Check Point appliances refresh: how do you compare?
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.This article reports on indeni Insight data showing that Check Point 2012 and newer appliances now account for almost three quarters of firewalls monitored, a substantial increase from under half ten months earlier, reflecting an ongoing appliance refresh trend. It discusses how organizations commonly use the summer months to perform hardware and software upgrades because approvals and maintenance windows are easier to obtain before holiday change freezes. The piece emphasizes that Check Point recommends full rebuilds when upgrading firewalls (even for software-only upgrades), warns of configuration drift risks such as missing routes or kernel parameter changes, and advises thorough testing pre- and post-deployment.
What evidence does the article provide that Check Point appliance upgrades are accelerating?
The article cites indeni Insight telemetry which shows that 2012 and later Check Point appliances now represent almost three quarters of the firewalls the service is connected to, compared with less than half ten months earlier (referencing a prior September report). This shift demonstrates a significant move toward newer appliances across the user base. The article also notes that many organizations take advantage of the summer period to complete hardware and software upgrades, contributing to the faster refresh cycle.
Why does the article recommend performing a full rebuild when upgrading a Check Point firewall instead of restoring a backup?
According to the article, Check Point’s recommended upgrade method is a complete rebuild even for software-only upgrades because most critical configurations, particularly the security policy, reside on the management server rather than the appliance. Rebuilding avoids issues that can arise from direct restore operations, but the article warns that rebuilds can still introduce problems such as missing routes, altered kernel parameters, or lost SecureXL settings. Therefore, thorough testing before and after putting rebuilt appliances into production is advised.
What operational timing and risks should organizations consider when planning Check Point appliance refreshes?
The article observes that organizations often schedule upgrades in the summer when maintenance windows and executive approvals are easier to secure and before holiday change freezes. It also highlights operational risks associated with the rebuild upgrade approach: configurations can change unexpectedly (for example routes, kernel parameters, and SecureXL settings might be lost). The recommendation is to test extensively both prior to and after deployment and to be mindful that older appliances in the field generally remain supported until April 2017, giving teams time to plan upgrades carefully.
We often get asked if we have data pertaining to the upgrade processes and cycles of Check Point users around the world. The short answer is, YES. The longer one, is that thanks to our indeni Insight service we get a deep view into the Check Point firewall user base. Once in a while, we publicly share the findings we’ve come to based on that data, like we did last September.
Today we’ll take a look at the appliance refresh process across our user base. Apparently the 2012 (and later) appliances are gaining a stronger foothold with almost three quarters of the Check Point firewalls indeni is connected to being these newer appliances. This is in contrast to less than half, just 10 months ago (see the September report referenced above).
This is a pretty good ratio, considering most older appliances still have until April 2017 before they reach end of support.
In our daily conversations with Check Point customers (some, who are not indeni customers, yet) we see that summer-time is being utilized to complete hardware and software upgrades. It is usually a more relaxed time and easier for the higher ups to approve maintenance windows. It is also before the holiday season, a time of change freeze for most companies.
During this process, we suggest you keep in mind that the recommended way of upgrading a Check Point firewall is through a complete rebuild, even in the case of just a software upgrade. This is better than simply backing up the firewall configuration and restoring it. It is possible because most of the interesting configurations – the security policy – are actually stored on the management server.
However, this approach can also result in issues – routes that are missing, kernel parameters that are no longer set the way they should, SecureXL settings that have been lost, etc. So be extra careful and test things thoroughly before putting the new firewalls in production, as well as after. The list of top 10 issues people run into when working with Check Point firewalls can be found here.
Happy upgrading!
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.