Check Point R80.30 with Gaia 3.10

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk152652
Technical Level
Product	Data Center Security Appliances, Enterprise Appliances, Security Gateway, CloudGuard Gateway
Version	R80.30
OS	Gaia
Platform / Model	16000, 26000, Open Server, VMWare ESX, 23000, 3000, 6000
Date Created	04-Jul-2019
Last Modified	13-Feb-2020

Solution

Table of Contents:

Introduction
Key Features
Supported Platforms
Downloads
Resolved Issues
Known Limitations
Documentation

Introduction

R80.30, part of the Check Point Infinity architecture, delivers the most innovative and effective security that keeps our customers protected against large scale, fifth generation cyber threats.

This release introduces R80.30 3.10 for Security Gateway and VSX, with major enhancements in firewall resiliency and Clustering mechanism.

This release is considered as a Main Train release, however it is not part of the Check Point R80.30 Release and requires a dedicated image. Note it can be managed by a Check Point R80.30 Security Management Server, which already supports the 3.10 kernel.

Starting August 2019 this release will be supported by a Jumbo Hotfix Accumulator release for both R80.30 3.10 and standard R80.30 versions.

R80.30 3.10 can be managed by the following Security Management Server releases:

R80.30
R80.20 with a supported Jumbo Hotfix Accumulator
R80.10 with a supported Jumbo Hotfix Accumulator (will be available soon)

Contact Check Point Support to obtain a special Hotfix for R80.10 and R80.20 based on your current Jumbo Hotfix Take.

Key Features

Improved firewall resiliency
Support for IPv6 (resolving R80.20 3.10 limitations)
Support for Dynamic CLI - Enhancing Gaia Clish with new Expert mode commands. See sk144112.
Clustering and VSX capabilities:
- Unicast support for Cluster Control Protocol eliminating the need for CCP using Broadcast or Multicast modes
- MAC magic configuration is no longer needed
- CCP encryption is enables by default
New kernel capabilities:
- Upgraded Linux kernel
- New partitioning system (gpt):
  - Supports more than 2TB physical/logical drives
- Faster file system (xfs)
- Supporting larger system storage (up to 48TB tested)
- I/O related performance improvements
- Multi-Queue (see sk153373):
  - Full Gaia Clish support for Multi-Queue commands
  - Automatic "on by default" configuration
- SMB v2/3 mount support in Mobile Access blade
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
- Support of new system tools for debugging, monitoring and configuring the system:
  - iotop (provides I/O runtime stats)
  - lshw (provides detailed information about all HW)
  - lsusb (provides information about all devices connected to USB)
  - lsscsi (provides information about storage)
  - ps (new version, more counters)
  - psmisc (new version, more counters)
  - top (new version, more counters)
  - iostat (new version, more counters
New glibc: glibc-2.17-157
New ethtool: ethtool-4.8-7
New Bash: bash-4.2.46-29
lbzip2 support (free, multi-threaded compression utility)
xz support
rsync support

Supported Platforms

Product	Details
3600 appliances	Refer to sk110052.
6200, 6600, 6900 appliances	Refer to sk139932.
16000 and 26000 appliances	26000/26000T, 16000/16000T
23000 appliances	23500, 23800, 23900
CloudGuard	VMWare KVM Hyper-V AHV AWS Azure Google Cloud Platform
Open Servers	Refer to the Hardware Compatibility List.

Downloads

	Take #	Date	Clean Install	CPUSE Upgrade
26000/26000T, 16000/16000T 23500, 23800, 23900 CloudGuard Open Servers	Take 300	23 September 2019	(ISO)	(TGZ)
6200, 6600, 6900 3600	47	13 January 2020	(ISO)	N/A

Also see sk153152 - Jumbo Hotfix Accumulator for R80.30 (R80_30_jumbo_hf)

Note: Starting from Take 50 of R80.30 Jumbo Hotfix Accumulator:

Each Jumbo Hotfix Take is based on Check Point R80.30 with Gaia OS 2.6.18 GA Take 200 or Check Point R80.30 with Gaia OS 3.10 (R80.30 3.10) GA Take 273.
Each Jumbo Hotfix Take supports all R80.30 3.10 platforms and can be installed on CloudGuard IaaS products AWS, Azure, GCP.

Resolved Issues

R80.30 with Gaia 3.10 Take 300
ID	Description
GAIA-6457	In a rare scenario, memory leak appears when sending fragmented Multicast traffic
GAIA-5914	Drop templates are not disabled for USFW (User space Firewall mode).
GAIA-6172	In some scenarios, a new hotfix installation via CPUSE fails on VSX. Refer to sk159713.
GAIA-5883	In rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization.
GAIA-6397	In some scenarios, traffic does not pass in VSX setup with VS-VSW-VS topology and some Threat prevention blades enabled on VSs.
GAIA-6324	In some scenarios, sending IP fragmented traffic through a Virtual Switch or Virtual Router fails with "Virtual defragmentation error".
GAIA-6325, PMTR-39660	In a rare scenario, when SecureXL is enabled, a VSX gateway may crash. Refer to sk160912.
GAIA-6260, STRM-149	In some scenarios, a remote client disconnects after one hour although the session is not idle. Refer to sk160213.
GAIA-6383	Improved scalability and resiliency of URL Filtering service.
PRHF-4499, PRHF-3608	On cluster, Drop templates are disabled on reboot. Refer to sk153412.

Known Limitations

ID	Description
-	Stand-Alone deployment is not supported.
-	Connеctivity upgrade is not supported.
GAIA-3380	The 'raid_diagnostic' utility does not work for open servers.
GAIA-2649	On CloudGuard for AWS, the 'ethtool -G' command is not supported.
GAIA-2648	On CloudGuard for Azure, the 'ethtool -G' command is not supported.
GAIA-2650	On CloudGuard for AWS, speed and duplex information is not available when using the ethtool.
GAIA-3205	Cannot change interface link speed to 1000MB after it is changed to 100MB.
GAIA-3180	On HP Open servers with onboard NIC, Interface status in the switch might show as "Connected" even though the state in Gaia is "off".
GAIA-3345	Changing the MTU on the directly connected switches may cause drops of fragmented traffic due to a MTU mismatch.
ACCL-417	The following were removed: CPView Network -> Top-Protocols and Network -> Top-Connections tabs.
GAIA-3957, GAIA-3944	When running the Hardware Diagnostic options of the RMA tool, "ipsctl_get_family_id:received error" messages may appear. These error messages can be safely ignored.
GAIA-3490	10GbE i40e NICs determine their link-speed based on the type of connected transceiver (1G ot 10G) and cannot be changed manually.
GAIA-4937	Installing R80.20, R80.20.M2 and R80.30 Security Management Server with CPUSE or Blink on a machine previously installed as a R80.30 Security Gateway that uses the Linux Kernel version 3.10 is not supported. Instead, it is possible to perform a clean install using an ISO file.
GAIA-4849	OSPF is not supported with unnumbered VTIs.
GAIA-5914	Drop templates are not disabled for USFW (User space Firewall mode). Fixed in R80.30 with Gaia 3.10 Take 300
GAIA-6184	"Error while stopping check point processes" error when installing packages on a VSX environment.
GAIA-4573	Upgrade is only supported between kernel 3.10 versions (R80.20 3.10 and R80.30 3.10)
GAIA-6992	CPUSE Clean install is not supported for 23000 appliances.
GAIA-5737	Duplicate ping messages may appear when configuring bonding groups (~30 sec), one over the X722 based network interfaces and the other on Intel X710 Based network interfaces.
GAIA-5732, PRJ-2583	The fw ctl multik utilize command is not supported in the User Mode Firewall (USFW).

Documentation

Administration Guides

R80.30 3.10 Release Notes