Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Admin
Admin

Delivering Security Consolidation Across the Enterprise with R81: Video, Slides, and Q&A

Materials from our TechTalk on 28 October 2020 available to CheckMates members:

Refer to the R81 Home Page for official documentation and downloads.

Selected Q&A from the session is below:

What event auditing options will be available in R81? Specifically, is OPSEC LEA still a valid option and what is the status of the Log Exporter option to export CEF (especially for ArcSight SIEM integration)?

OPSEC LEA is still valid but Log Exporter is the recommended approach going forward. ArcSight should support Log Exporter.

This update is available for SandBlast Agent Cloud Management and/or Smart-1 Cloud?

We will roll this out to SAMP and Smart-1 Cloud customers in the coming weeks.

There is a native integration with guacamole "Mobile Access Blade with Clientless RDP/SSH - Early Availability" that was in EA in R80.30 JHA Take 155 (kernel 2.6), will this feature be available in R81 GA?

Yes, this is integrated with the GA R81.

What gateway versions can be managed with R81?

Gateways running R77.30 and above as well as SMB appliances running R77.20.x and later.

Can I choose more than one Infinity Threat Prevention profile or add another profile to an existing gateway later?

Only one profile is available for a single GW, but you can change and/or customize them. For a multipurpose gateway, we recommend to use the Perimeter profile. You can use different profiles on different gateways.

Can you make any modifications to the Infinity Threat Prevention Policies?

You can use Global Exceptions and override file type actions of the Policy Package.

Do current customers who have a licensed version of Threat Management eligible to use Infinity Threat management?

Yes!

How do you determine the relevant IPS protections for the ITP strict security profile? Is it a modified tailored safe variant or a new implementation?

It is possible to see in the profile comparison page what protections are enabled, according to severity/performance, Prevent/Detect according to confidence.

How will migration from legacy configuration to new Infinity TP be? Will exceptions remain in place? Global exception remain in place.

There is no migration of the policy. Global exceptions also apply to Infinity Threat Prevention.

Do the profiles take into account whether HTTPS inspection is on or off? I assume some protections will not work.

Correct, HTTPS Inspection is essential for effective Threat Prevention. You will have to configure HTTPS Inspection layer separately.

Does Infinity Threat Prevention also support 1500 SMB gateways or gateways not running R81?

Infinity Threat Prevention is only supported on R80.40 and above gateways.

Does Infinity Threat Prevention work on VSX gateways?

Yes.

When the Threat Prevention policy is updated automatically, is it logged anywhere to easily correlate an issue with a TP or IPS update?

You will see the highlights in the What's New section

With R81, is it best practice to use a single Threat Prevention profile for a gateway?

We provide you with two options: classic threat prevention management, which allows multiple profiles to be used, and new tailored profiles with simplified Infinity Threat Prevention.

Will be with R81 some enhancements regarding updateable objects?

Any new updatable objects we add will be available in R80.20 and above.

When will Delta Policy Push be implemented?

The Accelerated Policy Push feature in R81 is what this is.

When you have several administrators publishing their changes without installing them, can you choose which change to install in R81 or do you still have to install all the changes at once?

Policy will be compiled based on the published database. That includes all sessions published at that moment.

Is it possible to see the history of policy changes?

You can see the diff between 2 revisions in the revisions page

Can you "print" the changes overview to a PDF file or save/import them?

This is in our roadmap.

What are the limitations with Accelerated Policy Push?

Refer to sk169096 for a full list of limitations.

Is this available on Maestro?

We will release an R81SP in the coming weeks. It is Early Availability now.

Does 'fast policy installation' option have any sort of performance impact on the gateway? Normal policy installation historically has impacted cpu performance on gateways, at least to some extent.

Accelerated Policy Install is only relevant for R81+ gateways. That said, as part of the significant improvements to SecureXL (from R80.20), the impact of a policy install should be minimized substantially. If this is still an issue, a TAC case may be needed.

Are you planning the return of "database revision control" ?

This was added in R80.40 and is described in some detail here

Has SmartUpdate been provided for license management?

In R81 we have License management added to SmartConsole.

Is the package repository for upgrades via SmartConsole located on the PC with SmartConsole or the Management Server?

On the management server.

When using Infinity Threat Prevention, what is the recommended size appliance required?

The datasheets specify Gen V Threat Prevention performance. We can also do more detailed sizing via Appliance Sizing Tool (check with local office/partner).

Are Open Servers upgradable with SmartConsole in R81 as well?

Yes

Is this the graphical version of the already existing CDT, or is this something totally new?

Similar infrastructure is used, but it is not activating the CDT. The engine is new.

Does this package send process work with DAIP gateways?

Yes, the package sending is over SIC

Are EmbeddedGaia gateways also upgradable via SmartConsole?

Not in R81.

Is there Private Threat Cloud support in R81 with central upgrades?

Yes

Does this installation through SmartConsole requires a reboot?

It is just like installing it directly via CPUSE. It does not remove the need for reboot.

If there was an issue doing an upgrade from SmartConsole to a gateway, I assume CPUSE would roll back but would we get a report in the SmartConsole as to what failed and why?

Yes, you will get the info in the SmartConsole task.

Will this support upgrading Maestro deployments on R80.20SP or R80.30SP?

Not yet.

Do mobile access VPN session failover seamlessly to the other gateway when you perform the upgrade on the gateways or will users have to reconnect?

Users will have to reconnect.

Is it possible with the central deployment to upgrade cluster members individuals (reasoning: with some delay prior the deployment on the secondary node, to be able to test the traffic passing the upgraded node)?

Not yet.

Is the installation/upgrade from SmartConsole has built-in safe fallback in cases of failed installation or upgrade?

Yes, both for a should gateways, and for clusters

If I want to upgrade to R81 from R80.20? for GWs, using the new GUI?

Yes

HTTPS Inspection - has CPU overheads been reduced?

Multiple optimizations have been done in R81 for HTTPS Inspection, both for versions <= TLS 1.2 and TLS 1.3. Note that to turn on TLS 1.3 support. USFW has to be turned on, refer to sk167052 for more information.

Have you integrated all HTTPS Inspection setting to SmartConsole?

HTTPS Inspection policy can be managed through SmartConsole from R80.40, but there are still some configurations that must be done through the legacy UI such as trusted CA list.

What about SNI in TLS1.3?

SNI verification using Probe is supported in TLS 1.3 as in older versions.

With TLS 1.3, we can't use https categorization but only full HTTPS Inspection?

We are currently relying on the non-encrypted SNI extension for rule base matching which is verified with the server certificate. Meaning that categorization isn't affected by TLS 1.3. Support for ESNI is being evaluated.

Wha it is performance impact of SSL inspection of TLS 1.3 versus TLS 1.2?

There's a slight impact due to the TLS 1.3 protocol constraints, but rest assured, that's our main objective and we're working to maximizing the TLS 1.3 performance. Once the feature will be on by default, a more detailed and numeric comparison will be provided.

Does Dynamic Balancing supporting CloudGuard Network Security Gateways? How about Open Servers? How about VSX?

In the roadmap.

Is the TLS 1.3 https inspection only available for user space firewalls? 

Yes, but most appliances support it, please refer tosk167052 for more information.

Do the Dynamic Balances Changes on the fly affect users performance?

Yes, by improving it!

Can we manage R81 gateways from R80.x management server?

No, you must upgrade management to R81.

Does manual CPU split change require reboot?

Yes. The automated method does not.

Are there any configurable parameters or thresholds associated with dynamic balancing?

Is Cross Domain search option back in R81?

Yes!

Does R81 support domain names in Exclusion list used for split tunnel?

No. Please work with your local Check Point office around this requirement.

The CoreXL auto balance will be activated in auto after gateway upgrade from r80.30/r80.40 or R81?

Only if CoreXL settings are not altered from their default settings. If a specific configuration has been made, it will be preserved on upgrade.

Would you recommend upgrading from earlier versions of R80.x to R80.40 before ultimately upgrading to R81?

R80.20 above can be directly upgraded to R81. R80.10 and earlier must be upgraded to R80.40 first.

Is there any history view for Dynamic Balancing?

Via cpview, yes.

When will hardware SSL accelerators be avialable to offload TLS Inspection?

Currently this is addressed via software updates, not add-on hardware.

When it will be available to create a security policies via Web version of SmartConsole?

This is in progress and will be released at an add-on to R81 at a future date.

Will you launch renewed certification based on R81?

This is planned for sometime next year.

When MAB console will be integrated to the SmartConsole?

Planned for a future releaes.

What about staged upgrades? Some customers are asking to upgrade a single member for X days before doing the next. Can that be configured?

We are aware of this requirement and it is already under development. Planned for R81.10.

Do upgrades from SmartConsole preserve or transition custom low-level configuration parameters on gateways (i.e. edited files)?

We use the same mechanism of CPUSE which is used for local upgrades. The fact that it is central does not change the configuration migration process.

Can the CDT update the DeploymentAgent if needed as well (in case the gateway has no internet connectivity itself)?

CDT is using the same mechanism as CPUSE, DA is part of it We are aware of this requirement. It is supported in CDT but not yet in Smart Console Central Deployment

Are there any plans to connect Identity Collector to Azure AD?. We need to see from the logs which user logged on from which IP/Computer Name? Currently we are migrating from on-premise AD to Azure cloud and would like to see this information in the logs.

R81 integrates with Azure AD.

Will R81 finally have the updateable SmartConsole?

It's still in the works.

0 Kudos
Reply
0 Replies