CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Version Confusion (HFA40 etc)

  1. #1
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Version Confusion (HFA40 etc)

    Not addressing what may or may not be broken just what was released...

    HFA-40 -- Hotfixes for VPN-1 Gateways (HFA4.0)

    R65.2.100 -- VoIP specific features for a gateway (AKA Andromeda)

    R65.4 -- HFA40 and a bunch of plug-ins for SmartCenter
    Connectra R66
    VSX R65
    VoIP
    SmartProvisioning (May or may not be production ready, I don't have a solid answer on this yet)
    Messaging Security (Anti-spam)

    R65.4 SmartConsole -- GUI for all of this

  2. #2
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    14

    Re: Version Confusion (HFA40 etc)

    Hi Jim,

    Appreciate the clarification, but let's dig a little deeper -

    HFA_40 - Includes SmartProvisioning and Endpoint Connect and some hotfixes. There's more features than fixes, and still missing a *lot* of fixes that for some reason CP doesn't seem interested in putting in a consolidated fix... I really wish this was just hotfixes...

    Doesn't support 2.6 kernels, multi-core/CoreXL, IPSO 6 or Power-1 Appliances with CoreXL. All of which look like HFA dead-ends until R70 comes out.

    R65.2.100 - As the numbering suggests, is built based around HFA_02, and does NOT support an upgrade path from anything above this, according to the release notes. Also requires a license that as yet has not been documented to turn on most of the features in the release. Yes, now we have to pay for some of VoIP, which I guarantee will turn licensing into a support problem, just like Messaging Security....

    R65.4 - Compilation of HFA_40, R65.2.100, Connectra R66, VSX Plugins and Messaging Security (which itself was part of HFA_30). Note plugins... these are a compatibility nightmare, and make migrations incredibly messy. I'd be terrified of any upgrade/downgrade/migrations that have this involved - the permutations are way too complex.


    To me, R65.4 looks a lot like what happened at the end of the R55 cycle, with R55W/P etc diverging from the main codebase and confusing the heck out of everyone who assumed that newer=better/recommended. It's *very* unclear whether R65.4 is yet another path that will diverge as far as HFAs are concerned, but there's certainly not a lot of good direction from Check Point as to what all these releases mean, and what we as users and partners should be looking to deploy.

  3. #3
    Join Date
    2008-09-02
    Location
    Luxembourg, Luxembourg
    Posts
    156
    Rep Power
    11

    Re: Version Confusion (HFA40 etc)

    Hi melipla,

    Endpoint Connect is the forthcoming Check Point unified client. From my understanding, it is some successor to SecureClient with many NAC / encryption features to provide a full "endpoint" security package.

    We're currently beta-testing this stuff. Pretty powerful but far from being stable.

  4. #4
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Re: Version Confusion (HFA40 etc)

    Endpoint Connect has been available on Connectra for about a year now. It is a lighter-weight IPSec client with the ability to run an endpoint scan ala ICS/ESoD. The "Intent" is to focus development efforts here instead of SecureClient (With its firewall/enforcement features being superseded by Secure Access (Integrity)).

    Personally I like it better than SC. It seems faster. I have not figured out how to manage it on VPN-1 R65_HFA40 yet though.

  5. #5
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Re: Version Confusion (HFA40 etc)

    This is my understanding and by no means official (though I will try to find an official answer).

    Originally Posted by Thorpuse:
    > HFA_40 - Includes SmartProvisioning and Endpoint Connect and some hotfixes. There's more features than fixes, and still missing a *lot* of fixes that for some reason CP doesn't seem interested in putting in a consolidated fix... I really wish this was just hotfixes...

    Yes, this is more like a "Feature Pack" than what we've been seeing as an HFA. Most (maybe all) the "add-ons" were available in special builds.

    > Doesn't support 2.6 kernels, multi-core/CoreXL, IPSO 6 or Power-1 Appliances with CoreXL. All of which look like HFA dead-ends until R70 comes out.

    Yup, you are right as far as I can tell. R70 FWIW is SPLAT 2.6.

    > R65.2.100 - As the numbering suggests, is built based around HFA_02, and does NOT support an upgrade path from anything above this, according to the release notes. Also requires a license that as yet has not been documented to turn on most of the features in the release. Yes, now we have to pay for some of VoIP, which I guarantee will turn licensing into a support problem, just like Messaging Security....

    AFAIK just the "new" features of the VoIP gateway will require a different license, but no, there is no information in the field as of yet.

    > R65.4 - Compilation of HFA_40, R65.2.100, Connectra R66, VSX Plugins and Messaging Security (which itself was part of HFA_30). Note plugins... these are a compatibility nightmare, and make migrations incredibly messy. I'd be terrified of any upgrade/downgrade/migrations that have this involved - the permutations are way too complex.

    R65.3 and now R65.4 are also designed to fix some of the plug-in mess we got into early on. The idea from the beginning was for plug-ins to be released and then rolled up in an HFA-like manner.

    > To me, R65.4 looks a lot like what happened at the end of the R55 cycle, with R55W/P etc diverging from the main codebase and confusing the heck out of everyone who assumed that newer=better/recommended. It's *very* unclear whether R65.4 is yet another path that will diverge as far as HFAs are concerned, but there's certainly not a lot of good direction from Check Point as to what all these releases mean, and what we as users and partners should be looking to deploy.

    R65.4 is trying to pull in all the divergent code-bases so we don't end up with the R55/w/p/R56 mess just before R70 is released.

    As for R65.4, it is HFA40 for Management with the plug-in rollup. HFA50, etc. will be supported on it.

  6. #6
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    14

    Re: Version Confusion (HFA40 etc)

    Originally Posted by chillyjim:
    > Endpoint Connect has been available on Connectra for about a year now. It is a lighter-weight IPSec client with the ability to run an endpoint scan ala ICS/ESoD. The "Intent" is to focus development efforts here instead of SecureClient (With its firewall/enforcement features being superseded by Secure Access (Integrity)).
    >
    > Personally I like it better than SC. It seems faster. I have not figured out how to manage it on VPN-1 R65_HFA40 yet though.

    There's a document in SecureKnowledge that is supposed to explain the integration in HFA_40 (Endpoint Connect R65.4 Admin Guide) but it has its privilege level set so that I can't download it. Maybe a CP employee would have more luck....

  7. #7
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Re: Version Confusion (HFA40 etc)

    Originally Posted by Thorpuse:
    > There's a document in SecureKnowledge that is supposed to explain the integration in HFA_40 (Endpoint Connect R65.4 Admin Guide) but it has its privilege level set so that I can't download it. Maybe a CP employee would have more luck....

    Give me the SK# and I'll see. The one I found made the admin guide look useful :)

  8. #8
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    14

    Re: Version Confusion (HFA40 etc)

    The link has been fixed now, doc ID 8631.
