Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

What’s New in Check Point’s Quantum R82 TechTalk: Video, Slides, and Q&A

Slides are posted below the Q&A, which is below the video.

When is first JHF for R82 planned?

Planned for December 2024 (not a formal commitment)

Is there any article related to deploying ElasticXL in R82?

Refer to Working with ElasticXL Cluster in the R82 Scalable Platforms documentation.

Is this relevant for Quantum Spark appliances?

Not currently, though an R82-based firmware for Quantum Spark appliances is planned for next year.

When will R82 be recommended version?

No specific timeline on this. For details on our release terminology, refer to sk95746.

Is it possible to have an R82 firewall with no CPM just like the ad-hoc SMBs?

Not currently. However, the Dynamic Policy layer in R82 does allow policy changes to occur via API to the gateway directly.

We would like to have site A and B under active/active architecture with ElasticXL, is this possible in this new release?

This is currently an Early Availability feature. Please work with your local Check Point office if you are interested.

Why WebConsole still don't have all of the privileges like the SmartConsole?

We are adding new functionality with each release. In R82, for instance, we've added support for:

  • Threat Prevention Rule Base
  • HTTPS Inspection Rule Base
  • NAT Rule Base
  • Rule Base search
  • Access Role Editor

In general, the reason Web SmartConsole doesn't support some features is because not all of them have full REST API support.

How can Check Point prevent targetted Zero day attacks, given to understand most vendors work on threat feeds and intelligence seen elsewhere? Especially when the attack is targeted to your organization?

Preventing targeted attacks is definitely more challenging.For this purpose we apply more sophisticated tools - analyzing the most basic & raw elements of the attack. For Example, every attack requires some infra such as registering a malicious domain, hosting it on some server exposing public IP etc. ThreatCloud Graph collects these raw elements as soon as the attacker builds his infra, it analyzes connections between the registrar, DNS servers, IPs and other indicators. These elements produce malicious indications without the need to rely on any known intelligence feed. This is one measure out of many others.

The brain behind Check Point's security is ThreatCloud AI, with AI and Machine Learning technologies that identify and block emerging threats that were never seen before. As presented, in R82 we released 4 new AI engines.

Is VSNext true virtualization now?

We are using Linux Namespaces similar to legacy VSX.

What virtualization is supported besides VMware?

Anything that uses KVM as a Hypervisor should work. See also: sk158292.

What is the status of new feature - Policy Advisor?

We are planning to launch it first for Smart-1 Cloud customers first...in the coming weeks. On-premise management connected to Infinity Portal will also be supported.

Is VSNext going to be covered by Smart-1 cloud?

Once your Smart-1 Cloud tenant is upgraded to R82, this will be supported.

How about migrating Legacy VSX to VSNext and/or ClusterXL to ElasticXL?

Currently, this is a manual process for both. We do plan automated migration tools in the coming months.

Is there any improvement to live monitoring of interfaces?

R82 includes support for Network Probe objects, which were primarily for VPNs, but can be used without VPNs also.

What appliances support R82?

All 2016 appliances and above. Refer to the Release Notes for a complete list as well as the supported upgrade paths.

Isn't the fail-open mechanism for HTTPS Inspection exploitable to brute-force attacks?

There is no guarantee, similar to server-side fail-open, where a malicious server can trigger fail-open in multiple ways. For maximum security, both of these features should be disabled. However, to ensure high connectivity and usability, these features can be useful.

In the case of a client-side fail mode, the clients are usually within the organization, making it less likely that they would be the source of an attack.

Is IPv6 fully supported for VSNext and ElasticXL?

VSNext is currently not supporting ipv6. will be supported in following JHF. ElasticXL is fully supporting IPv6.

In ElasticXL, without orchestrator appliances how are we going to connect our uplink interfaces?

ElasticXL connectivity is similar to existing ClusterXL with the addition of a management interface. There are no uplink interfaces.

Is it possible to prevent Quantum SMS and gateway to send any data to the cloud or will then some of the new features not work?

This requires Private ThreatCloud and is not specific to R82.

Is Copilot available for onprem management? Is there any requirement or just R82?

Supported with R81.20 and R82, requires a connection to Infinity Portal.

Upgrading from R81.20 to R82 on a supported platform with same load, same features (active blades) would have low/med impact on load (cpu, mem)?

Should be similar, uyes.

Any VPN tunnel monitoring improvements?

Yes, additional information is in cpview in R82.

Is Maestro management via Smart-1 Cloud coming some day in R82?

Already supported.

Which of these new AI features will be available with an NGFW subscription?

The new features will require NGTP/NGTX licenses.

In inbound HTTPS Inspection are we able to use multiple sni cert. in one policy rule ?

A single cert with multiple SNI is supported since R80.40.

Does ElasticXL also support HA? Or does it only support Load Sharing?

You have load sharing inside the site and HA between the sites. To simulate regular clusterXL HA, you would build two sites with single member per site.

When R82 version will be available for deployment of cloud guard in public clouds?

It should already be available for AWS, Azure, and Google Cloud.

With ElasticXL, it's going to be only one object to SIC with the GWs? Cloning group feature is going to disappear then ?

ElasticXL will use the Maestro method for keeping cluster members up to date. Cloning groups will still be supported for ClusterXL installations.

Can I cluster different appliance models with ElasticXL?

Works, but is not formally supported.

There are some advance DNS settings also in R82 management server, but i do not see discussions about them, are there old features and just visible on R82?

R82 provides new and enhanced DNS security capabilities with the addition of:

  • Advanced DNS protection against Non-Existent Domain (NXNS) Attack.
  • Support for DNS over HTTPS (DoH) protocol.
  • Configuration Granularity - Advanced DNS Security settings in the Threat Prevention profile. 
  • Detailed DNS Security statistics - Now available in the SmartView Dashboard.

ElasticXL needs a special license?

No, it does not. 

 

3 Replies
the_rock
Legend
Legend

Fantastic work guys.

Andy

0 Kudos
alexgnunez2
Explorer

When will Maestro solution with R82 be available in a dual active/active site environment?

(1)
PhoneBoy
Admin
Admin

I assume a future JHF.
@ShaiF should be able to confirm.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events