Video and slides are below.
What version is stable and recommended for all deployments?
All supported versions are stable. We will soon formally announce R81.10 as the widely recommended release.
Is R81.10 recommended for Load Sharing upgrades also?
When something is declared Recommended, it applies to all deployments.
Will R81.20 have native support for Maestro platforms (same ISO, feature parity, bugfix alignment), or will there still be a separate SP release track?
R81 and SP are already unified, they just have a different installation image (i.e. the same hotfixes, etc). There are some differences in available features we are working to close.
Have elephant flow challenges been addressed?
We have new way of treating heavy connections in R81.20, and we are planning to give more details at CPX. If you are interested to join private EA program and test this feature in production now, please reach out to us: checkmates@checkpoint.com
Is there any new features added for checkpoint CloudGuard in new version?
All mentioned here is also relevant to CloudGuard
Any new development on GRE stability on the new version?
Nothing specifically, but if there are stability issues, please report via TAC and we will address via JHF.
At what point does Smart-1 Cloud get upgraded to new versions?
We plan to do it very soon and we'll update our customers. In general, the goal is to upgrade Smart-1 Cloud servers as soon as new versions are released. We expect the service to be fully on R81.10 by end of January.
Do we need to enable SSL Inspection to use the zero phishing?
It is recommended to enable SSL Inspection to protect users from advanced phishing attacks over HTTPS. Without SSL Inspection Zero-Phishing will protect users over HTTP.
Can we use R81.20 with Load Sharing without any limitation as like R80.10 and earlier?
The main limitation introduced in R80.20 (Load Sharing with VPN) has been addressed since R81.10. The limitations for Load Sharing in general are documented in sk101539 and will (presumably) still apply.
Please clarify, the Zero-Day Phishing for email does not apply to on-premises Exchange/mail servers only, but to the hosted Exchange as well?
Zero-Day Phishing feature provides protection for web users - no matter if they get the link form social media, messaging app or any other source.
Is Zero Phishing integrated with MTA?
MTA and Web Zero-Phishing uses same phishing detection AI engines. Web Zero-Phishing prevents user to browsing to the malicious site (on network/browser level).
Any changes to Maestro dual-site Active-Active without needs to use VSX with VSLS or multiple Security Group active per site?
Currently it will be the same as R81.10. Active / Active is planned for later releases
What about phishing protection on the Outlook client?
In case customer do not have email based phishing protection and will click on a phishing link, he will be blocked by the gateway. Otherwise Web Zero-Phishing is will work as an additional prevention layer (that also have unique HTML analysis feature to detect phishing).
Could you share a link describing the changes in the API between R80.40 and R81.10?
This is listed in the API documentation, specifically in the changelog.
Is there any plan for LDAP / LDAPS integration for the login on SmartConsole so we don't need to create the users but can use a group?
You can do exactly that with SAML integration for SmartConsole login!
Any news for ssl inspection of TLS 1.3 ? No need for downgrade to TLS 1.2 for an TLS 1.3 connection?
Supported from R81 but requires specific (not default) configuration.
Is Dynamic Network Feed replacing ioc_feeds feature?
This will be an additional feature (versus a replacement).
When will it possible to create an "interoperable device" via API ?
It's in R&D's backlog, we hope to update soon. Stay tuned 🙂 Currently we plan to include it in R81.20.
Can we use different Firewall module in R81.10 for Maestro in Same Security groups Sure. If you mean different appliance models (Mix and Match) - sure, it's in R81.10 - see sk162373.
When it comes to identity, currently the terminal agent its going towards the GW, is there plan to have this against the Identity Collector instead?
We are planning some major improvements to Identity Awareness in the future. More will be discussed at CPX 360 2022.
SD-WAN features will be enabled in R81.20?
Eventually it will be supported over R81.20, but will possibly require a JHF. Stay tuned!
Cloud Services on SmartConsole: will we be able to manage different tenant?
The purpose of the integration between the on-prem Management and Infinity is to pair your management to your own tenant, and the pairing requires logging into your tenant and generating a token.
Will R81.20 be available on Quantum Spark SMB appliances?
We are working on an R81.x based version for SMB appliances that will be available later this year.
Will upgrading CloudGuard Network Security gateways from R81 to R81.10 or R81.20 still require a complete rebuild of the gateway or management server?
This is in progress.
How can we add bulk hosts with the help of SmartConsole?
The Management API or CLISH can be easily used to add bulk hosts.
The “add objects-batch” command can add many types of objects with a JSON input. You can run this command from the “Command Line” window within SmartConsole.
Here is an example from the API reference:
add objects-batch objects.1.type "host" objects.1.list.1.name "New Host 1" objects.1.list.1.ip-address "192.0.2.1" objects.1.list.2.name "New Host 2" objects.1.list.2.ip-address "192.0.2.2" objects.2.type "address-range" objects.2.list.1.name "New Address Range 1" objects.2.list.1.ip-address-first "192.0.2.1" objects.2.list.1.ip-address-last "192.0.2.10" objects.2.list.2.name "New Address Range 2" objects.2.list.2.ip-address-first "192.0.2.12" objects.2.list.2.ip-address-last "192.0.2.20"
Another option is using the “add host” command with --batch flag and supply a csv file
Will cloud integration be mandatory to use the SD-WAN feature?
Managing SD-WAN is done in the Infinity Portal. It will require to connect the Management with Infinity. There might be an advanced option to skip this pairing, but it will require to re-configure many things in the cloud which are already configured in the Management.
Do we lose log file indexing moving from R81 to R81.10 or R81.20?
The log indexing process changed in R81, which necessitates reindexing old logs. Upgrading from R81 to R81.10 or R81.20 should not require a reindexing.
Will additional licenses be required for the SD-WAN feature? At which license level can we use this feature?
Details have not been finalized yet.
Is there any improvements on process that manage receiving logs from gateway? Actually if we have a Smart-1 logs with multiple CPUs, and we have a huge amount of logs all are managed by single CPU and remain CPU are not used.
Log servers do use multiple CPUs / Cores to perform indexing & querying. This gives us the ability to handle high log rates. There may be specific cases in Multi-Domain where some domains receive much more logs than others and compute capacity may not be optimally distributed between them. This can be tweaked with advanced configuration, and we are working on ways to make this simpler.
Overall, R81 brought significant improvement to indexing and querying and R81.10 brought the ability to distribute log sending to multiple log servers for even higher capacity.
We are also working on more improvements for the future as we understand the demand for more logging capacity.
What is the timeline for retiring SmartDashboard?
Some features are still managed in SmartDashboard. We have concrete plans to move some features to SmartConsole, but not all.
For using log exporter to export info to a SIEM, does R81.10 allow for easier control and management with out changing the config file via CLI?
Yes, you can create a Log Exporter/SIEM Object via New > More > Server > Log Exporter/SIEM.