way confusing.

Barry, you're worrying me here. I was going to go the R55 -> R62 upgrade route but I don't have the downtime available for a couple of complete installs. Can you elaborate, maybe in a different section, what you've heard of?

Thanks,

Ray

#5, 2006-11-28, abusharif (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

I'm running around 20ish NGX R60 installations, both in cluster and standalone. Yes, without hotfixes you can encounter a few strangish bugs, but HFA_04 is stable imo. SmartDefense still doesn't have high status on my list (mildly expressed).

R61 and R62 I haven't installed yet in a production environment, mostly because of the absence of VoIP hotfixes in those "higher" versions.

My recommendation: if you have to go NGX, go R60 HFA_04 and stay there for a while.

#6, 2006-11-28, BarryStiefel (Administrator)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Quote, originally posted by RayPesek:
I think "UTM = Express" and "Power = Pro", but it seems odd if correct, because it would imply to a newcomer that Power does not have unified threat management.

It can't be a marketing thing, which is what I first thought, because there's no mention of specific versions in their marketing. I think it was chillyjim who said the new "R" number thing was to introduce new features in lieu of FP numbers, but it's still way confusing.

Barry, you're worrying me here. I was going to go the R55 -> R62 upgrade route but I don't have the downtime available for a couple of complete installs. Can you elaborate, maybe in a different section, what you've heard of?

Thanks,

Ray

I had a student who wanted to upgrade from R60 to R61 and got multiple assurances from Check Point that R61 was stable and that he could always just roll back to R60 if the upgrade didn't work out. Both statements ended up being false. The upgrade wouldn't work and he couldn't roll back. Some of his functionality was down for days, and he had to do a complete reinstall of R60. He lost several thousand dollars in labor costs. There were even plane flights back and forth to Dallas, with Check Point offering free licenses/support contracts to try to repair the damage to the relationship.

I've heard from several other people now that:

1. The current version situation (R60, R61, R62, UTM, Power, etc.) is a complete mess. Nobody can answer the question "What's the current version" with less than a paragraph of explanation.

2. NGX still isn't stable, but R60 HFA-04 is the most stable.

3. Upgrades are problematic; fresh installs seem to work better.

Someday I'd like to introduce their marketing department to their software developers, because they've apparently never met.

Barry

#7, 2006-11-28, Acidio (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Interesting comments. My only knowledge of the difference between R60 and R61 is changes to management only. No changes were made to the gateway components - whatever that means. This info came direct from a contact I have at Check Point.

As to the later releases/hfa's - I'm in the same camp as you. Very confusing and not at all reassuring.

My thoughts are they are trying to rush through tying in the "UTM" image/functionality as all vendors seem to be touting this. Not doing a great job however.

#8, 2006-11-28, RayPesek (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

One thing that would help me in R61/R62 is the ability to read Connectra logs in a usable method. The web GUI that comes with it is, well, poor.

The VoIP fixes are really weird. I was considering going to R62 on the management server and R60 et al on the gateway since we're starting to deploy softphones for emergency use. Then I saw that the VoIP fixes must be installed on the gateway and on the SmartCenter, blowing that plan out of the water.

Ray

#9, 2006-11-29, Acidio (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Hi Ray,

Silly question (you'll probably say been there, done that), but are you logging Connectra into SmartView Tracker? And next question, what logging is it you're referring to - traffic, OS or something else?

Just interested.

#10, 2006-11-29, RayPesek (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

I'm on R55, so I cannot log Connectra in SmartviewTracker, but I need to for efficient log reviews.

I actually installed a VM and put R62's SmartCenter on it with the 15-day eval. When it expired, I used the key on the back of the R62 case to get a 30-day eval extension.

So now I have two SmartCenters, the real R55 one and the VM R62 one that I am using with Connectra R62.

On Dec. 16th I'll either be back to one SmartCenter or I'll have the R55 one on R61/62.

Did I answer your questions?

Ray

#11, 2006-11-29, Acidio (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Of course R55 doesn't do Connectra logging. What was I thinking - too many versions to keep up with!

We've got an R60 CP box doing the logging which works a treat. By the way, the license key on your media kit should give you two 30 day evals - well they used to.

#12, 2006-12-20, seanmac1904 (Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

If you define your Connectra as a Check Point host in R55, it will log.
Establish the SIC and off you go.

Cheers

Sean

#13, 2006-12-21, chillyjim (Senior Member)
Support Dates

Are now posted on http://www.checkpoint.com/services/l...t_periods.html

#14, 2006-12-21, RayPesek (Senior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

Thanks, Sean! I will try that tomorrow if I remember.

Ray

#15, 2007-02-08, stextor (Junior Member)
Re: Need a version roadmap with end-of-support dates and a simplification of the prod

I feel the need to weigh in on these comments as well. I've been through so many name / version changes that I don't touch the Mgt Srv / Enforcement points anymore, other than for reading logs via Smartviewer (or is it Log Tracker or is it UserTracker or maybe etc...). I also will just push policies. I'm done with upgrades after this HFA_04 patch. I think that Check Point needs to get their act together or risk losing many customers. And as far as their 'Knowledge Base' and overall support is concerned... Let's just say I'm not a happy camper. :)

Regards
Steve