Exciting New Security Management Features in R80.4...

Eran_Habad · ‎2020-01-28

Hi everyone,

My name is Eran and I'm a Group Manager in the R&D of Check Point. My group is responsible for the core infrastructure of the Management Server and also for the Management API. As you probably know, R80.40 has just been released and we're very excited about over 100 new features, many of them are in the Security Management platform.

I invite you all to explore the What's New of R80.40 and specifically the Security Management section. The following new features were developed by my amazing group of R&D engineers and I encourage you to try them out and share your feedback:

Revert to Revision

The Security Management Server architecture supports built-in revisions. Each publish operation saves a new revision that contains only the delta from the previous revision allowing now safe recovery from a crisis by restoring a Domain or a Management Server to a good known revision.

Multi-Domain

Backup and restore an individual Domain Management Server on a Multi-Domain Server.
Migrate a Multi-Domain Security Management from one Multi-Domain Server to a different Multi-Domain Server.
Migrate a Security Management Server to become a Multi-Domain Security Management on a Multi-Domain Server.
Migrate a Domain Management Server to become a Security Management Server.

Management API

DevOps teams can automate their security and transform it into DevSecOps workflows using Ansible and Terraform. Automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine configuration tasks, saving time and reducing configuration errors.
- For more information about Check Point Ansible module see Check Point Ansible security modules
- For more information about Check Point Terraform provider see Check Point Terraform Provider.
Significant increase of performance for multiple set/edit/delete object commands with Batch API.
New Management API authentication method that uses an auto-generated API Key.
New Management API commands to create cluster objects.

SmartTasks

Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Partial (infix) Search

Object search - support for partial word search using a wildcard, for example: a match is returned for searching *oba for an existing Host named: USGlobalHost.

Management Upgrade

Introducing a new Management Upgrade mechanism (under the hood) that includes:

New dynamic HTML upgrade report that shows the current status while upgrade is in progress and the final report once upgrade is done. ** Will be available starting next DA release **
New updatable code mechanism for delivery of upgrade fixes and enhancements, automatically downloaded as upgrade packages from the Download Center for online environments. This is also available for offline environments and requires to download latest upgrade package from the Download Center.

Note: the new Management Upgrade mechanism will be executed when upgrading from R80.20, R80.20.Mx and R80.30 to R80.40 (and to any future version).

Feel free to reply to this thread with comments or questions, or to reach me out privately. Also, you're welcome to stop by next week at the #CPX360 in Vienna and visit me in the Technology Innovation room, next to the Security Management table.

Enjoy R80.40!

Eran

Peter_Lyndley · ‎2020-01-28

Can i just clarify that we also have

Migrate a Security Management Server (R80.10+) to become a Domain Management Server (R80.40) ?
This is what MSPs have been waiting for since R80. Please tell me it is included

mdjmcnally · ‎2020-01-28

Migrate a Security Management Server to become a Multi-Domain Security Management on a Multi-Domain Server.

I how I read that was for R80+

Eran_Habad · ‎2020-01-28

Hi Peter,
Please see my answer here: https://community.checkpoint.com/t5/General-Topics/R80-40-Early-Availability-Program-Check-Point-Upd...
Shortly, the Domain migration is available now starting R80.40. Very soon we will include those abilities in R80.20 and R80.30 via Jumbo Hotfix, but Domain migration in or from R80.10 will not be supported, unfortunately, due to technical limitations.

Maarten_Sjouw · ‎2020-01-28

Does it matter if the SMS is running a VSX setup when you want to migrate that to a Domain Management Server?
Also I don't see anything about the report sharing feature nor the topology per VPN community?

Regards, Maarten

Eran_Habad · ‎2020-01-28

Hi @Maarten_Sjouw, when migrating from a Security Management Server to a Domain there is no limitation in regards to VSX - it is not an issue.

Also, note the features I listed are not ALL the new features of R80.40, I only highlighted few features which were developed under my ownership. The full list can be found here (and also in my post):

The full What's New of R80.40
The Security Management section

Maarten_Sjouw · ‎2020-01-28

Ok @Eran_Habad, that VSX is supported is a lifesaver.
On the SmartConsole updatable code, does it still allow me to leave the R80.30 installation on my machine?

Regards, Maarten

Maarten_Sjouw · ‎2020-01-29

@Eran_Habad, Where can I find a proper upgrade manual, I looked at SK137677 and SK135172 but those are very unclear, the first only shows R80.20 but looking past that, in the export and import commands which version do you need to put there:
The version you are coming from?
Even the Installation and upgrade Guide only shows moving a R80.40 SMS/DMS to a R80.40 SMS/DMS or R80.10/R77.30 and lower, but nothing about R80.20/R80.30
Tried this API method but that just fails without a proper error message.
The version you going to?
Next to that If I want to import a SMS into a Domain on a MDS, the migrate_server import tells me to run it from MDS level??

So which SK is giving proper info on migrations?

Regards, Maarten

Eran_Habad · ‎2020-01-29

@Maarten_Sjouw I'm sorry for the confusion with the SKs, we're now uploading the updated SKs following the release of R80.40 and few hours from now it will be clearer. @Itai_Minuhin will reply here when the SKs are ready and uploaded. In any case, the R80.40 Installation and Upgrade Guide has all the info very clearly so you shouldn't wait for the SKs. Note that for advanced upgrade there are different instructions for upgrade from R80.20 and higher, and upgrade from R80.10 and lower (due to the new upgrade mechanism for R80.20 and higher - see my original post).

For migrating SmartCenter to a Domain on a Multi Domain Server, you can see the instructions as part of the R80.40 Admin Guide or simply refer to sk156072 for all the info. The migration is based on API commands, so you can also check out the Management API Reference for the syntax of the commands (although they are written clear as part of sk156072). You're also invited to explore the new APIs in v1.6 (the API version for R80.40).

Hope this helps.

Maarten_Sjouw · ‎2020-01-29

Ok, SK156072 will only work for R80.40 and above, as it requires the API 1.6.
For R80.20/R80.30 we will wait for updated information.

Regards, Maarten

Itai_Minuhin · ‎2020-01-30

@Maarten_Sjouw SK135172 is now updated.
SK137677 will be updated soon as well.

Maarten_Sjouw · ‎2020-01-30

Thanks @Itai_Minuhin, I will check them out.

Regards, Maarten

KennyManrique · ‎2020-01-28

There is no details about enhancements on Policy Install. It seems still no Delta Policy Install on Gateways 😞

Eran_Habad · ‎2020-01-28

Hi @KennyManrique, we actually made few performance enhancements in the policy installation of R80.40, mostly in the policy verification process, which already show performance improvements - also reported by many of our EA customers of R80.40. Also, the policy verification and "rule hiding rule" logic do rely on the delta that was changed - this is not new in R80.40. We have major plans in our roadmap to promote fast policy installation, not necessarily by installing only the delta - we explore other directions as well. Stay tuned 🙂

JozkoMrkvicka · ‎2020-01-28

Is "new" feature Partial (infix) Search capable to find also IP ranges ? including IPv4 and IPv6 addresses?

Kind regards,
Jozko Mrkvicka

Eran_Habad · ‎2020-01-28

Hi @JozkoMrkvicka, the new partial search feature is aimed for finding an object by providing any sequence of characters from the object's name (could be in the middle of the name). Searching an IP in the objects bar and finding matches for ranges is supported today in R80.x already - try it out 🙂

Luis_Miguel_Mig · ‎2020-10-27

What is the difference in R80.40 then betwwen revisions and the policy installation history?
Or is policy installation history of any use? If there is a crisis and you need to rollback, rolling back to an old revision and installing is much better, no?
Although I have the impression now that they are both linked now and it is actually pretty much the same, isn't it?

SmartConsole, Management & Settings ->Sessions-> Revisions

SmartConsole, Security Policies -> Installation History

Timothy_Hall · ‎2020-10-27

Please see my article here for the answer to your question (and many more):

https://community.checkpoint.com/t5/Policy-Management/R80-Change-Control-A-Visual-Guide/m-p/39702

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

Tal_Paz-Fridman · ‎2020-11-01

Hi

Revisions are created when you Publish.

In the Revisions view, you will be able to compare two revisions or compare a revision to the current session.

And off course you can revert (rollback) to an older revision.

Installation History details the changes between two policies using the list of Audit Logs