CP Gossip – Releases, routing, IA, bugs

OK so assume this is Dear Abby or a gossip column. So verify everything I say.

1) R75.20 and up has been a bug-ridden disaster. Too many features jammed into too little time with too little QA. Make sure the Abra stick works with the DLP on 64-bit GAIA on the new appliances with the new VSX Firewall architecture integrated with SmartWorkflow and the GRC blade with AntiSpam and AntiBot, but don’t forget that technical gem of a licensing system which barely functions and blah blah blah, etc. The code is turning into feature-based spaghetti. God bless those support people.

In January 2014 CP will go back to QA-based releases vs marketing/feature releases. Hopefully the old reliable, steady, solid product days are ahead of us.

2) Routing is working better but still broken in cluster environments. Make sure you ask for the latest patches. Basically, if you don’t care if it takes a while to re-populate routes on failover or upgrades, then no problem. But if you have a 24×7 HA requirement, then you should wait. I hear rumors that the clustering people are finally having lunch with the routing people and talking.

My opinion is clustering and routing should use 1 set of commands and be seamless between them. cphastop should do a drouter stop and vice versa. And you shouldn’t have to manually load routing tables to do a full connectivity upgrade. It should all be baked into cphastop… period. Enough said.

3) Identity Awareness: In large environments there are issues with talking to a large number of DCs. I will write something up next. Stay tuned. Lots of patches here also.

4) I’ve got several customers reporting that their R75.40 -> R76 clusters are randomly seizing and failing over, but statefully. Long-term state protocols like FTP are failing. I have also seen this. Seems to be on high-use connection systems, even when the box is 90% idle but has lots of connections. Not good. Not sure if this is getting visibility in CP.

5) GAIA Radius into /bin/bash: Hey, they finally allow non-local users to go into a /bin/bash shell! They fixed it.

So the good news is it’s getting better; it’s just going to take some time.

cpstop,

dreez

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
