Create a Post
Showing results for 
Search instead for 
Did you mean: 

Check Point R80.20 Now GA

R80.20, part of the Check Point Infinity architecture, delivers the most innovative and effective security that keeps our customers protected against large scale, fifth generation cyber threats.

The release contains innovations and significant improvements in:

  • Gateway performance
  • Advanced Threat Prevention
  • Cloud Security 
  • Access policy 
  • Consolidated network and endpoint management capabilities
  • And much more 

This release is initially recommended for customers who are interested in implementing the new features. We will make it the default version (widely recommended) after significant adoption and make it available in the 'Showing Recommended Packages' section in the CPUSE tab in Gaia portal. 

  Performance Enhancements   More

Performance Enhancements

  • HTTPS Inspection performance improvements
  • Session rate improvements on high-end appliances (13000, 15000, 21000 & 23000 Security Gateway models).
  • Acceleration remains active during policy installation, no impact on Security Gateway performance.

VSX Gateways

  • Significant boost to Virtual Systems performance, utilizing up to 32 CoreXL FW instances for each Virtual System.
  • Dynamic Dispatcher - Packets are processed by different FW worker (FWK) instances based on the current instance load.
  • Changes in the number of FW worker instances (FWK) in a VSLS setup do not require downtime.
  • SecureXL Penalty Box supports the contexts of each Virtual System, see sk74520.

  Significant Improvements & New Features     More

Advanced Threat Prevention

  • Enhanced configuration and monitor abilities for Mail Transfer Agent (MTA) in SmartConsole for handling malicious mails.
  • Configuration of ICAP Server with Threat Emulation and Anti-Virus Deep Scan in SmartConsole.
  • Automatic download of IPS updates by the Security Gateway.
  • SmartConsole support for multiple Threat Emulation Private Cloud Appliances.
  • SmartConsole support for blocking archives containing prohibited file types.
  • Threat Extraction
    • Full ClusterXL HA synchronization, access to the original files is available after a failover.
    • Support for external storage.
  • Advanced Threat Prevention Indicators (IoC) API
    • Management API support for Advanced Threat Prevention Indicators (IoC).
    • Add, delete, and view indicators through the management API.
  • Advanced Threat Prevention Layers
    • Support layer sharing within Advanced Threat Prevention policy.
    • Support setting different administrator permissions per Advanced Threat Prevention layer.
  • MTA (Mail Transfer Agent)
    • MTA monitoring, e-mails history views and statistics, current e-mails queue status and actions performed on e-mails in queue.
  • MTA configuration enhancements
    • Setting a domain object as next hop.
    • Ability to create an access rule to allow SMTP traffic to a Security Gateway.
    • Create a dedicated Advanced Threat Prevention rule for MTA.
  • MTA enforcement enhancements
    • Replacing malicious links in an email with a configurable template.
    • Configurable format for textual attachments replacement.
    • Ability to add a customized text to malicious e-mails' body or subject.
    • Tagging malicious-mails using X-header
    • Sending a copy of the malicious e-mail to a predefined recipients list
  • Improvements in policy installation performance on R80.10 and above Security Gateways with IPS
  • Performance impact of "Suspicious Mail Activity" protection in Anti-Bot was changed to "High" and is now off by default

CloudGuard IaaS Enhancements

  • Automated Security Transit VPC in Amazon Web Services (AWS) - Automatically deploy and maintain secured scalable architecture in Amazon Web Services.
  • Integration with Google Cloud Platform.
  • Integration with Cisco ISE.
  • Integration with Nuage Networks.
  • Automatic license management with the CloudGuard IaaS Central Licensing utility.
  • Monitoring capabilities integrated into SmartView.
  • Data center objects can now be used in access policy rules installed on 41000, 44000, 61000 and 64000 Scalable Platforms.

Access Policy

  • Updatable Objects – a new type of network objects that represent an external service such as Office 365, Amazon Web Services, Azure GEO locations and more, and can be used in the Source and Destination columns of an Access Control policy. These objects are dynamically updated and kept up-to-date by the Security Gateway without the need to install a policy.
  • Wildcard network object in Access Control that represents a series of IP addresses that are not sequential.
  • Only for Multi-Domain Server: Support for scheduled policy installation with cross-Domain installation targets (Security Gateways or Policy Packages).
  • Rule Base performance improvements, for enhanced Rule Base navigation and scrolling.
  • Global VPN Communities (previously supported in R77.30).
  • Support for using NAT64 and NAT46 objects in Access Control policy.
  • Security Management Server can securely connect to Active Directory through a Security Gateway, if the Security Management Server has no connectivity to the Active Directory environment and the Security Gateway does.

Identity Awareness

  • Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching.
  • Improved SSO Transparent Kerberos Authentication for Identity Agent, LDAP groups are extracted from the Kerberos ticket.
  • Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode).
  • Identity Collector
    • Support for Syslog Messages - ability to extract identities from syslog notifications.
    • Support for NetIQ eDirectory LDAP Servers.
    • Additional filter options - "Filter per Security Gateway" and "Filter by domain".
    • Improvements and stability fixes related to Identity Collector and Web API.
  • New configuration container for Terminal Servers Identity Agents.
  • Active Directory cross-forest trust support for Terminal Servers Agent.
  • Identity Agent automatic reconnection to prioritized PDP gateways.
  • Security Management Server can securely connect to Active Directory via a Security Gateway if the Security Management Server has no connectivity to the Active Directory environment

HTTPS Inspection

  • Hardware Security Module (HSM) support – outbound HTTPS Inspection stores the SSL keys and certificates on a third party dedicated appliance
  • Additional ciphers supports for HTTPS Inspection (for more information, see sk104562)

Mirror and Decrypt

  • Decryption and clone of HTTP and HTTPS traffic
  • Forwarding traffic to a designated interface for mirroring purposes


  • New CCP Unicast - a new mode in which a cluster member sends the CCP packets to the unicast address of a peer member
  • New Automatic CCP mode - CCP mode is adaptive to network changes, Unicast, Multicast or Broadcast modes are automatically applied according to network state
  • Enhanced cluster monitoring capabilities
  • Enhanced cluster statistics and debugging capabilities
  • Enhanced Active/Backup Bond
  • Support for more topologies for Synchronization Network over Bond interfaces
  • Improved cluster synchronization and policy installation mechanism
  • New grace mechanism for cluster failover for improved stability
  • New cluster commands in Gaia Clish
  • Improved clustering infrastructure for RouteD (Dynamic Routing) communication

Gaia OS

Upgraded Linux kernel (3.10) - applies to Security Management Server only
  • New file system (xfs)
    • More than 2TB support per a single storage device
    • Enlarged systems storage (up to 48TB)
  • I/O related performance improvements
  • Support of new system tools for debugging, monitoring and configuring the system
    • iotop (provides I/O runtime statistics)
    • lsusb (provides information about all devices connected to USB)
    • lshw (provides detailed information about all hardware)
    • lsscsi (provides information about storage)
    • ps (new version, more counters)
    • top (new version, more counters)
    • iostat (new version, more counters)

Advanced Routing:

  • Allow AS-in-count
  • IPv6 MD5 for BGP
  • IPv4 and IPv6 OSPF multiple instances
  • Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop
  • OSPFv2 HMAC-SHA authentication (replaces OSPFv2 MD5 authentication)

ICAP Client

  • Integrated ICAP Client functionality

  Security Management Enhancements    More


  • SmartConsole Accessibility features
    • Keyboard navigation - ability to use the keyboard alone to navigate between the different SmartConsole fields
    • Improved experience for the visually impaired, color invert for all SmartConsole windows
    • Required fields are highlighted
  • Multiple simultaneous sessions in SmartConsole. One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions.

Logging and Monitoring

  • Log Exporter - an easy and secure method to export Check Point logs over Syslog to any SIEM vendor using standard protocols and formats
  • Ability to export logs directly from a Security Gateway (previously supported in R77.30)
  • Unified logs for Security Gateway, SandBlast Agent and SandBlast Mobile for simplified log investigation
  • Enhanced SmartView in browser:
    • Log viewer with log card, column profile and statistics
    • Export logs with custom or all fields
    • Automatic-refresh for views
    • Relative time frame support
    • Improved log viewer with cards, profiles, statistics and filters
    • I18N support for 6 languages (English, French, Spanish, Japanese, Chinese, Russian)
  • Accessibility support - keyboard navigation and high contrast theme


  • Integration with SmartProvisioning (previously supported in R77.30)
  • Support for the 1400 series appliances
  • Administrators can now use SmartProvisioning in parallel with SmartConsole

Mobile Access

  • Support for reCaptcha, keep abusive automated software activities from interfering with regular portal operations
  • Support for One Time Password (OTP) without any hardware tokens

Endpoint Security Management Server

Endpoint Security Server is now part of the main train.
  • Support for SandBlast Agent, Anti-Exploit and Behavioral Guard policies
  • SandBlast Agent push operation to move/restore files from quarantine
  • Directory Scanner initial scan and full rescan takes significantly less time
  • Stability and performance enhancements for  Automatic Synchronization (High Availability)

Endpoint Security Management features that are included in R77.30.03:

  • Management of new Software Blades:
    • SandBlast Agent Anti-Bot
    • SandBlast Agent Threat Emulation and Anti-Exploit
    • SandBlast Agent Forensics and Anti-Ransomware
    • Capsule Docs
  • New features in existing Software Blades:
    • Full Disk Encryption
      • Offline Mode
      • Self Help Portal
      • XTS-AES Encryption
      • New options for the Trusted Platform Module (TPM)
      • New options for managing Pre-Boot Users
    • Media Encryption & Port Protection
      • New options to configure encrypted container
      • Optical Media Scan
    • Anti-Malware:
      • Web Protection
      • Advanced Disinfection


  • User can create custom best practices based on scripts
  • Support for 35 regulations including General Data Protection Regulation (GDPR)

Download and release information here: Check Point R80.20 

131 Replies
Champion Champion

Impressive feature list.


Just a note, most of the MGMT part was already available with R80.20.M1. 

0 Kudos

Btw. regarding R80.20.M1:

In the upgrade map is listed to contact Check Point Support to upgrade from R80.20.M1 to R80.20 GA! Why? I thought it should now be easier to do management upgrades and not have to work with support to get there!


R80.20.M1 was listed as .... challenging while it was released.

However if it requires a procedure like:

 - Export

 - Clean install

 - Import

Then I think that should be listed as the only upgrade methods.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

This procedure I would call "advanced ugprade" as it was always called, not as "Contact Check Point Support"

0 Kudos

Once more, CPUSE R80.20 GA package does not cover upgrade from R80.20.m1. Hence "Contact support message". 

0 Kudos

I understand it is not covered by CPUSE. That was not my point. I would like to know if advanced upgrade is supportet or not! From current upgrade map with "contact support" I would assume that even advanced upgrade is not supportet!

0 Kudos

You probably misunderstand what "Contact support" means. It means R&D will provide you special tools to migrate. They want to test the migration / upgrade with your MGMT DB.

Concerning the advanced upgrade, yes, it is supported. 


Hi Valeri, I'm on to support now for the upgrade and they said they think the Gateway R80.10 upgrade also need to be manually done by Check Point R&D staff.

Should we hold off on this upgrade until a fully supported CPUSE Upgrade path is released? (Do you know is it due tomorrow or in several weeks?)

We urgently need 80.20 for the excellent new Office365 support and cannot wait.

0 Kudos

The mentioned support path was for management R80.20M1 to R80.20. I am not aware of any limitation for GW upgrade from R80.10.

Office365 object support is management only feature, as far as I know. Perosnally, if support suggests R&D to be involved, go for it, there is no harm in that


Office 365 objects requires R80.20 Gateway support

0 Kudos

Pretty sure it's only the R80.20.M1 to R80.20 GA path that requires support help.

Upgrading from R80.10 (gateway or management) should be fine.


You are free to chose any supported migration path that suits your needs. 

However, I believe upgrade in place is the simplest one to go. As for R80.20.m1 to R80.20 GA path, at this point in time it is not covered by CPUSE packages available. It is in the works and will be available later on.

If you need to move now, please contact support.

0 Kudos

You are correct, the currently available CPUSE packages are not covering R80.20.m1 to R80.20 GA path. It is to come later on. 

0 Kudos

I've chatted with TAC. They said if you want to perform the upgrade from .M1 to GA now you need to get R&D involved:

1) Create a Service Request

2) Upload cpinfo

3) Upload Cpm doctor

4) Upload DB

So how about .M2? First answer was that there will be no .M2 any longer. I was quite surprised. But apparently this was mistaken.

Possibly the upgrade to .M2 will be easier when it comes out. If there's no need to upgrade immediatly you just have to wait (for better news to come).

If this is the way how the new release train (Management Feature release) works then I will skip this train and just wait for the slower(?) GA train.

My blog:

Uh, there will be m2 which will be an improvement from R80.20 GA, no worries about that. It is already in the pipe. GA MGMT is the part of M train

0 Kudos

Hi Valeri,

Do you know if the R80.20.M1 to R80.20.GA upgrade through the CPUSE method will be released soon?

Thank you

0 Kudos

The plan is to do so, yes.


Hi Dameon,

By any chance do you know roughly when this is due? We have an urgent need for Office365 access and since wildcard FQDN rules do not work, the new 80.20.GA feature for Office 365 access would really help us avoid entering hundreds of IP ranges. The management server is on 80.20.M1 so cannot be upgraded with CPUSE at the moment.

Thank you

0 Kudos

Hi Bob, did you open a support ticket for your upgrade? Can you message me the support ticket ID?


R&D has reached out directly to assist.


Yes support helped with the upgrade of our Management server from 80.20.M1 to GA. It was all automated (support provided a script that enables CPUSE upgrade ) with no need to send over the database etc. The CPUSE upgrade was completed and went very smooth.

Thank you to the R&D team!


I like the function ”Updatable Object”  for O365

Can we have a similar object for TOR-networks It would be great.

0 Kudos

No plans to create so called "Bug Report Tool" to report all bugs found for R80.x versions ? Or at least thread on CheckMates for this purpose ? IMHO, it will be much more better to have all bugs on one place than report every bug via separate thread, or open TAC case.

Kind regards,
Jozko Mrkvicka
0 Kudos

No, bugs should be reported to TAC, as they need to be debugged and fixed. Internally Check Point TAC and R&D have "all the bugs in once place", as you say.

This is not the function of the community. However, we will be happy to hear your impression and your thoughts.


we actually have right-click create support ticket from SmartConsole at Gateways & Servers view Smiley Happy


When R80.20 gateway will have also kernel 3.10? It's stopping from using latest Dell servers r740 for example...


We are working on that. We want to make sure the new kernel is 100% stable. You can join EA program for it, if it is a pressing matter.

0 Kudos

So based on R80.20 Management release using a different Linux kernel than R80.20 Gateway, is there currently a way to upgrade a R80.10 System that has both Managment and Gateway installed? I assume not until R80.20 Gateway uses that kernel too?

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events