PDA

View Full Version : Check Point R76



PhoneBoy
2013-02-24, 21:23
There's a lot of stuff in this release. Especially around IPv6 :)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91140

David.Baldwin
2013-02-25, 09:54
From the link:

Monitoring: Netflow service support to collect data on traffic patterns and volume

A quick look through the documentation package and release notes did not turn up anything about Netflow.

Where might I find out more info??

Carsten
2013-02-25, 14:37
Actually it does say Netflow is supportet.

RayPesek
2013-02-25, 22:53
There's a lot of stuff in this release. Especially around IPv6 :)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91140

Do you have any insight on how R76 compares to R75.46 patch-wise? Generally when they are released this close, the higher version one is further behind.

Thanks,

Ray

PhoneBoy
2013-02-26, 01:04
Not all the R75.46 patches are in R76. I don't have an exact list. You also can't manage R75.46 from R76. This will be addressed in R76.10.

cciesec2006
2013-02-26, 06:29
Not all the R75.46 patches are in R76. I don't have an exact list. You also can't manage R75.46 from R76. This will be addressed in R76.10.

This is really messed up. According to the released notes:

You can upgrade these Security Management Server and Security Gateway versions to R76:
R71.50
R75 , R75.10, R75.20, R75.30, R75.40, R75.45, R75.40VS

In other words, you can NOT upgrade from R75.46 to R76.

Nice works.

RayPesek
2013-02-27, 19:47
In other words, you can NOT upgrade from R75.46 to R76.

I'm sure you left off "yet" at the end of your response.

alienbaby
2013-02-27, 23:43
I'm sure you left off "yet" at the end of your response.

Nope. Thats the way it will remain. You'll likely be able to go from R75.46 to R76.10 or something like that..

RayPesek
2013-02-28, 07:18
Sorry for my imprecise wording. That is what I meant. If R75.46 has some newer pieces-parts it would in some respects be a downgrade. I think this happened in a previous version as well and it certainly is not an uncommon practice. When I do my next Websense upgrade, I need to back out at least one patch before the upgrade can continue.

I do like the way Imperva does their gateway upgrades, though. They seem to lay down the new version in its entirety using a temporary root folder name, migrate the configuration from the old to the new, delete the old and then rename the new. You can tell some of them came from Check Point: centralized and very capable management and 99.9% of the gateway's configuration is stored on the management server. Websense by contrast is a mess: must upgrade devices and software components in a very particular order, must big-bang the upgrade by upgrading 100% of the components or it doesn't work, different backup methods for each subsystem, and it seems to be fragile. At least the desktop agents only go into read-only mode if not upgraded instead of stopping working. You don't dare do a rapid upgrade to a new patch or release until you've let the more foolhardy people report the problems.

Ray

ericgearhart
2013-03-02, 17:47
From the link:


A quick look through the documentation package and release notes did not turn up anything about Netflow.

Where might I find out more info??

On the Gaia web management UI there is Netflow support in R76... I threw up a VM running R76 at work just to play with it. I haven't pointed the gateway at my SIEM netflow collector yet to test, but I assure you netflow is in the web UI. You simply add netflow destinations and I'm assuming it'll start pushing out netflow data.

PhoneBoy
2013-03-02, 20:11
To correct and clarify a couple of things:

1. R76 can manage R75.46 (this was verified and the release notes have been updated).
2. The path from R75.46 is expected to be R76.10

cciesec2006
2013-03-02, 22:08
To correct and clarify a couple of things:

1. R76 can manage R75.46 (this was verified and the release notes have been updated).
2. The path from R75.46 is expected to be R76.10

Hi PhoneBoy,

I just upgrade my box to R75.46 one day prior to Checkpoint release R76. Therefore, I can NOT upgrade my P-1 to R76 :-(

When will checkpoint expect to release R76.10 for poor guy like me?

PhoneBoy
2013-03-03, 01:47
Work is already underway on R76.10 and the goal is to not let too much time go between R76 and R76.10. Beyond that, I can't get into specifics. :)

Carsten
2013-03-03, 04:20
I think most companies will not use any Rxx version without a following dot anyway.
Even if there was a test period, every first release has bugs.
The following releases will have bugs, too, but hopefully the worst will be fixed with the .10 releases.

Personally I am most interested in what Check Point did regarding Identity Awareness, like if cross CMA identity sharing out of the box is possible now, or mixing users from different AD domains in one group.

alienbaby
2013-03-06, 14:53
Awesome.. We're turning this thread into 'the feature we are most waiting for'..

My Wishlist

1. Inbound/outbound Zones; CheckPoint has dozens, if not hundreds of RFEs for this feature
2. Merging of Application Control, Geo Protection, URL filtering etc into the Security Policy tab.
3. Elimination of use_largest_subnet behavior in VPN topology
4. Multiple Read/Write administrators in the same CMA/SCS at the same time; been asking for that one for a decade; Messagebus based architecture in my skull; somebody from CheckPoint just ask
5. Make SecureClient/SecuRemote office mode functionality free.
6. Anti-spoofing takes configuration from gateway's routing table; Refer to previous posts
7. Allow colon character (IPv6) in object name; maybe R76 does this, haven't fired it up yet.
8. Per gateway encryption domains for each VPN community
9. Optional FPGA for IPS and/or Application Control and/or VPN offload and/or SecureXL and/or SSL decryption ..........
10. Gateway transmits syslog to syslog server (maybe per rule), in additional to normal logging to CMA/CLM/SCS
11. Control/configure routing table using Cluster/gateway object, instead of direct OS configuration
12. Break up code and configuration into separate directory trees.
13. CLI commands for listing/creating/deleting/changing objects
14. Human readable debug for VPN.
15. Merge VPN Tunnelutil functions into SmartView Monitor
16. Sub-Policies.
17. Limit specific Administrators to specific policies/tabs


I've got dozens and dozens more..

peter42
2013-03-11, 04:50
For those who haven't noticed already, CP removed the last Solaris support with R76.

PhoneBoy
2013-03-20, 09:35
Solaris support was also not present in R75.40VS either. Then again, lack of Solaris support going forward was something we announced a bit ago, I believe.

Meanwhile, the Gaia Admin Guide for R76 now contains proper documentation about Netflows (it did not previously): Check Point Software Technologies: Download Center (http://supportcontent.checkpoint.com/documentation_download?ID=22928)