Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

Check Point R80.20 Production and Public EA

If you can't wait for R80.20 to be released, you can now participate in the Early Availability program.

We offer both Production and Public EA versions.

Production EA

Who Qualifies for the Production EA program?

Public EA

IMPORTANT – Check Point Public EA is only for lab and sandbox deployments

Public EA (as of 23 May 20th 2018) covers Gateway and Management!

To gain access to the public EA:

  • UserCenter:
    • Register to the Public EA release via - usercenter.checkpoint.com -> TRY OUR PRODUCTS -> Early Availability Programs -> CPEA-EVAL-R80.20
  • PartnerMAP:
    • Register to the Public EA release via - usercenter.checkpoint.com -> LEARN -> Early Availability Programs -> CPEA-EVAL-R80.20

What's new in R80.20

Acceleration

  • HTTPS Inspection performance improvements
  • Session rate improvements on high-end appliances (including 2012 appliances and 13000 and above appliances)
  • Acceleration is enabled during policy installation

Threat Prevention

  • Threat Prevention Indicators (IoC) API
    • Management API support for Threat Prevention Indicators (IoC)
    • Add, delete, and view indicators through the management API
  • Threat Prevention Layers
    • Support layer sharing within Threat Prevention policy
    • Support setting different administrator permissions per Threat Prevention layer
  • MTA (Mail Transfer Agent)
    • MTA monitoring:
      • E-mails history views and statistics, current e-mails queue status and actions performed on e-mails in queue
    • MTA configuration enhancements:
      • Setting a next-hop server by domain name
      • Stripping or neutralizing malicious links from e-mails
      • Adding a customized text to a malicious e-mail's body or subject
      • Malicious e-mail tagging using an X-header
      • Sending a copy of the malicious e-mail
  • ICAP
    • ICAP server support on a Security Gateway to consult with Threat Emulation and Anti-Virus Deep Scan whether a file is malicious
    • Threat Emulation
      • SmartConsole support for multiple Threat Emulation Private Cloud Appliances
      • SmartConsole support for Blocking files types in archives

Identity Awareness

  • Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching
  • Identity Collector support for Syslog Messages - ability to extract identities from syslog notifications
  • Identity Collector support for NetIQ eDirectory LDAP Servers
  • Improved Transparent Kerberos SSO Authentication for Identity Agent
  • Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode)
  • New configuration container for Terminal Servers Identity Agents
  • Ability to use an Identity Awareness Security Gateway as a proxy to connect to the Active Directory environment, if SmartConsole has no connectivity to the Active Directory environment and the gateway does
  • Active Directory cross-forest trust support for Identity Agent
  • Identity Agent automatic reconnection to prioritized PDP gateways
  • Additional filter options for identity collector - "Filter perSecurity Gateway" and "Filter by domain"
  • Improvements and stability fixes related to Identity Collector and Web-API

Mirror and Decrypt

  • Decryption and clone of HTTP and HTTPS traffic
  • Forwarding traffic to a designated interface for mirroring purposes

Hardware Security Module (HSM)

  • Enhancement of outbound HTTPS Inspection with a Gemalto SafeNet HSM Appliance
  • SSL keys are stored when using HTTPS Inspection

Clustering

  • Sync redundancy support (over bond interface)
  • Automatic CCP mode (either Unicast, Multicast or Broadcast mode)
  • Unicast CCP mode
  • Enhanced state and failover monitoring capabilities
  • OSPFv3 (IPv6) clustering support
  • New cluster commands in Gaia Clish

Advanced Routing

  • Allow AS-in-count
  • IPv6 MD5 for BGP
  • IPv6 Dynamic Routing in ClusterXL
  • IPv4 and IPv6 OSPF multiple instances
  • Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop

Access Policy

  • New Wildcard Network object supported in Access Control policy
  • Simplified management of Network objects in a security policy
  • HTTPS Inspection now works in conjunction with HTTPS web sites categorization. HTTPS traffic that is bypassed will be categorized.
  • Rule Base performance improvements, for enhanced rule base navigation and scrolling
  • Global VPN Communities. Previously supported in R77.30.

Compliance Blade

  • Add customized best practices for gateways based on your personal scripts
  • Support for 35 regulations including GDPR

Security Management

  • Upgraded Linux kernel (3.10)
  • Additional support for Open Servers hardware
  • New file system (xfs)
    • More than 2TB support per a single storage device
    • Enlarged systems storage (up to 48T tested)
  • I/O related performance improvements
  • Support of new system tools for debugging, monitoring and configuring the system
    • iotop (provides I/O runtime stats
    • lsusb (provides information about all devices connected to USB)
    • lshw (provides detailed information about all HW)
    • lsscsi (provides information about storage)
    • ps (new version, more counters)
    • top (new version, more counters)
    • iostat (new version, more counters)
  • Multiple simultaneous sessions in SmartConsole - One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions.
  • Integration with a Syslog server (previously supported in R77.30) - A Syslog server object can be configured in SmartConsole to send logs to a Syslog server.

SmartProvisioning

  • Integration with SmartProvisioning (previously supported in R77.30)
  • Support for the 1400 series appliances
  • Administrators can now use SmartProvisioning in parallel with SmartConsole

vSEC Controller Enhancements

  • Integration with Google Cloud Platform
  • Integration with Cisco ISE
  • Automatic license management with the vSEC Central Licensing utility
  • Monitoring capabilities integrated into SmartView
  • vSEC Controller support for 41000, 44000, 61000, and 64000 Scalable Platforms

Endpoint Security Server

Managing features that are included in R77.30.03:

  • Management of new blades:
    • SandBlast Agent Anti-Bot
    • SandBlast Agent Threat Emulation and Anti-Exploit
    • SandBlast Agent Forensics and Anti-Ransomware
    • Capsule Docs
  • New features in existing blades:
    • Full Disk Encryption
      • Offline Mode
      • Self Help Portal
      • XTS-AES Encryption
      • New options for the Trusted Platform Module (TPM)
      • New options for managing Pre-Boot Users
    • Media Encryption and Port Protection
      • New options to configure encrypted container
      • Optical Media Scan
    • Anti-Malware
      • Web Protection
      • Advanced Disinfection

Additional Enhancements

  • HTTPS Inspection support for IPv6 traffic
  • Additional cipher suites support for HTTPS inspection
  • Improvements in policy installation performance on R80.10 and higher gateways with IPS
  • Network defined by routes - gateway's topology is automatically configured based on routing
  • IPS Domain Purge on Security Management Server - IPS update packages are saved for 30 days, older packages are purged.
  • SmartConsole Extensions – an open API platform for extending Smart Console with third-party and in-house tools and features.
  • Compressed snapshots - reduced system snapshot size.
26 Replies
RickHoppe
Advisor

Great! I’ve registered for the Public EA.

My blog: https://checkpoint.engineer
Gomboragchaa
Advisor

Thank you https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc

But we still waiting a solution for DPD full support. Check Point proprietary protocol cannot provide multiple link vpn with 3rd party VPN Routers

PhoneBoy
Admin
Admin

For those wondering, we've also added the relevant migration tools to the EA downloads.

This will allow you to take an export from an existing management running R77.x or R80.x and import it to R80.20 EA Management.

PhoneBoy
Admin
Admin

An R80.20EA tip here (thanks Tomer Sole‌ for sharing this one and correcting me):

For those interested in the API documentation in it's EA form, it's available on https://mgmt-ip/api_docs (after you enable the API to IPs other than localhost).

This feature does NOT exist in R80.10 or R80, sadly.

Hope we can keep this feature in the GA release as it is VERY handy to have local documentation.

This also works in R80/R80.10 as well, FYI.

 

0 Kudos
Hugo_vd_Kooij
Advisor

So far it doesn't work for me on R80.10

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin
Admin

I checked it on my R80.10 install and it worked.

For this specific issue, we should discuss on the following thread: Tip of the Day: Local R80.x API Documentation

Evren_Buyer
Contributor

I've just heard and registered straight away. Thanks you guys please keep improving CP...

Aaron_Pritchard
Contributor

Finally, more than 2TB storage supported : )

I'm also curious as to the new Clustering CLISH commands. new functionality or just moving some smartconsole tasks to CLI?

PhoneBoy
Admin
Admin

As the public EA is for management only, I assume the clish commands for clusters aren't relevant yet Smiley Happy

0 Kudos
Matt_Taber
Contributor

Support for < 2TB of storage when I built our new MGMT server bit me.  Had to redo RAID configurations and burn HD space, but got it running eventually.

Nader_Assi__Old
Contributor

Any ETA for the GA?

PhoneBoy
Admin
Admin

The dates depend on results from the EA, particularly Production EA.

Carlo_Taddei
Explorer

Thank you Dameon Welch Abernathy 

At the top of this page you stated: "

Public EA

IMPORTANT – Check Point Public EA is only for lab and sandbox deployments

Also Public EA only covers Management at this time (not gateway) "

So if I understand correctly, under the current Public EA Program is not possible to run / test any type of Security Gateways with the SW Image R80.20 - testing is limited to Security Management Servers only.

When would it be possible to test the new R80.20 Security Gateway features ?

0 Kudos
PhoneBoy
Admin
Admin

That's correct, the current public EA is only for Security Management.

The timeline for Public EA for R80.20 Security Gateway has not been finalized.

Private EAs for R80.20 include Security Gateway, and you should apply if you're interested and meet the criteria.

PhoneBoy
Admin
Admin

Note that we released a new version of the public EA for R80.20 that now includes Security Gateway support.

PhoneBoy
Admin
Admin

Some details on a few of the features here:

  • Auto CCP - The feature aims to automate CCP mode configuration, and make it adaptive to changes in the network, preventing unnecessary failovers and interface state changes due to CCP packet not being received as a result of networking issues.
    • Automatically choose between Unicast/Multicast/Broadcast
    • Default is Unicast CCP
    • Less noise (Multicast CCP – 8116)
  • New CCP Unicast mode - A new Default mode allowing cluster members to send CCP to the unicast address of the peer member.
  • Cluster Clish commands (not only in expert mode anymore)
    • Control (Pnote/ccp/debug…)

    • Monitor(list/interfaces…)

 

 

 

German_Khokhlov
Participant

Nice new features, when we'ill can testy GW R80.20?

0 Kudos
PhoneBoy
Admin
Admin

The new public EA build includes Security Gateway functionality.

You can test immediately Smiley Happy

0 Kudos
German_Khokhlov
Participant

You're right, Thanks!  

0 Kudos
Kurt_Abela
Contributor

Is full database revision restore supported in r80.20? similar to what was possible in r77.30?

0 Kudos
PhoneBoy
Admin
Admin

Not as far as I know.

0 Kudos
Tomer_Sole
Mentor
Mentor

R80.10 1-click policy restore is still the norm for R80.20. We plan to add more capabilities to the Automatic Revisions that compose the Security Management Server in our next releases, not in R80.20. Discussion for this is here: How do you rollback an old policy? 

0 Kudos
Kurt_Abela
Contributor

Hi,

Thanks for this. So basically, policy restore is the same as it was in r80.10, full database restore is still not available?

0 Kudos
PhoneBoy
Admin
Admin

Capabilities should be similar to R80.10 in this regard, yes.

0 Kudos
PhoneBoy
Admin
Admin

The Public EA builds were updated today on User Center.

The Public EA also includes Security Gateway in addition to Security Management.

PhoneBoy
Admin
Admin

Looks like a new public EA was made available 1 August.

Also, we are not currently planning to support the Accelerator Cards with the GA release of R80.20, so I have removed it from the above notes about what features are supported.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events