Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tsvika_Akerman
Employee
Employee
Jump to solution

R80.40 Early Availability Program @ Check Point Update

 

 

Picture6781.png

 

R80.40 EA Program 

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V. 


Enrollment // Production EA

 

online.png

 

• We are looking for R80.X / R77.X Production environment to evaluate the new version.

• Start date: Started 

online4 - Copy.png

 

Public EA (for Lab/Sandbox use) is now also available!

  • Log into UserCenter and Select Try Our Products > Early Availability Programs
  • In PartnerMap, it is Learn > Evaluate > Early Availability Programs
  • NOTE: Upgrade from Public EA to GA is not supported

 

Additional questions? contact us@ EA_SUPPORT@checkpoint.com

What's New 

IoT Security

A new IoT security controller to:

  • Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis). 
  • Configure a new IoT dedicated Policy Layer in policy management.
  • Configure and manage security rules that are based on the IoT devices' attributes.                      

TLS Inspection

HTTP/2

  • HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience. 
  • Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  • Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS
  • Inspection capabilities.                      

TLS Inspection Layer

This was formerly called HTTPS Inspection. Provides these new capabilities:

  • A new Policy Layer in SmartConsole dedicated to TLS Inspection.
  • Different TLS Inspection layers can be used in different policy packages.
  • Sharing of a TLS Inspection layer across multiple policy packages.
  • API for TLS operations.

Threat Prevention

  • Overall efficiency enhancement for Threat Prevention processes and updates.
  • Automatic updates to Threat Extraction Engine.
  • Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
  • Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
  • Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
  • Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
  • Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control

Identity Awareness

  • Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
  • Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing. 
  • Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN

  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides: 
    • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
    • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
    • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
  • Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering

  • Improved scalability and resilience.
  • Extended troubleshooting capabilities.


NAT

  • Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
  • NAT port utilization monitoring in CPView and with SNMP.


Voice over IP (VoIP)

Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.


Remote Access VPN

Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).


Mobile Access Portal Agent

Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.


Security Gateway and Gaia

CoreX L and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering

  • Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP

Broadcast or Multicast modes.

  • Cluster Control Protocol encryption is now enabled by default.
  • New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
  • Support for ClusterXL Cluster Members that run different software versions.
  • Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX

  • Support for VSX upgrade with CPUSE in Gaia Portal.
  • Support for Active Up mode in VSLS.
  • Support for CPView statistical reports for each Virtual System


Zero Touch

A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API

Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing

  • Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
  • Enhancing route refresh for improved handling of BGP routing inconsistencies.


New kernel capabilities

  • Upgraded Linux kernel
  • New partitioning system (gpt):
  • Supports more than 2TB physical/logical drives
  • Faster file system (xfs)
  • Supporting larger system storage (up to 48TB tested)
  • I/O related performance improvements
  • Multi-Queue:
  • Full Gaia Clish support for Multi-Queue commands
  • Automatic "on by default" configuration
  • SMB v2/3 mount support in Mobile Access blade
  • Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
  • Support of new system tools for debugging, monitoring and configuring the system

 

CloudGuard Controller

  • Performance enhancements for connections to external Data Centers.
  • Integration with VMware NSX-T.
  • Support for additional API commands to create and edit Data Center Server objects.


Security Management

Multi-Domain Server

  • Back up and restore an individual Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
  • Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server to become a Security Management Server.
  • Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API

  • New Management API authentication method that uses an auto-generated API Key.
  • New Management API commands to create cluster objects.
  • Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
  • SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment

Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.


SmartEvent

Share SmartView views and reports with other administrators.


Log Exporter

Export logs filtered according to field values.


Endpoint Security

  • Support for BitLocker encryption for Full Disk Encryption.
  • Support for external Certificate Authority certificates for Endpoint Security client
  • authentication and communication with the Endpoint Security Management Server.
  • Support for dynamic size of Endpoint Security Client packages based on the selected
  • features for deployment.
  • Policy can now control level of notifications to end users.
  • Support for Persistent VDI environment in Endpoint Policy Management.

 

online.png

 

83 Replies
biskit
Advisor

Thanks @PhoneBoy   Do you have access to anyone else within CP who could add more detail to this?  The customer in question moves very slowly so E80.40 will be GA by the time they get to using it, but I need to have the conversations now to get them on board, so I could really do with knowing exactly what this will provide in terms of management of Bitlocker, and also crucially to this conversation, will it offer me an easy(!) route to migrating from Bitlocker to CP FDE?  

0 Kudos
David_Moss
Employee
Employee
Hi Matt,
I've contacted the relevant owner and will update soon with details regarding your question.
Would you like to enrol the Production EA program? we can schedule a phone call and discuss the details if you are interested.
0 Kudos
biskit
Advisor

Hi @David_Moss,

Thanks for your note.  I look forward to your further update.  At this stage I don't need to join the EA (the customer isn't interested in running on EA code) but more detail on what exactly it will do would be a great help 👍

0 Kudos
David_Moss
Employee
Employee
No Problem. I'll keep you updated regarding your question, and please feel free to contact me if you have additional questions.
0 Kudos
FredrikG
Employee
Employee

Hi,

Check Point Endpoint Security (client) will have BitLocker Management as an option in the
Full Disk Encryption Blade policy.


As you know, BitLocker is an integrated part of Windows. The Check Point BitLocker Management feature uses
the Endpoint Security Server, Client Agent and Management UI to manage BitLocker. TPM is required for Managed BitLocker.

 

Existing BitLocker Encrypted machines can be "taken over" and  put under Check Point Endpoint Security Management without being decrypted as long as the policy is using BitLocker Management. Recovery Keys and Data will then be uploaded to the Endpoint Management Server. 

Switching from BitLocker to Check Point FDE is easy, once the machines have been put under BitLocker Management. At least from a management perspective, just change the policy to use Check Point Full Disk Encryption. Note however that this operation will trigger a BitLocker decryption followed by FDE encryption. This re-encryption is a fairly long process and also leaves parts of the disk in clear text during the operation.

0 Kudos
biskit
Advisor

Thanks @FredrikG, that update is music to my ears 🙂  I will let the customer know and press ahead to get that deal.

0 Kudos
Garrett_DirSec
Advisor

hello -- will R80.40 include the long-awaited in-place upgrade option for SmartConsole client?

Dorit_Dor
Employee
Employee

Unfortunately no ... to be included, we needed to finish the development by by now 

The good news is that the project is now under work and we have intention to include in R80.50

Garrett_DirSec
Advisor

Hello @Dorit_Dor , thanks for the insight on in-place upgrade for SmartConsole and R80.50 target.    Aren't we getting close to release of web-based policy mgmt (or is this R81)?

JozkoMrkvicka
Mentor
Mentor

I second that.

We are living in a cloud world, so why we are forced to install the program on (and only on) Windows workstation in order to work with Check Point products. We need a web-based solution of management that can be placed into any Linux machine running Apache and accessed without the need to have a dedicated Windows machine where is installed only Check Point SmartConsole.

Kind regards,
Jozko Mrkvicka
JonnyV
Contributor

at least it's not using Java like Cisco's ASDM; .NET is kinda awful though

0 Kudos
Duane_Toler
Advisor
Indeed. I'd like a Mac client, tho. 🙂
0 Kudos
Duane_Toler
Advisor

You *really* don't want a web-based management.  You think you do, but you don't.  Look at Cisco's Firepower Management Center.  It's web-based.  It's awful.  They tried, and keep trying.  They got the right idea, but web-based is just awful (but it is "less bad" than ADSM).  Look at PAN, same thing.  Look at $OTHER_VENDOR, same thing. Web is awful.  It's an intrinsically asynchronous service.  It's not made for this.  You can make an asynchronous transport into a synchronous transport.  That pig won't stay on course when it's flying.

 

Meanwhile, Check Point gave out the APIs so you can roll your own $WHATEVER.  The management client in-place upgrade will be nice (I'm exhausted on the many times I've had to uninstall/reinstall for Endpoint management and HFA updates), but it's still the right thing.

Garrett_DirSec
Advisor

@Duane_Toler  thanks for your input.  what specifically do you not like about PAN interface (specifically v8x or v9x)?  

Personally, I would like CP to continue to expand on their SmartView work with web-enabling common mgmt interfaces. HTML5 FTW!! 

Martin_Valenta
Advisor
True story!
0 Kudos
CSR
Contributor
Completely agree with @Duane_Toler . Smart Dashboard is much much better than any Web-based management.
0 Kudos
Garrett_DirSec
Advisor

I acknowledge and understand there are two primary camps are far ends of divide:  thick client and web-based mgmt.

Are the folks so enamored with thick client currently OK with fact no in-place client update is possible?    I had customer last week asking legitimate questions along lines of "checkpoint is billion dollar company and the mgmt client for the foundation product (a) doesn't do in place upgrade, and (b) un-install of Smartconsole loses all saved preferences and tweaks".    He had no other commercial mgmt tool that offered such a severe limitation.    @Dorit_Dor did mention that in-place update currently planned for R80.50 but that's another year+ away. 

It's unclear how current generation HTML5-based web interface would be any less functionality.   In addition, the numerous security professional using MAC laptops would be able to freely mgmt CP platform without frustrating need for virtualization and/or jump hosts.  

  My preference is CP makes a decision and sticks to it (ie. not doing both).    The current SmartView features bode well for HTML future... 

0 Kudos
Tomer_Noy
Employee
Employee

The Management & SmartConsole are developed under my ownership, so I will try to answer:

1) It is definitely not OK that SmartConsole needs to be manually installed and uninstalled for getting fixes / updates. In the past when updates were infrequent, it may have been reasonable, but not today with the jumbo updates.

2) It is not OK that preferences are lost when updating SmartConsole.

3) We had some delays with the updatable SmartConsole development (mainly due to other high priorities that came in), so we are behind schedule for sharing it with the field during 2019. However, we are not waiting for the release of R80.50. The plan is to release another flavor of SmartConsole that will be auto-updatable during Q1. We will release it to versions that are already GA (such as R80.40 and R80.30). The new package will be available in parallel to the existing one, and customer will be able to choose the new flavor early if they wish.

Duane_Toler
Advisor
This sounds really great! Looking forward to in-place client upgrades!
0 Kudos
Garrett_DirSec
Advisor

Sincere thanks @Tomer_Noy .   we appreciate the insight.  

0 Kudos
Xiaole_Chen
Employee Alumnus
Employee Alumnus

@Tomer_Noy  Hi, do you have any update on SmartConsole getting the update/hotfixes automatically ?

0 Kudos
Garrett_DirSec
Advisor

hello @Xiaole_Chen .    I recall @Dorit_Dor stated in another thread that in-place Smartconsole updates were target for R80.50.

while not an exact answer to your question, the R80.50 feature would address the most pressing customer complaint:  "having to un-install/re-install SmartConsole with each new release -- AND -- losing your end-user preferences in the process". 

I understand this new build will also notify end-user when new release is available. 

Alternatively, if your question is along the lines of "instant updates" similar in form/function to local-install apps for Office 365, this would be wonderful (ie.  no perceived installation events at all...).     Office 365 apps includes "beta" toggle as well so you can see new features easily (and turn-off just as easily).

0 Kudos
PhoneBoy
Admin
Admin
With the "as a service" trend continuing, I think it's safe to say web-based interfaces of some sort will be a thing.
Blason_R
Leader
Leader

Any improvements on EPM? Dont see any.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
RickHoppe
Advisor

Is there any news on the Public EA release date?

My blog: https://checkpoint.engineer
0 Kudos
David_Moss
Employee
Employee
Hi Rick,
there is no official date yet, but we expect the Public EA program to start very soon. we will publish once it starts.
thanks, David
0 Kudos
genisis__
Leader Leader
Leader

Does anyone know if CP are going to add a comments field on gateway properties for routes.  It's available in GAIA, but not for VSX routes.  This is something that would be really useful to keep track of routes.

PhoneBoy
Admin
Admin
Don't believe this is planned, at least for R80.40.
0 Kudos
Blason_R
Leader
Leader

Wondering if 80.40 has a backup VPN functionality? Or VPN redundancy with third-party vendors?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Garrett_DirSec
Advisor

I had a customer asking for this "redundant remote access VPN" functionality as well.   I perceive that MEP is a site-to-site functionality and not relevant for remote access VPN (don't know for sure).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events