topic Re: Check Point R80.20 Now GA in General Topics

Check Point R80.20 Now GA

PhoneBoy — Wed, 26 Sep 2018 19:05:46 GMT

R80.20, part of the Check Point Infinity architecture, delivers the most innovative and effective security that keeps our customers protected against large scale, fifth generation cyber threats.

The release contains innovations and significant improvements in:

Gateway performance
Advanced Threat Prevention
Cloud Security
Access policy
Consolidated network and endpoint management capabilities
And much more

This release is initially recommended for customers who are interested in implementing the new features. We will make it the default version (widely recommended) after significant adoption and make it available in the 'Showing Recommended Packages' section in the CPUSE tab in Gaia portal.

Performance Enhancements More

Performance Enhancements
HTTPS Inspection performance improvements
Session rate improvements on high-end appliances (13000, 15000, 21000 & 23000 Security Gateway models).
Acceleration remains active during policy installation, no impact on Security Gateway performance.
VSX Gateways
Significant boost to Virtual Systems performance, utilizing up to 32 CoreXL FW instances for each Virtual System.
Dynamic Dispatcher - Packets are processed by different FW worker (FWK) instances based on the current instance load.
Changes in the number of FW worker instances (FWK) in a VSLS setup do not require downtime.
SecureXL Penalty Box supports the contexts of each Virtual System, see sk74520.

Significant Improvements & New Features More

Advanced Threat Prevention
Enhanced configuration and monitor abilities for Mail Transfer Agent (MTA) in SmartConsole for handling malicious mails.
Configuration of ICAP Server with Threat Emulation and Anti-Virus Deep Scan in SmartConsole.
Automatic download of IPS updates by the Security Gateway.
SmartConsole support for multiple Threat Emulation Private Cloud Appliances.
SmartConsole support for blocking archives containing prohibited file types.
Threat Extraction
Full ClusterXL HA synchronization, access to the original files is available after a failover.
Support for external storage.
Advanced Threat Prevention Indicators (IoC) API
Management API support for Advanced Threat Prevention Indicators (IoC).
Add, delete, and view indicators through the management API.
Advanced Threat Prevention Layers
Support layer sharing within Advanced Threat Prevention policy.
Support setting different administrator permissions per Advanced Threat Prevention layer.
MTA (Mail Transfer Agent)
MTA monitoring, e-mails history views and statistics, current e-mails queue status and actions performed on e-mails in queue.
MTA configuration enhancements
Setting a domain object as next hop.
Ability to create an access rule to allow SMTP traffic to a Security Gateway.
Create a dedicated Advanced Threat Prevention rule for MTA.
MTA enforcement enhancements
Replacing malicious links in an email with a configurable template.
Configurable format for textual attachments replacement.
Ability to add a customized text to malicious e-mails' body or subject.
Tagging malicious-mails using X-header
Sending a copy of the malicious e-mail to a predefined recipients list
Improvements in policy installation performance on R80.10 and above Security Gateways with IPS
Performance impact of "Suspicious Mail Activity" protection in Anti-Bot was changed to "High" and is now off by default
CloudGuard IaaS Enhancements
Automated Security Transit VPC in Amazon Web Services (AWS) - Automatically deploy and maintain secured scalable architecture in Amazon Web Services.
Integration with Google Cloud Platform.
Integration with Cisco ISE.
Integration with Nuage Networks.
Automatic license management with the CloudGuard IaaS Central Licensing utility.
Monitoring capabilities integrated into SmartView.
Data center objects can now be used in access policy rules installed on 41000, 44000, 61000 and 64000 Scalable Platforms.
Access Policy
Updatable Objects – a new type of network objects that represent an external service such as Office 365, Amazon Web Services, Azure GEO locations and more, and can be used in the Source and Destination columns of an Access Control policy. These objects are dynamically updated and kept up-to-date by the Security Gateway without the need to install a policy.
Wildcard network object in Access Control that represents a series of IP addresses that are not sequential.
Only for Multi-Domain Server: Support for scheduled policy installation with cross-Domain installation targets (Security Gateways or Policy Packages).
Rule Base performance improvements, for enhanced Rule Base navigation and scrolling.
Global VPN Communities (previously supported in R77.30).
Support for using NAT64 and NAT46 objects in Access Control policy.
Security Management Server can securely connect to Active Directory through a Security Gateway, if the Security Management Server has no connectivity to the Active Directory environment and the Security Gateway does.
Identity Awareness
Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching.
Improved SSO Transparent Kerberos Authentication for Identity Agent, LDAP groups are extracted from the Kerberos ticket.
Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode).
Identity Collector
Support for Syslog Messages - ability to extract identities from syslog notifications.
Support for NetIQ eDirectory LDAP Servers.
Additional filter options - "Filter per Security Gateway" and "Filter by domain".
Improvements and stability fixes related to Identity Collector and Web API.
New configuration container for Terminal Servers Identity Agents.
Active Directory cross-forest trust support for Terminal Servers Agent.
Identity Agent automatic reconnection to prioritized PDP gateways.
Security Management Server can securely connect to Active Directory via a Security Gateway if the Security Management Server has no connectivity to the Active Directory environment
HTTPS Inspection
Hardware Security Module (HSM) support – outbound HTTPS Inspection stores the SSL keys and certificates on a third party dedicated appliance
Additional ciphers supports for HTTPS Inspection (for more information, see sk104562)
Mirror and Decrypt
Decryption and clone of HTTP and HTTPS traffic
Forwarding traffic to a designated interface for mirroring purposes
Clustering
New CCP Unicast - a new mode in which a cluster member sends the CCP packets to the unicast address of a peer member
New Automatic CCP mode - CCP mode is adaptive to network changes, Unicast, Multicast or Broadcast modes are automatically applied according to network state
Enhanced cluster monitoring capabilities
Enhanced cluster statistics and debugging capabilities
Enhanced Active/Backup Bond
Support for more topologies for Synchronization Network over Bond interfaces
Improved cluster synchronization and policy installation mechanism
New grace mechanism for cluster failover for improved stability
New cluster commands in Gaia Clish
Improved clustering infrastructure for RouteD (Dynamic Routing) communication
Gaia OS
Upgraded Linux kernel (3.10) - applies to Security Management Server only
New file system (xfs)
More than 2TB support per a single storage device
Enlarged systems storage (up to 48TB)
I/O related performance improvements
Support of new system tools for debugging, monitoring and configuring the system
iotop (provides I/O runtime statistics)
lsusb (provides information about all devices connected to USB)
lshw (provides detailed information about all hardware)
lsscsi (provides information about storage)
ps (new version, more counters)
top (new version, more counters)
iostat (new version, more counters)
Advanced Routing:
Allow AS-in-count
IPv6 MD5 for BGP
IPv4 and IPv6 OSPF multiple instances
Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop
OSPFv2 HMAC-SHA authentication (replaces OSPFv2 MD5 authentication)
ICAP Client
Integrated ICAP Client functionality

Security Management Enhancements More

SmartConsole
SmartConsole Accessibility features
Keyboard navigation - ability to use the keyboard alone to navigate between the different SmartConsole fields
Improved experience for the visually impaired, color invert for all SmartConsole windows
Required fields are highlighted
Multiple simultaneous sessions in SmartConsole. One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions.
Logging and Monitoring
Log Exporter - an easy and secure method to export Check Point logs over Syslog to any SIEM vendor using standard protocols and formats
Ability to export logs directly from a Security Gateway (previously supported in R77.30)
Unified logs for Security Gateway, SandBlast Agent and SandBlast Mobile for simplified log investigation
Enhanced SmartView in browser:
Log viewer with log card, column profile and statistics
Export logs with custom or all fields
Automatic-refresh for views
Relative time frame support
Improved log viewer with cards, profiles, statistics and filters
I18N support for 6 languages (English, French, Spanish, Japanese, Chinese, Russian)
Accessibility support - keyboard navigation and high contrast theme
SmartProvisioning
Integration with SmartProvisioning (previously supported in R77.30)
Support for the 1400 series appliances
Administrators can now use SmartProvisioning in parallel with SmartConsole
Mobile Access
Support for reCaptcha, keep abusive automated software activities from interfering with regular portal operations
Support for One Time Password (OTP) without any hardware tokens
Endpoint Security Management Server
Endpoint Security Server is now part of the main train.
Support for SandBlast Agent, Anti-Exploit and Behavioral Guard policies
SandBlast Agent push operation to move/restore files from quarantine
Directory Scanner initial scan and full rescan takes significantly less time
Stability and performance enhancements for Automatic Synchronization (High Availability)
Endpoint Security Management features that are included in R77.30.03:
Management of new Software Blades:
SandBlast Agent Anti-Bot
SandBlast Agent Threat Emulation and Anti-Exploit
SandBlast Agent Forensics and Anti-Ransomware
Capsule Docs
New features in existing Software Blades:
Full Disk Encryption
Offline Mode
Self Help Portal
XTS-AES Encryption
New options for the Trusted Platform Module (TPM)
New options for managing Pre-Boot Users
Media Encryption & Port Protection
New options to configure encrypted container
Optical Media Scan
Anti-Malware:
Web Protection
Advanced Disinfection
Compliance
User can create custom best practices based on scripts
Support for 35 regulations including General Data Protection Regulation (GDPR)

Download and release information here: Check Point R80.20

Re: Check Point R80.20 Now GA

Danny — Thu, 27 Sep 2018 06:40:17 GMT

Impressive feature list.

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 07:58:36 GMT

Just a note, most of the MGMT part was already available with R80.20.M1.

Re: Check Point R80.20 Now GA

JozkoMrkvicka — Thu, 27 Sep 2018 08:31:44 GMT

No plans to create so called "Bug Report Tool" to report all bugs found for R80.x versions ? Or at least thread on CheckMates for this purpose ? IMHO, it will be much more better to have all bugs on one place than report every bug via separate thread, or open TAC case.

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 08:34:59 GMT

No, bugs should be reported to TAC, as they need to be debugged and fixed. Internally Check Point TAC and R&D have "all the bugs in once place", as you say.

This is not the function of the community. However, we will be happy to hear your impression and your thoughts.

Re: Check Point R80.20 Now GA

Martin_Valenta — Thu, 27 Sep 2018 10:15:03 GMT

When R80.20 gateway will have also kernel 3.10? It's stopping from using latest Dell servers r740 for example...

Re: Check Point R80.20 Now GA

Norbert_Bohusch — Thu, 27 Sep 2018 10:36:57 GMT

Btw. regarding R80.20.M1:

In the upgrade map is listed to contact Check Point Support to upgrade from R80.20.M1 to R80.20 GA! Why? I thought it should now be easier to do management upgrades and not have to work with support to get there!

Re: Check Point R80.20 Now GA

Hugo_vd_Kooij — Thu, 27 Sep 2018 10:50:31 GMT

R80.20.M1 was listed as .... challenging while it was released.

However if it requires a procedure like:

- Export

- Clean install

- Import

Then I think that should be listed as the only upgrade methods.

Re: Check Point R80.20 Now GA

Norbert_Bohusch — Thu, 27 Sep 2018 10:58:58 GMT

This procedure I would call "advanced ugprade" as it was always called, not as "Contact Check Point Support"

Re: Check Point R80.20 Now GA

JozkoMrkvicka — Thu, 27 Sep 2018 11:33:59 GMT

Cluster object name still cannot be the same as policy package name (and vice versa). Is there any special reason for that ? Beside that the name will be the same ?

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 12:02:15 GMT

You are correct, the currently available CPUSE packages are not covering R80.20.m1 to R80.20 GA path. It is to come later on.

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 12:03:33 GMT

We are working on that. We want to make sure the new kernel is 100% stable. You can join EA program for it, if it is a pressing matter.

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 12:06:33 GMT

Once more, CPUSE R80.20 GA package does not cover upgrade from R80.20.m1. Hence "Contact support message".

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 12:09:33 GMT

You are free to chose any supported migration path that suits your needs.

However, I believe upgrade in place is the simplest one to go. As for R80.20.m1 to R80.20 GA path, at this point in time it is not covered by CPUSE packages available. It is in the works and will be available later on.

If you need to move now, please contact support.

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 12:10:38 GMT

Let me guess, you are trying to upgrade from R77.30, right?

Re: Check Point R80.20 Now GA

JozkoMrkvicka — Thu, 27 Sep 2018 12:22:10 GMT

Management API Version 1.3 released

Check Point - Management API reference

What's New in v1.3

This release, API version 1.3, introduces several new features and several changes.

New features:

Updatable Object.
Show objects as ranges:
- Show rules as ranges of IP addresses and ports instead of Check Point Objects.
- Show a nested group, group-with-exclusion or service-group as the accumulative ranges of IP addresses and ports.

Show objects as ranges enables you to:
- Describe policies in a non-Check Point-language.
- Run custom validations easily.
- Find rules that are similar to your new rule request.

Changes with the potential to break existing scripts:

Changes to the overrides parameter in the set threat protection:
- The option to add override (overrides > add) is no longer supported. Instead perform a set operation on the protection's override.
- The option to set override (overrides > set) for specific profile will change the override for this profile only, other profiles will not be changed.

Re: Check Point R80.20 Now GA

Norbert_Bohusch — Thu, 27 Sep 2018 12:23:07 GMT

I understand it is not covered by CPUSE. That was not my point. I would like to know if advanced upgrade is supportet or not! From current upgrade map with "contact support" I would assume that even advanced upgrade is not supportet!

Re: Check Point R80.20 Now GA

JozkoMrkvicka — Thu, 27 Sep 2018 12:26:11 GMT

No, fresh installation of R80.20 MDS and playing with it around 10 minutes.

Re: Check Point R80.20 Now GA

_Val_ — Thu, 27 Sep 2018 12:29:30 GMT

Okay. One of the limitations with R80.10 and up: unique names for everything. Name your policy package as FIREWALL_TEST_POLICY, that would do

Re: Check Point R80.20 Now GA

JozkoMrkvicka — Thu, 27 Sep 2018 12:44:58 GMT

yep, this also happens in case you are going to create for example new Network Group with the name exactly the same as something else ...