Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

Check Point R80.20 Now GA

R80.20, part of the Check Point Infinity architecture, delivers the most innovative and effective security that keeps our customers protected against large scale, fifth generation cyber threats.

The release contains innovations and significant improvements in:

  • Gateway performance
  • Advanced Threat Prevention
  • Cloud Security 
  • Access policy 
  • Consolidated network and endpoint management capabilities
  • And much more 

This release is initially recommended for customers who are interested in implementing the new features. We will make it the default version (widely recommended) after significant adoption and make it available in the 'Showing Recommended Packages' section in the CPUSE tab in Gaia portal. 

  Performance Enhancements   More

Performance Enhancements

  • HTTPS Inspection performance improvements
  • Session rate improvements on high-end appliances (13000, 15000, 21000 & 23000 Security Gateway models).
  • Acceleration remains active during policy installation, no impact on Security Gateway performance.

VSX Gateways

  • Significant boost to Virtual Systems performance, utilizing up to 32 CoreXL FW instances for each Virtual System.
  • Dynamic Dispatcher - Packets are processed by different FW worker (FWK) instances based on the current instance load.
  • Changes in the number of FW worker instances (FWK) in a VSLS setup do not require downtime.
  • SecureXL Penalty Box supports the contexts of each Virtual System, see sk74520.

  Significant Improvements & New Features     More

Advanced Threat Prevention

  • Enhanced configuration and monitor abilities for Mail Transfer Agent (MTA) in SmartConsole for handling malicious mails.
  • Configuration of ICAP Server with Threat Emulation and Anti-Virus Deep Scan in SmartConsole.
  • Automatic download of IPS updates by the Security Gateway.
  • SmartConsole support for multiple Threat Emulation Private Cloud Appliances.
  • SmartConsole support for blocking archives containing prohibited file types.
  • Threat Extraction
    • Full ClusterXL HA synchronization, access to the original files is available after a failover.
    • Support for external storage.
  • Advanced Threat Prevention Indicators (IoC) API
    • Management API support for Advanced Threat Prevention Indicators (IoC).
    • Add, delete, and view indicators through the management API.
  • Advanced Threat Prevention Layers
    • Support layer sharing within Advanced Threat Prevention policy.
    • Support setting different administrator permissions per Advanced Threat Prevention layer.
  • MTA (Mail Transfer Agent)
    • MTA monitoring, e-mails history views and statistics, current e-mails queue status and actions performed on e-mails in queue.
  • MTA configuration enhancements
    • Setting a domain object as next hop.
    • Ability to create an access rule to allow SMTP traffic to a Security Gateway.
    • Create a dedicated Advanced Threat Prevention rule for MTA.
  • MTA enforcement enhancements
    • Replacing malicious links in an email with a configurable template.
    • Configurable format for textual attachments replacement.
    • Ability to add a customized text to malicious e-mails' body or subject.
    • Tagging malicious-mails using X-header
    • Sending a copy of the malicious e-mail to a predefined recipients list
  • Improvements in policy installation performance on R80.10 and above Security Gateways with IPS
  • Performance impact of "Suspicious Mail Activity" protection in Anti-Bot was changed to "High" and is now off by default

CloudGuard IaaS Enhancements

  • Automated Security Transit VPC in Amazon Web Services (AWS) - Automatically deploy and maintain secured scalable architecture in Amazon Web Services.
  • Integration with Google Cloud Platform.
  • Integration with Cisco ISE.
  • Integration with Nuage Networks.
  • Automatic license management with the CloudGuard IaaS Central Licensing utility.
  • Monitoring capabilities integrated into SmartView.
  • Data center objects can now be used in access policy rules installed on 41000, 44000, 61000 and 64000 Scalable Platforms.

Access Policy

  • Updatable Objects – a new type of network objects that represent an external service such as Office 365, Amazon Web Services, Azure GEO locations and more, and can be used in the Source and Destination columns of an Access Control policy. These objects are dynamically updated and kept up-to-date by the Security Gateway without the need to install a policy.
  • Wildcard network object in Access Control that represents a series of IP addresses that are not sequential.
  • Only for Multi-Domain Server: Support for scheduled policy installation with cross-Domain installation targets (Security Gateways or Policy Packages).
  • Rule Base performance improvements, for enhanced Rule Base navigation and scrolling.
  • Global VPN Communities (previously supported in R77.30).
  • Support for using NAT64 and NAT46 objects in Access Control policy.
  • Security Management Server can securely connect to Active Directory through a Security Gateway, if the Security Management Server has no connectivity to the Active Directory environment and the Security Gateway does.

Identity Awareness

  • Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching.
  • Improved SSO Transparent Kerberos Authentication for Identity Agent, LDAP groups are extracted from the Kerberos ticket.
  • Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode).
  • Identity Collector
    • Support for Syslog Messages - ability to extract identities from syslog notifications.
    • Support for NetIQ eDirectory LDAP Servers.
    • Additional filter options - "Filter per Security Gateway" and "Filter by domain".
    • Improvements and stability fixes related to Identity Collector and Web API.
  • New configuration container for Terminal Servers Identity Agents.
  • Active Directory cross-forest trust support for Terminal Servers Agent.
  • Identity Agent automatic reconnection to prioritized PDP gateways.
  • Security Management Server can securely connect to Active Directory via a Security Gateway if the Security Management Server has no connectivity to the Active Directory environment

HTTPS Inspection

  • Hardware Security Module (HSM) support – outbound HTTPS Inspection stores the SSL keys and certificates on a third party dedicated appliance
  • Additional ciphers supports for HTTPS Inspection (for more information, see sk104562)

Mirror and Decrypt

  • Decryption and clone of HTTP and HTTPS traffic
  • Forwarding traffic to a designated interface for mirroring purposes

Clustering

  • New CCP Unicast - a new mode in which a cluster member sends the CCP packets to the unicast address of a peer member
  • New Automatic CCP mode - CCP mode is adaptive to network changes, Unicast, Multicast or Broadcast modes are automatically applied according to network state
  • Enhanced cluster monitoring capabilities
  • Enhanced cluster statistics and debugging capabilities
  • Enhanced Active/Backup Bond
  • Support for more topologies for Synchronization Network over Bond interfaces
  • Improved cluster synchronization and policy installation mechanism
  • New grace mechanism for cluster failover for improved stability
  • New cluster commands in Gaia Clish
  • Improved clustering infrastructure for RouteD (Dynamic Routing) communication

Gaia OS

Upgraded Linux kernel (3.10) - applies to Security Management Server only
  • New file system (xfs)
    • More than 2TB support per a single storage device
    • Enlarged systems storage (up to 48TB)
  • I/O related performance improvements
  • Support of new system tools for debugging, monitoring and configuring the system
    • iotop (provides I/O runtime statistics)
    • lsusb (provides information about all devices connected to USB)
    • lshw (provides detailed information about all hardware)
    • lsscsi (provides information about storage)
    • ps (new version, more counters)
    • top (new version, more counters)
    • iostat (new version, more counters)

Advanced Routing:

  • Allow AS-in-count
  • IPv6 MD5 for BGP
  • IPv4 and IPv6 OSPF multiple instances
  • Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop
  • OSPFv2 HMAC-SHA authentication (replaces OSPFv2 MD5 authentication)

ICAP Client

  • Integrated ICAP Client functionality

  Security Management Enhancements    More

SmartConsole

  • SmartConsole Accessibility features
    • Keyboard navigation - ability to use the keyboard alone to navigate between the different SmartConsole fields
    • Improved experience for the visually impaired, color invert for all SmartConsole windows
    • Required fields are highlighted
  • Multiple simultaneous sessions in SmartConsole. One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions.

Logging and Monitoring

  • Log Exporter - an easy and secure method to export Check Point logs over Syslog to any SIEM vendor using standard protocols and formats
  • Ability to export logs directly from a Security Gateway (previously supported in R77.30)
  • Unified logs for Security Gateway, SandBlast Agent and SandBlast Mobile for simplified log investigation
  • Enhanced SmartView in browser:
    • Log viewer with log card, column profile and statistics
    • Export logs with custom or all fields
    • Automatic-refresh for views
    • Relative time frame support
    • Improved log viewer with cards, profiles, statistics and filters
    • I18N support for 6 languages (English, French, Spanish, Japanese, Chinese, Russian)
  • Accessibility support - keyboard navigation and high contrast theme

SmartProvisioning

  • Integration with SmartProvisioning (previously supported in R77.30)
  • Support for the 1400 series appliances
  • Administrators can now use SmartProvisioning in parallel with SmartConsole

Mobile Access

  • Support for reCaptcha, keep abusive automated software activities from interfering with regular portal operations
  • Support for One Time Password (OTP) without any hardware tokens

Endpoint Security Management Server

Endpoint Security Server is now part of the main train.
  • Support for SandBlast Agent, Anti-Exploit and Behavioral Guard policies
  • SandBlast Agent push operation to move/restore files from quarantine
  • Directory Scanner initial scan and full rescan takes significantly less time
  • Stability and performance enhancements for  Automatic Synchronization (High Availability)

Endpoint Security Management features that are included in R77.30.03:

  • Management of new Software Blades:
    • SandBlast Agent Anti-Bot
    • SandBlast Agent Threat Emulation and Anti-Exploit
    • SandBlast Agent Forensics and Anti-Ransomware
    • Capsule Docs
  • New features in existing Software Blades:
    • Full Disk Encryption
      • Offline Mode
      • Self Help Portal
      • XTS-AES Encryption
      • New options for the Trusted Platform Module (TPM)
      • New options for managing Pre-Boot Users
    • Media Encryption & Port Protection
      • New options to configure encrypted container
      • Optical Media Scan
    • Anti-Malware:
      • Web Protection
      • Advanced Disinfection

Compliance

  • User can create custom best practices based on scripts
  • Support for 35 regulations including General Data Protection Regulation (GDPR)

Download and release information here: Check Point R80.20 

131 Replies
_Val_
Admin
Admin

Open a support case for this, TAC will provide you with a solution, thanks

0 Kudos
Ilya_Yusupov
Employee
Employee

Hi,

can you please share more info of which problems you had with SXL so we will be able to assist?

0 Kudos
bcibnkcpfw
Participant

I have rollback to R80.10 and the problem disappear completely (unfortunately I couldn't wait for TAC cause it was prod sys). But let me resume the problem:

After upgrade to R80.20 Connection problems started with more focus on UDP (many DNS problems), from the the DNS servers I started to see many UDP bad traffic, like:

[bad udp cksum 0x6cda -> 0xf65b!] 36502*

Even some TCP connection started to have some problems, but TCP wasn't big problem cause the re-transmission worked most of the time, but not on UDP. After disable SecureXL (fwaccel off -a) all started working as normal, no issues.

I don't have output's to provide (show...), the time was running against to me Smiley Sad

0 Kudos
_Val_
Admin
Admin

Did you have SXL disabled on R80.10?

0 Kudos
bcibnkcpfw
Participant

SecureXL on R80.10 is active.

0 Kudos
Ilya_Yusupov
Employee
Employee

can you share more about GW configuration? 

do you have NAT enabled on those connections?

is the GW configured as Proxy?

which blades are enabled?

0 Kudos
bcibnkcpfw
Participant

Hope this can still help:

With R80.10:

Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled
NAT Templates      : disabled by user
NMR Templates      : enabled
NMT Templates      : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, Nac,
                       ViolationStats, AsychronicNotif, ERDOS,
                       McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
                       SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256

With R80.20:

+-----------------------------------------------------------------------------+
|Id|Name |Status     |Interfaces               |Features                      |
+-----------------------------------------------------------------------------+
|0 |SND  |enabled    |xxxxxxxxx      |Acceleration,Cryptography     |
|  |     |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |     |           |                         |SHA1,NULL,3DES,DES,CAST,      |
|  |     |           |                         |CAST-40,AES-128,AES-256,ESP,  |
|  |     |           |                         |LinkSelection,DynamicVPN,     |
|  |     |           |                         |NatTraversal,AES-XCBC,SHA256  |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : disabled
NAT Templates    : enabled

The only difference I see is NAT templates (on R80.10 is disabled and on R80.20 Enabled).

0 Kudos
Ilya_Yusupov
Employee
Employee

can you share output of enabled_blades from R80.10?

0 Kudos
Daniel_Collins
Collaborator

Just want to throw out there that I've worked around my limitations of PPPoE devices and now on standard ethernet. I think I've narrowed down my issues to IPv6 SXL - the 6in4 tunnel interface isn't showing in SXL, so I believe it's not being accelerated. Assuming this is still a limitation, traffic between accelerated and non-accelerated interfaces?

Clearly still having issues with SXL, although I have a workaround (thanks Valeri) frustrating there's no way out of the box of disabling it.

0 Kudos
_Val_
Admin
Admin

Hi, the following command options are still listed for cp_conf sxl - disable / enable

Command Line Interface R80.20 Reference Guide 

Are you sure it does not work in your case?

0 Kudos
Daniel_Collins
Collaborator

Certain. It spat back out the list of available commands and ignored my input.

0 Kudos
_Val_
Admin
Admin

Understood, thanks. We need to fix the documentation ASAP

Ilya_Yusupov
Employee
Employee

Hi Daniel,

 In R80.20 due to new Architecture of SXL there is no option to disable SXL permanently but from our lab testing we can say that PPPoE working as expected in R80.20 meaning that all traffic passing through such interface will be F2F, .

0 Kudos
Dorit_Dor
Employee
Employee

Just like R80x main change was mgmt archtecture, the big architectural change in R80.20 is in the XL ellemented:


- SXL limitations removed 

- high end code integrated to main train - clustering code unified, scalable ppk integrated, etc 

- Revised slow path and medium/fast path so that accelerator software code and the code running on hardware acceleration card, is the same code 

This is why you can do actions like monitoring accelerated packets and no sxl disable during  install policy. 

The flip side is that sxl is “built in” and no longer “optional” (finally :-), if i may add). 


Daniel_Collins
Collaborator

Understood - as long as the documentation is updated to reflect that then great Smiley Happy

Little frustrating the gateway guide suggests that it can be disabled though, unless that's referring to the EA version of R80.20 gateway.

Or is that something likely to come back with the upgraded kernel? Sounds like it's been integrated into the kernel at a lower level.

0 Kudos
Uri_Lewitus
Employee
Employee

Daniel, can you please share the guide you saw that indicated this is supported -  i would like to take a look at it and fix if necessary

Thanks

Uri

0 Kudos
Daniel_Collins
Collaborator

Apologies, I've only just seen this - can't find it now, so must be a good sign!

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus

It does not exist from cpconfig or cp_conf .

I'm using R80.20 SA on my VM

0 Kudos
Uri_Lewitus
Employee
Employee

Hi Danile

With R80.20 SXL is always on, as stated in the SecureXL chapter in the admin guide.

0 Kudos
JozkoMrkvicka
Authority
Authority

Why there is no option to stop/start specific CMA from R80.20 SmartConsole MDS level like it was possible on R77.30 ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Dorit_Dor
Employee
Employee

R80 architecture is more efficient resource wise so fully stopping one cma without stopping the mds is not possible (for example they share database components). 


0 Kudos
Tomer_Sole
Mentor
Mentor

To add to Dorit's comment - we are familiar with cases in which in R80.10 some specific domains are unresponsive. These cases exist because we still have individual FWM processes per domain for few operations, and problems happened due to those individual processes. We are considering to add the option to reset these processes from the GUI to our next releases.

Those were very specific cases though - if it happened to you as well (in R80.10, not R7x), please open support tickets so that we can have it documented.

0 Kudos
JozkoMrkvicka
Authority
Authority

Yes, I faced the situation that I was not able to log into specific CMA from R80.20 MDS.

Solved by "mdsstop/start_customer" command from CLI. Unfortunately, I didnt gather more info about the error Smiley Sad I will revert back once happened again.

Kind regards,
Jozko Mrkvicka
0 Kudos
phlrnnr
Advisor

What are the main reasons for implementing ccp unicast mode?  Are these the first steps towards being able to have a cluster spread across several datacenters without the need for layer 2 connectivity? 

0 Kudos
JozkoMrkvicka
Authority
Authority

Multicast mode was in R77 as default CCP mode. You was supposed to change it to broadcast using Expert command. In R80.20 you can do it using clish.

Unicast is the new CCP mode introduced in R80.20.

The new is also automatic selection of CCP mode (automatic). Maybe some logic behind this would be great Smiley Happy

Selecting the CCP Transport Mode on the Cluster Members 

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin

None of the public cloud providers support Multicast or Broadcast, thus a different mode was needed.

We've actually supported CCP Unicast for a while now with CloudGuard, which is the primary use case.

You still need to have some Layer 2 connectivity since the packets are sent to a MAC address.

You're also limited to 2-node clusters in this mode.

Andreas_Mang
Contributor

did R80.20 just get pulled from CPUSE? 

one minute these were available 

11  R80.20 Fresh Install and Upgrade for Security

        Gateway and Stand Alone                       Available for Download

12  R80.20 Fresh Install and Upgrade for Security

        Management                                    Available for Download

the next moment they are gone ?

:0> installer download 11

Info: Initiating download of Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz...

Interactive mode is enabled. Press CTRL + C to exit (this will not stop the operation)

Result: File not found on Check Point Cloud. Refresh the CPUSE page and try again.

0 Kudos
PhoneBoy
Admin
Admin

To the best of my knowledge, we are not offering R80.20 via CPUSE at the moment.

More specifically, it shouldn't show up by default unless you've added the identifier manually

0 Kudos
Dorit_Dor
Employee
Employee

Indeed, we recommend R80.20 to everyone that is looking for new functionality but if you are on R77x and dont look for the latest, R80.10 is. the default and the “safe” selection with very high usage. 

We already got 1000 and more customers that started to use R80.20 because they liked the new functionality and the initial feedback from those  that elected to use it, is very good. Feel free to continue and give more feedbacks on checkmates. 

We continue to watch the telemetry and look for large and deep variance of usage. When we will see enough complex elective usage, we will advise that everyone should consider upgrade and make it visible in cpuse. 

Until that point, those that do elect to use it, can easily proactively add it and use it, and many of you did and doing - thank you!

This way, we dont “bother” customers with releases and when they “see” it, we already advise them for action. Hopefully, our proactiveness, lets you focus the operational energy and helps you manage your tradeoffs.  


Gislaine_Campos
Participant

Please, can you help me? On the link

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installation_and_Upgrade_...

in the Important session - Before you upgrade to Security Gateway: step 5 - Schedule a full maintenance window to make sure you can make all desired custom configurations again after the upgrade. The upgrade process replaces all existing files with default files. If you have custom configurations on the Security Gateway, they are lost during the upgrade. As a result, different issues can occur in the upgraded Security Gateway. In the upgrade via CPUSE are the gateway settings (interfaces, routes, policies, passwords ...) lost? Which steps to perform in more detail?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events