Tsvika_Akerman
Employee

R80.40 Early Availability Program @ Check Point Update

R80.40 EA Program 

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V. 


Enrollment // Production EA

• We are looking for R80.X / R77.X Production environment to evaluate the new version.

• Start date: Started 

Public EA (for Lab/Sandbox use) is now also available!

  • Log into UserCenter and Select Try Our Products > Early Availability Programs
  • In PartnerMap, it is Learn > Evaluate > Early Availability Programs
  • NOTE: Upgrade from Public EA to GA is not supported

Additional questions? Contact us at EA_SUPPORT@checkpoint.com

What's New 

IoT Security

A new IoT security controller to:

  • Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis). 
  • Configure a new IoT dedicated Policy Layer in policy management.
  • Configure and manage security rules that are based on the IoT devices' attributes.                      

TLS Inspection

HTTP/2

  • HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience.
  • Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  • Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.

TLS Inspection Layer

This was formerly called HTTPS Inspection. Provides these new capabilities:

  • A new Policy Layer in SmartConsole dedicated to TLS Inspection.
  • Different TLS Inspection layers can be used in different policy packages.
  • Sharing of a TLS Inspection layer across multiple policy packages.
  • API for TLS operations.

Threat Prevention

  • Overall efficiency enhancement for Threat Prevention processes and updates.
  • Automatic updates to Threat Extraction Engine.
  • Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
  • Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
  • Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
  • Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
  • Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control

Identity Awareness

  • Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
  • Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing. 
  • Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN

  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides: 
    • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
    • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
    • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
  • Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering

  • Improved scalability and resilience.
  • Extended troubleshooting capabilities.


NAT

  • Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
  • NAT port utilization monitoring in CPView and with SNMP.


Voice over IP (VoIP)

Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.


Remote Access VPN

Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).


Mobile Access Portal Agent

Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.


Security Gateway and Gaia

CoreXL and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering

  • Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
  • Cluster Control Protocol encryption is now enabled by default.
  • New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
  • Support for ClusterXL Cluster Members that run different software versions.
  • Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX

  • Support for VSX upgrade with CPUSE in Gaia Portal.
  • Support for Active Up mode in VSLS.
  • Support for CPView statistical reports for each Virtual System


Zero Touch

A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API

Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing

  • Enhancements to OSPF and BGP allow resetting and restarting OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
  • Enhanced route refresh for improved handling of BGP routing inconsistencies.


New kernel capabilities

  • Upgraded Linux kernel
  • New partitioning system (gpt):
    • Supports more than 2TB physical/logical drives
  • Faster file system (xfs):
    • Supporting larger system storage (up to 48TB tested)
    • I/O related performance improvements
  • Multi-Queue:
    • Full Gaia Clish support for Multi-Queue commands
    • Automatic "on by default" configuration
  • SMB v2/3 mount support in Mobile Access blade
  • Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
  • Support of new system tools for debugging, monitoring and configuring the system

CloudGuard Controller

  • Performance enhancements for connections to external Data Centers.
  • Integration with VMware NSX-T.
  • Support for additional API commands to create and edit Data Center Server objects.


Security Management

Multi-Domain Server

  • Back up and restore an individual Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
  • Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server to become a Security Management Server.
  • Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API

  • New Management API authentication method that uses an auto-generated API Key.
  • New Management API commands to create cluster objects.
  • Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
  • SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment

Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.


SmartEvent

Share SmartView views and reports with other administrators.


Log Exporter

Export logs filtered according to field values.


Endpoint Security

  • Support for BitLocker encryption for Full Disk Encryption.
  • Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
  • Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
  • Policy can now control level of notifications to end users.
  • Support for Persistent VDI environment in Endpoint Policy Management.

1 Solution

Accepted Solutions
Tomer_Noy
Employee

The Management & SmartConsole are developed under my ownership, so I will try to answer:

1) It is definitely not OK that SmartConsole needs to be manually installed and uninstalled for getting fixes / updates. In the past when updates were infrequent, it may have been reasonable, but not today with the jumbo updates.

2) It is not OK that preferences are lost when updating SmartConsole.

3) We had some delays with the updatable SmartConsole development (mainly due to other high priorities that came in), so we are behind schedule for sharing it with the field during 2019. However, we are not waiting for the release of R80.50. The plan is to release another flavor of SmartConsole that will be auto-updatable during Q1. We will release it to versions that are already GA (such as R80.40 and R80.30). The new package will be available in parallel to the existing one, and customers will be able to choose the new flavor early if they wish.

83 Replies
PhoneBoy
Admin
Lots of great stuff here. Can't wait!
0 Kudos
Ryan_St__Germai
Advisor

Is the "upgraded kernel" still 3.10?

PhoneBoy
Admin
It's still 3.10, yes.
Timothy_Hall
Legend

Will the new 3.10 kernel be required for R80.40 gateways, or will 2.6.18 still be supported?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Abhishek_Singh1
Contributor
Does R80.40 support VLAN trunking for Standard Standalone deployed Gateways on a VM?

We have Standalone (SMS + Gateway) on a single VM (virtual machine on Windows Server 2012). I need the Check Point VM NICs to support VLAN trunking; is it possible with R80.40?
PhoneBoy
Admin
I suspect the reason it doesn't work is that we are still using the 2.6 kernel on Standalone deployments.
You can confirm by installing a management only image and trying the same config to see if it works.

Whether or not the 3.10 kernel will be the default for gateways (and thus Standalone configs) in R80.40 is still an open question.
That's the goal, as far as I understand it.
Abhishek_Singh1
Contributor
Yes, that's correct. Do you have any confirmation whether kernel 3.10 will be supported for standalone deployment with R80.40?

Any SharePoint or link from where I can get the R80.40 EA version of Gaia? I have already registered for the above EA plan with no luck on the new Gaia OS.
0 Kudos
Dorit_Dor
Employee

1. Right now R80.40 comes only with kernel 3.10, which means that all modes are supported (gw, mgmt, standalone).
There would have to be a dramatic event to make us decide to go back to the old Linux flavor.

2. What do you mean "no luck"? We are starting the EA deployments more extensively this week. You had no luck in getting the EA? No luck in running standalone? Other?

I assume that the EA team can assist you if you weren't able to use it, but if we missed something, we are open to getting feedback and improving.

Abhishek_Singh1
Contributor
Thanks Dorit for the quick response.

"No luck" - I have enrolled in the R80.40 survey, but didn't get EA in my User Center account. I guess maybe CP will need some time to come back to us for the evaluation of the EA.
0 Kudos
David_Moss
Employee

Hi Abhishek,

We are in the process of replying to all R80.40 EA enrolments. Please reply to my private message so I can have your details and check it out for you.

The Public EA program is about to start soon. Once started - you will be able to use your User Center's credentials and download R80.40 files.

You are also very welcome to join our Production EA program, which includes an EA engineer on site and full EA support. I'll be happy to introduce you to this program.

David

0 Kudos
FedericoMeiners
Advisor

@David_Moss 

I sent you a private message about one of our EA enrollments.

Thanks!

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
xman03
Participant

Awesome stuff here! Any chance the SND and multi-queue "on the fly" changes will also apply to VSLS?

0 Kudos
mbrandt1976
Explorer

No SAML for remote access VPN yet?  Any idea when integration with 3rd parties like OneLogin will be available?

0 Kudos
Nik_Bloemers
Advisor

This looks very promising to me! Lots of great features and improvements. Great work!

0 Kudos
Alessandro_Marr
Advisor

Great news, but nothing about domains on GEO Policy exceptions. 

0 Kudos
PhoneBoy
Admin
Recommend you create a separate thread for this question so we can better understand the requirement.
From R80.20 onward, it is best to use the Access Policy with Updatable Objects, as this offers significantly more flexibility.
0 Kudos
phlrnnr
Advisor

The new clustering options look great for enterprises with egress points in multiple geographically disparate datacenters.  I assume state-synchronization will now work via Layer 3 so packets can egress either datacenter via routed links and not get dropped as out of state?

0 Kudos
PhoneBoy
Admin
We have supported Layer 3 sync in AWS/Azure for a while now as they do not support multicast.
Makes sense we would also roll this out on regular gateways as well.
0 Kudos
Nicklas_Bargell
Participant

Is Mobile Access due for integration in to R80 anytime soon?

0 Kudos
genisis__
Leader

I also thought a GUI-based backup solution would now be in R80.40 for Provider-1 so that you can back up individual CMAs?

It would be nice to see a complete list of new features and resolved issues.

0 Kudos
Tomer_Noy
Employee

The capability to back up individual CMAs was added in R80.40. 

It is easily used via CLI and we've also added REST API for it, since many customers wanted to automate it.

The UI didn't make it into this release and we'll look to add it in the next one.

0 Kudos
Dorit_Dor
Employee

A large part of the Mobile Access blade has been part of (and integrated inside) the Access policy since the first R80.x releases, just like Data Awareness is in the Access policy now (while still having an independent DLP policy option).

We also keep full independent policies for compatibility purposes and because some people want to separately edit them, while the "integration" is done by running the needed functionality inside the same policy, and this is available from the first R80 policy.

There is no active plan to further change the "independent policies" (they are given as they are). If there are needs on the main Access policies or if there are bugs in the "independent policies", they can be discussed with the product teams.

TLS remains separate-edit due to its nature and therefore went through a rewrite in R80.40 to have it more integrated while still having it outside of the main policy.

Maria_Pologova
Collaborator

  • Support for ClusterXL Cluster Members that run different software versions.

Is this also applicable for VSX?

0 Kudos
David_Moss
Employee
Hi Maria,
Multi Version Cluster is supported only for SGW. The limitation is VSX related - in order to install policy with different versions on the VSX cluster members you need to upgrade the network object by 'vsx util upgrade'. Installing policy on the lower version cluster member requires downgrading the cluster object version, which is currently not supported.
0 Kudos
Guy_Elyashiv
Employee Alumnus

Hi,

Let me be clearer on this - MVC for VSX works (and since it's planned to be enabled by default, VSX customers who upgrade their environment will use MVC). However, changing the policy after the environment is already in multi-version requires the installation of the policy twice - both with the new version and the old one. While in a standard cluster this is an easy operation, in VSX it requires the use of VSX util downgrade to change the VSX object to the old version before the installation, and this util is not officially supported.

So the statement is that MVC for VSX has a limitation of changing the policy after the cluster runs in multi-version. We are currently working on making the VSX util downgrade to be supported officially but we cannot say if it will be available for R80.40 yet.

Regards,

Guy Elyashiv | Group Manager – Clustering & Multitenancy
0 Kudos
genisis__
Leader

Do we know if support for different hardware appliances in a cluster will be supported?

Example:

VSX Cluster with x2 12400's; at some point these will be end of life, so if we want to then replace the hardware without major work it would be really good if we can, as an example, run a mixed set:

x1 12400, x1 15600, then to x2 15600 as an example.

At this point, it's my understanding that a cluster must have the same identical hardware.

Guy_Elyashiv
Employee Alumnus

Hi,

The main issue with a mixed HW cluster is the difference in the number of CPUs (which affects the number of FW instances).

As we already resolved the limitation of synchronizing connections from an appliance with a lower number of instances towards an appliance with a higher number of instances, we can say that as an upgrade procedure using CU (Connectivity Upgrade) it can work and all connections will be synchronized.

This, however, will be less effective with MVC, which synchronizes connections both ways, so once the active member is the appliance with the higher number of instances it will fail to synchronize some of the instances towards the standby member with the lower number of instances.


Regards,

Guy Elyashiv | Group Manager – Clustering & Multitenancy
biskit
Advisor
"Support for BitLocker encryption for Full Disk Encryption."


Does anyone have any more details on exactly what Bitlocker support will be included?

I have a customer with Bitlocker on 700+ laptops and I'm trying to get them on to Check Point FDE. It's going to be a long slow migration. So what can Check Point 'do' with the existing Bitlocker laptops in the meantime?

0 Kudos
PhoneBoy
Admin
I'm pretty sure this means exactly what it does on the Mac with FileVault: you can use Check Point Management to manage the OS FDE settings on the Endpoint.
In the case of the Mac, this was required due to some changes Apple made in macOS that made third-party FDE products impossible.
I believe the Bitlocker support for Windows works on a similar principle.
The actual disk encryption happens with Bitlocker, but Check Point Management has visibility and control over the settings.

How that will work with laptops that are already encrypted with Bitlocker, I'm not sure.
0 Kudos