Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

R81.10 EA Program | Production

Tsvika_Akerman
Employee
Employee
5 47 16.7K
 
 

1.JPG

 

Welcome to Check Point’s Cyber Security Platform R81.10, the industry’s most advanced Threat Prevention and security management software that delivers uncompromising simplicity and consolidation across the enterprise. Whether it is deploying the latest technologies and security to protect the organization or expertly crafting security policies, R81.10 enables enterprises to be their best. Now with the newest version, R81.10 delivers feature parity with Check Point Maestro, in addition, the Scalable Platform software delivers the option to mix and match security gateways in the same Security Group to maximize cost-efficiency. R81.10 introduces the ability to automatically update the Smart Console with the latest fixes and improvements all while accelerating the administrator's daily operations. R81.10 enhances Infinity Threat Prevention, the industry’s first autonomous Threat Prevention system that provides fast, self-driven policy creation and one-click security profiles keeping policies always up to date. Policies are installed in seconds, upgrades require only one click, and Quantum gateways can be simultaneously upgraded in minutes.

 

Enrollment | Production EA

 Early Availability Production Programs let you experience and participate in shaping Check Point products by test driving pre-release versions and providing detailed feedback.

Enroll Now: https://www.surveymonkey.com/r/cp-ea-r81-10-enrollment

Following the enrollment survey submission, we will contact you in order to review the details, answer questions and agree on the process.

Additional questions? contact us@ EA_SUPPORT@checkpoint.com

 

New in this release

 Quantum Security Gateway and Gaia

Quantum Maestro Hyperscale*

  •        Mix appliances - The ability to include different appliance models in the same Security Group.
  •        Maestro Orchestrator is aligned with the latest version as part of the main-train release and includes the latest Gaia fixes and improvements.
  •        All VPN functionality is now supported:
    •        Route Based VPN.
    •        Permanent Tunnels.
    •        Link Selection Load Sharing.
    •        Service Based Link Selection.
    •        Route-based probing for Link Selection.
    •        Back-to-back tunnels (hub and spokes).
    •        Dynamic Routing through VPN tunnels.
    •        Identity Awareness through VPN tunnels.
    •        Members’ local connections through VPN tunnels.

VSX

Configure Bridge and Multi-Bridge interfaces on a regular Virtual Systems not in Bridge Mode to use features that require an IP address to work, such as Identity Awareness, Threat Emulation, UserCheck Web Portal and Captive Portal.

IPsec VPN

VPN performance enhancements -
Site to Site VPN and Remote Access clients
are now handled by two different processes.

Access Control

Enhance security by setting default values to Access Rules when the last object in a rule’s cell is removed.

Advanced Routing

  •        IPv4 PIM enhancements. and stability fixes.
  •        Ability to clear OSPF error counters.
  •        OSPFv2 Graceful Restart with ClusterXL.
  •        Static Multicast Forwarding.
  •        Support for different ECMP algorithms.

ISP Redundancy

Support up to 10 ISP links.

 

Quantum Security Management

Security Management Servers enchantments

  •        Infallible Management Login - Improved stability of the log-in process to the Management server using SmartConsole or Management API, when the Server is under load.
  •        Significant improvements for the stability and performance of the Security Management Server, especially for large Management environments under high load:
    •         Admin operations to the Security Management Server such as backup and restore, and revisions purge are drastically faster.
    •        Faster Management API functions execution.
    •         Search and navigate in SmartConsole is smoother when concurrent SmartConsole administrators are connected

Management REST API

  •        New export, import, and upgrade Management APIs for primary Security Management Servers or Multi-Domain Servers.
  •        Unified Management API commands for server export and import, Domain backup and migration.
  •        SmartLSM - REST API commands to simplify the creation of ROBO Gateways.

SmartConsole

Automatic updates - SmartConsole detects and installs client updates for the same major version.

Logging and Monitoring

  •        IPS and Anti-Bot logs now include a MITRE ATT&CK section that details the different techniques for malicious attack attempts. This Section provides an easier way to understand an attack by looking at the log card and to export the data to external SIEM systems, and an easy search and filter for attack events based on MITRE techniques.
  •        Dynamic logs distribution - Configure the Security Gateway to distribute logs between the active Log Servers to reduce CPU and Disk utilization.
  •        Enhancement to logging services stability.

CloudGuard Controller

  •        Use AWS Security Token Service (STS) Assume Role to simplify the access to AWS Data Centers.
  •        Support all Microsoft Azure Data Center locations.

Management High Availability

  •        Synchronization and stability enhancements.
  •        Significant Full sync duration improvement.

Multi-Domain Server

IoT support for Multi-Domain Security Management.

SmartLSM

Use group object, Multiple IP addresses and IP ranges in LSM profiles

Endpoint Security VPN

  •        Endpoint Security Web Management enhancements to allow the configuration of:
    •        Media Encryption & Port Protection policy
    •        Firewall policy
    •        Application Controlpolicy
    •        Developer protection policy

Push Operation for Host Isolation and Client Uninstall

 

 

*Quantum Maestro Hyperscale - Will not be part of R81.10 EA program

47 Comments
HristoGrigorov

I am about to migrate our prod. SMS from R80.40 to R81 and although I don't want to bind in any "bloody  engagement contract" I will try to provide feedback if something goes terribly wrong. So, whish me good luck... 😉

Evan_Gillette
Explorer

Is it fair to assume that this statement
"Maestro Orchestrator is aligned with the latest version as part of the main-train release and includes the latest Gaia fixes and improvements."

implies Maestro will support things like generic data center objects? That is listed as a limitation of r81sp

PhoneBoy
Admin
Admin

This is referring to the software image that runs on the orchestrator itself, which I believe is currently on R80.20SP. 
There may be some Maestro-specific limitations (though we are working to remove them).

Tal_Ben_Avraham
Employee
Employee


@Evan_Gillette  - as @PhoneBoy  mentioned, This is another step to the complete unification (integrating MHO code into main-train). Now MHO and GW (SGM) is part of main releases and will be included in all main-releases. However, though this doesn't mean all features will be supported for SP (please keep following limitation notes), you can expect all gaps/limitations to be reduced significantly in each new version.

In addition, all new features/capabilities are expected to be supported for SP.

Douglas_Araujo
Participant

For the ISP Redundancy section, will be any other enhancement on this feature or only support for 10 ISP's?

Because only increasing the number of ISP's without any other enhacement (set link priority based on application, set routing through one specific ISP in a simple way - without PBR, monitor link quality - latency, jitter, available bandwith), will continue to be a poor feature in the solution.

And, at least for me, it will continue to be a "not recommended for use" when I meet a customer that wants to use ISP redundancy with Check Point.

Magnus-Holmberg
Advisor

Within Dorits roadmap there was some pictures on SDWAN like features where things like link quality, cost etc was included.
Not sure in what release it will be included, but it seams to be on the roadmap atleast 🙂

Regards,
Magnus

Garrett_DirSec
Advisor

I've been working with local CP partner engineer on the SD-WAN specifics.   the info I learned is now months old.

I was the guy who Dorit addressed the topic of buying SD-WAN company or develop in-house during CPX 2021 (Americas). 

  • develop in-house
  • target # sites ~~ 30
  • public EA target late Q3
  • full GAIA priority -- SMB GAIA to follow at "later date" 
  • everything subject to change.

PS -- curated this content to avoid any concerns about proprietary info. 

PhoneBoy
Admin
Admin

@Garrett_DirSec I believe the target release for those features is R81.20, FYI.
Again, subject to change. 

the_rock
Legend
Legend

I dont see much difference between R81 itself, but so far, no complaints, running fine...hope I did not jinx it : )

shlomip
Employee Alumnus
Employee Alumnus

@the_rock ,

Are you running R81 or EA version of R81.10?

Garrett_DirSec
Advisor

thanks @PhoneBoy for the release details. 

the_rock
Legend
Legend

@shlomip...its R81.10 version.

JozkoMrkvicka
Mentor
Mentor

I see that R81.10 is in Public EA available within Early Availability Programs

Once registered, going to Download section I am redirected to some odd page.

Is that only me who is not able to download the files ?

Thank you.

shlomip
Employee Alumnus
Employee Alumnus

@JozkoMrkvicka ,

Is the download page unavailable? this link you redirected too is the "Download agreement" page - are you getting this page? ( when pressing the "Odd page" that is what i get) follow which you expect to get the download page

There might be some networking issues, try deleting cookies and make sure you made the registration itself

, if that persist - Please let me know

 

 

 

JozkoMrkvicka
Mentor
Mentor

@shlomip 

I am registered to R81.10 Public EA:

 

The "Download agreement" page is shown. When I click on Accept:

image.png

shlomip
Employee Alumnus
Employee Alumnus

 

@JozkoMrkvicka ,

you are there, Just press the accept button and you will be directed to the download page

Then just choose R81.10, press "Search" and you will get the download list

 

 

R81.10 Public EA Search.PNG

Ted_Serreyn
Collaborator

I also get a message after accepting the license agreement and am NOT able to download.

 

 

 

Our apologies, the Early Availability Program you are attempting to access does
not exist in the system or you are not entitled to access it.
To access an Early Availability Program, please register at the User Center.

shlomip
Employee Alumnus
Employee Alumnus

hi @Ted_Serreyn ,

Thanks for letting us know.

We are looking into that and will update

 

Shlomi

the_rock
Legend
Legend

One thing I noticed, which I find very odd...I saw this with 2 customers, as well as in my lab R81.10. Say if you enable infinity threat prevention, lets you apply the policy fine, but then sometime during next 24 hours, policy keeps failing until you disable infinity threat prevention and just enable IPS blade itself. Im not sure why this happens, but I experienced exact same issue in lab with trial license that covers any blade.

 

Ideas, suggestions?

shlomip
Employee Alumnus
Employee Alumnus

@Ted_Serreyn , @JozkoMrkvicka ,

You should be able to download the files now, please let me know if you still encounter any issue.

Thanks and Sorry for the inconvenience 

 

Shlomi

shlomip
Employee Alumnus
Employee Alumnus

@the_rock ,

Let me Check about the infinity Threat Prevention issue you raised and get back to you

 

Shlomi

randolchen
Participant

Hi @PhoneBoy, have you heard any news for the replacement of the LoginParam XML file for auto connect feature on the SmartConsole.exe?. I heard that it will be replaced by using some SSO token instead.

 

kind regards,

Randol

the_rock
Legend
Legend

Thanks a lot @shlomip . Honestly, I am little surprised I had this issue with R81. I had someone from Israel office give me presentation about it couple of months back, but we never really got into troubleshooting the problem, just the features, which is great, but if the issue is there, solution for it would be nice : )

shlomip
Employee Alumnus
Employee Alumnus

@the_rock ,

I will contact you offline for this

 

Shlomi

Jason_Elmore1
Participant

Still unable to download the EA, same message as above.

 

Jason

Daniel_Kavan
Advisor

Can I upgrade from R80.40 to R81.10 EA?   I think the answer is no, need to reformat and clean install.   Once I'm on R81.10 EA, can I upgrade to R81.10 GA when it comes out?   I think the answer is no, need to reformat and clean install. 

shlomip
Employee Alumnus
Employee Alumnus

@Jason_Elmore1 ,

This should not happen, we are looking into this from our side.

meanwhile ,please make sure you were logged in and registered to the program 

shlomip
Employee Alumnus
Employee Alumnus

@Daniel_Kavan ,

to answer your questions

 

Can I upgrade from R80.40 to R81.10 EA?  Yes. You can. the public EA contains the upgrade package and instructions. Please  follow it

 Once I'm on R81.10 EA, can I upgrade to R81.10 GA when it comes out?  You can technically. But we do not support it with the public EA ( e.g. EA 2 GA upgrade issues). You can also see that the public EA program is intended for lab purposes only. (See its limitations/disclaimer)

You can however, join our private EA program and enjoy that support and more.

 

HTH

 

Shlomi

shlomip
Employee Alumnus
Employee Alumnus

@Jason_Elmore1 ,

R81.10 public EA Download should be OK now. Please let me know if you experience any more issues.

 

Sorry for the inconvenience 

 

Shlomi

PhoneBoy
Admin
Admin

FYI, in the context of a public EA, we have never supported EA to GA upgrades.
This is one of many advantages of participating in the private EA program 🙂

Jason_Elmore1
Participant

It's working now, thanks.

 

 

Jason

 

shlomip
Employee Alumnus
Employee Alumnus

@Jason_Elmore1 ,

Glad to Hear. You are welcome to contact us with any feedback regarding R81.10

shlomip
Employee Alumnus
Employee Alumnus

Just to close the loop with @the_rock , and the  the infinity Threat Prevention issue, we discussed this  offline and it was solved.

the_rock
Legend
Legend

Thanks @shlomip , appreciate all the help!

 

Andy

Paul_Hagyard
Advisor

In the past it has been possible to liaise with TAC to provide an upgrade path from public EA to GA, typically with some custom scripts. There are no guarantees however, which makes running public EA only viable for a basic lab. Rebuilding my home environment manually would take hours, the API doesn't cover everything, and migrate export/import is no help after weeks have gone by.

How are people finding R81.10 in terms of stability? I've recently rebuilt my R81 gateway back to R80.40 as R81 was intermittently dropping DNS reply traffic from Internet name servers. I've also had numerous issues with my R81 SmartCenter refusing to authenticate SmartConsole logins - until after cpstop/cpstart.

shlomip
Employee Alumnus
Employee Alumnus

@Paul_Hagyard ,

We have positive feedback so far on R81.10 from our EA program in terms of stability, we pay close attention to it as well as to quality. 

I am not familiar with the specific R81 issues you raised, if you have any references will be happy to try and assist/review them

JackOtero
Explorer

When will we have ISP redundancy compatibility for VSX - VSLS environments? I am a customer who is passing his entire environment to VSX and this limitation forces him to have other devices to do this work.

They must work on this limitation urgently

PhoneBoy
Admin
Admin

@JackOtero if this is an urgent requirement, please bring it through your local Check Point office.

_Val_
Admin
Admin

@JackOtero I second what @PhoneBoy said, please raise an RFE with your local Check Point guys.

JackOtero
Explorer

@PhoneBoy Solved with separate devices to realize ISP redundancy. My point is CheckPoint should work in future releases ISP redundancy support for VSX - VSLS environments.

 

Will_H
Contributor

@JackOtero There are better solutions than ISP redundancy. ISP redundancy opens up a whole can of worms and caveats that would need to be evaluated every time you want to change something. ISP redundancy IMO is something better left to the external routers who are usually running BGP.

Again, my option, its much less hassle to let the external interface of your firewall have 1 VIP and not 2 or 3, with weights, DNS foolery for inbound stuff and all the other shenanigans. 

Sure there are use cases but the con's far outweigh the pro's. 

Buy bigger circuits, or move that ISP load balancing function to the routers.

 

My 2 Cents.

PhoneBoy
Admin
Admin

I believe the way we are handling this going forward @JackOtero is by enhancing Policy-Based Routing and the like to handle these features, which should work with VSX.
That said, this problem is likely better solved with an upstream router handling this. 

JackOtero
Explorer

I think the best solution is to add ISP redundancy for VSX - VSLS environments, this compatibility should be there for future updates.

Pauli
Participant

Requires the Feature

"Access Control

Enhance security by setting default values to Access Rules when the last object in a rule’s cell is removed."

 

R81.10 on Management Server AND Gateway or R81.10 on Management Server only (and the GWs with R80.40/R81)??

PhoneBoy
Admin
Admin

@Pauli I don't believe this requires upgrading gateways.
It does require configuration, though.

JackOtero
Explorer

You can show me a SK where I show how to make the settings?. I have 2 internet channels, with published web servers and client VPN connections pointing to them

PhoneBoy
Admin
Admin

@JackOtero please create a new thread for your question.

Labels