PhoneBoy
Admin

Check Point R80.20 Demo TechTalk and Q&A

In this session, Tomer Sole‌ and Valeri Loukine‌ discuss and demonstrate R80.20: both the "M1" version that is already released, and the upcoming R80.20 that will also include gateways.

Recording of the video is below and available to CheckMates members.

Note: During the session, we received a significant number of questions (over 200!).

We will provide answers as comments to this post in the coming days.

Video Link : 6546

Download: R80.20 and R80.20.M1 Demo

Some links Tomer Sole‌ showed during the talk:

4 Replies
PhoneBoy
Admin

Some of the questions asked (and answers):

When a policy push is in process, can another user also push policy?

No, only one policy push can occur at a time currently.

Nobody wants to install add-ons, for instance in R80.10 we have to install the log exporter and auto provisioning for Scale Sets as add-ons. Will they get integrated into R80.20? We would wish it would be integrated into R80.10 with a HFA already. 🙂

These and others are integrated into R80.20.M1. As these components get updated, they will be integrated into future Mx releases.

Can I upgrade from R77.30 to R80.20 in one step?

You can upgrade from R77.30 to R80.20.M1 via CPUSE directly or using migrate export/import (i.e. "Advanced Upgrade").

I saw you publish the session but can you install the policy with the multitasking feature in R80.20.M1?

Yes, provided no one else is installing policy at that moment.

Could I review every session changes' details?

Yes, provided you enable the Session Pane, as shown here:

Tomer_Sole
Mentor

Hi, top questions and answers:

Upgrading:

Where are the release notes for R80.20?

Release Notes for R80.20.M1 are available at https://sc1.checkpoint.com/documents/R80.20_M1/WebAdminGuides/EN/CP_R80.20_M1_RN/html_frameset.htm 

I can't find the upgrade path at CPUSE.

During the webinar I was under the impression that the link to upgrade to R80.20.M1 is in the Gaia web portal directly.

I was informed that in order to upgrade to R80.20.M1 you have to do the following:

1. Visit the R80.20.M1 SK page https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

2. Scroll down to the Download section

3. Copy the CPUSE Identifier.

4. Open your GAIA web portal and navigate to “Upgrade -> Status and Actions”

5. Click on “Add hotfixes from the cloud” and paste the CPUSE Identifier.

Can I migrate from R77.30 directly to R80.20?

Yes, you can upgrade between these versions directly. Keep in mind that in order to get to the faster new file system, it is recommended to use Advanced Upgrade rather than CPUSE.

Did I understand that correctly? Due to the updated kernel it is recommended to do advanced upgrade instead of CPUSE?

The recommendation for Advanced Upgrade over CPUSE is due to the new faster file system that comes with the updated Linux kernel.

Is there any documentation on the advanced upgrade?

Yes, get the Upgrade Guide as part of the Documentation Package at sk123473 and also watch the tutorial at Migrating from R77.30 to R80.10 Using Advanced Upgrade Procedure  

Can you do a CPUSE update later from R80.20.M1 to R80.20 when it is available?

Yes, this is supported.

Can I upgrade from R77.30 Multidomain to R80.20.m1? Is it recommended?

You can upgrade from R77.30 Multi-Domain directly. R80.20.M1 has some features for Multi-Domain customers - Global VPN Communities support, SmartProvisioning and Compliance updates (usually goes hand in hand with Multi-Domain). Please get the SK article to decide: sk123473

Automation and Orchestration:

How does this new version leverage us with automation (maybe with Ansible)?

Check Point has Ansible modules at the official Github account as well as other utils. https://community.checkpoint.com/docs/DOC-1928

Any way to export the configuration / policy (rules, NAT, ... ) directly with R80.20M1 ? In the past for R75.x releases I had to use Web Visualization Tool.

According to sk64501, Web Visualization Tool does not support R80.x

Use the show-package tool to export your policy to HTML: Show Package - Tool to visualize a R80 policy package over HTML pages 

Export to Excel would be great - for reviewing / sharing / exporting the rules.

Exporting to CSV is available with multiple tools, see: Can I export and import a policy? 

Is it now possible to create cluster objects over the API 1.2?

This is coming soon.

Do we plan to move the Management to Python 3?

This is planned, but not for R80.20.

Endpoint Integrated in R80.20.M1:

Can we import an R77.30.03 exported database into R80.20.M1 - it COULD NOT be imported to R80.10.

Yes, this is possible, please note that currently the site shows the wrong upgrade tool path and we will fix it soon.

Will Endpoint work on Multi-Domain environments?

No, this is currently not supported.

How can we migrate the policy from our SmartEndpoint management to R80.20?

If you refer to unifying Endpoint management with network management, currently it is a manual procedure. Check Point Professional Services can help. We plan to provide tools to do that in our next releases.

Will Endpoint be supported on Smart-1 410?

This is supported with R80.20.M1 already, as well as all the other new appliances.

New Linux Kernel:

What is the new file system's name?

The updated Linux kernel uses XFS.

Is the new kernel with R80.20M1 or R80.20?

The new kernel is available for any R80.20-based release including R80.20.M1 and R80.20.

Log Exporter and Web Log Viewer:

Does the log export support encryption?

Yes, encrypted, ca-cert, client-cert, client-secret are all parameters of the cp_log_export command. Visit the Log Exporter Guide thread for more. 

Log Exporter removes the need to set up OPSEC LEA for Splunk?

Yes, that's right, it makes the process simple and secure.

Are there plans to be able to export log searches to .csv file? This worked in R77.30 but in R80.10 we needed to open a different session to export more than what was on the screen.

Use the web log viewer for that. Going forward, this will be the default integrated log viewer inside SmartConsole as soon as the feature difference gets closed.

For log export in web view, is it possible to export more than 1M rows?

Browsing to SmartView in order to have a one-time export of the logs is limited to 1M rows per export. You might be looking for the Log Exporter tool which is a command-line that opens a channel between your log server and an external system. Log Exporter guide 

Are new views and reports going to be available in R80.20M1?

There will be new views in the next available Management Feature Release. You can already check it with the R80.20 Public EA.

Compliance Blade in R80.20.M1:

Compliance was previously free for one year,  is this still the case, or has it changed?

Yes, Compliance is free for the first year. You need to enable it on the Management object to use it. Compliance Blade how-to videos 

Can you configure your own compliance rules?

Visit Compliance Blade how-to videos  to see how to add new Compliance Rules in R80.10. For R80.20 there is a new option to add a script-based Compliance Best Practice. 

Does Compliance need to activate a specific license?

Compliance is a separate license on the Security Management Server. First year is free of charge. 

Management Feature Release:

Can R80.20.M1 manage an R80.20 EA gateway?

R80.20.M1 can manage gateways up to and including R80.10.

Is it only a management server release? Can gateways be upgraded to R80.20?

R80.20.M1 is Management Server (and SmartConsole) only. Once R80.20 is out, you can upgrade both Management and Gateway parts of your systems.

Is this version highly compatible with Multi-Domain scenarios only?

R80.20.M1 contains features aimed for Single-Domain and Multi-Domain customers. I may have focused a little more on large-scale deployments in this session, but features like IOC API, CloudGuard and web log viewer are here for everyone.

If I have R80.20.M1 and want to upgrade the gateways to R80.20 once it is available, do I have to upgrade the R80.20.M1 to R80.20 first and then upgrade the gateways to R80.20?

R80.20 (Management and Gateway) will require a Management upgrade in order to manage R80.20 Gateways.

Updatable Objects in R80.20:

Are Updatable Objects in policy and decryption port mirroring included in R80.20?

Yes, you can try them out with the R80.20 Public EA or Production EA.

Do Updatable Objects work with dynamic objects?

Updatable Objects are technically a new kind of Dynamic Objects, because they do periodic fetching for updates from a Check Point cloud service, but perception-wise yes, they are kind of Dynamic Objects in a sense that you don't need to update them from the Management Server and Install Policy per update.

Will cloud access objects have any impact on SecureXL ?

These objects are accelerated.

Do Updatable Objects require a specific license/blade?

They do not require a particular license just as long as the Management Server and the Gateway are R80.20 and above.

Will new updatable objects be added with hotfixes or more like "application updates"? How often are the objects themselves updated?

More kinds of Updatable Objects will be added via Jumbo Hotfixes. You can configure the duration in which a gateway checks for updated IP/URL/FQDN lists of updatable objects.

Update: Check Point has a cloud service where more types of Updatable Objects, for example, new cloud services, can get added to dynamically. When the admin clicks "import-->Dynamic Objects" from SmartConsole or uses the API, they might see new Updatable Object types to choose from. We will update through CheckMates whenever new types are available to choose from.

Does the MDS need Internet access to UserCenter in order to get updates for these objects?

The specific domain which uses the updatable objects needs Internet access, although there are solutions for getting the updates offline and placing files on the Management server. We will publish an SK once R80.20 gateways become generally available.

Schedule Install Policy in R80.20:

Any use cases that the management requires scheduled policy installation?

We have 2 types of customers - ones that install their policies right away after every approved change, and ones that choose to aggregate changes and schedule policy installations to the off hours. We do not have a particular recommendation and it's up to customers to choose their working model. A repeating request from customers that install policies at given times is that they have to plan it and have a person running it. With the next Management Feature Release we wanted to make this an easier flow.

Can you get an email once policy installation is completed?

This is possible today with SmartEvent Automatic Reactions. We plan to simplify this in our next releases.

Does scheduling the install only install when there are pending changes or does it install every time anyway?

Schedule Install Policy currently installs every scheduled time.

SmartConsole Extensions:

Who do I contact about service provider extensions?

For now - extensions@checkpoint.com and once the version gets out there will be pages at community.checkpoint.com and checkpoint.com

Does each user need to enable specific SmartConsole extensions?

Extensions are per admin.

Any license required for SmartConsole Extensions?

There are no license requirements for SmartConsole Extensions. Every R80.20 user can use them.

General questions about R80.20 Gateways:

What cipher suites will be supported? Currently in the SSL-VPN-Portal several TLS 1.2 ciphers are not supported.

Hi, support for more cipher suites is planned for our next releases.

Will VSX support Policy-Based Routing in R80.20?

This is planned for our next releases.

General questions about policy management:

Does this version have a test to identify what rule a traffic will pass?

R80.10 already has that with Packet-Mode Search. See: Packet Mode, a new way of searching through your security policy in R80.10 

Multi-Domain Management:

Will there be any improvement in user management, i.e. allocating groups of users to specific domains?

For R80.10 and R80.20.M1 it is best to use automation to achieve this with API commands such as set-domain and add-administrator.

Identity Awareness:

Can I integrate with Cisco ISE to identify users without an Identity Collector server?

Yes, using RADIUS accounting and the new R80.20.M1 Identity Tags you can use Cisco ISE as Access Role objects in your security policy.

Threat Prevention:

Tomer promised to talk about shared IPS/TP policies in R80.20.

Ah! So sorry I couldn't get to that. I'm going to make a thread for IPS Ease Of Use since this is becoming a trend.

George_Sigalas1
Participant

Hi,
In R77.30 you had the option to migrate a standalone deployment to distributed, but in R80.10 this is not supported.
Could this be possible in R80.20 (GA)?

0 Kudos
PhoneBoy
Admin

You should still be able to do it, but the process is different.

Off the top of my head:

  • Migrate export the existing configuration from the standalone gateway
  • Install new management on a separate appliance/VM and migrate import the configuration

The trick is: what to do about the standalone gateway itself?

I suppose you could reinstall from scratch as a gateway only and push policy to it from the new management.

It's also possible there's a different (currently not documented) process for simply converting it.

0 Kudos
