Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

R81.20 EA Program | Production

Tsvika_Akerman
Employee
Employee
10 20 16.8K
 
 

CM_R81.20_EA.JPG

 

Check Point Quantum R81.20 is packed with new features. that offer elasticity, efficiency, and innovative security enhancements


Quantum IoT Protect offers enterprise IoT device discovery embedded into Quantum Gateways and applies autonomous zero-trust policies that are automatically updated based on device type, risk level, and industry best practice, making it easy to secure IP cams, smart TVs, wi-fi printers and much more.

Zero-Day Phishing Prevention, powered by patented technologies and AI engines, prevents access to the most sophisticated phishing websites, both known and completely unknown, without the need to install and maintain clients on end-user devices.

Continuing to innovate Maestro, several new features improve efficiency, elasticity, and compatibility with public clouds. The new Autoscaling feature in Maestro Hyper-scale lets you automatically allocate resources across security groups (based on your priorities), bringing cloud-like scale and agility to your prem-based security (for example, to accommodate peak traffic hours). To support high-speed, high-volume transaction environments (e.g. digital trading), Maestro now offers accelerated data paths for higher throughput and lower latency based on predefined rules (“Fast Forwarding”).

Enhancing the gold standard in Security Management: Quantum R81.20 lets you leverage the new Management API to integrate security from the ground up and efficiently manage access policies with support for dynamic policy objects taken from external sources. A new workflow now supports policy change management to minimize errors, allowing verification for new policies before they are applied and enforced throughout (“4 Eyes Principle”). And automating VPN connections to public clouds, R81.20 makes it easy to connect your Quantum Gateways with data centers hosted in the public cloud. Offering simplified user authentication with third party SAML Identity Providers, authentication is modernized and improved for administrators log-in to SmartConsole as well as remote users accessing corporate assets. This enables SSO, MFA, and compliance checks, and complements current support for third-party Identity Providers by the Identity Awareness blade.

 

Enrollment | Production EA

Early Availability Production Programs let you experience and participate in shaping Check Point products by test driving pre-release versions and providing detailed feedback.

Following the enrollment survey submission, we will contact you in order to review the details, answer questions and agree on the process.

Enroll Now 

 Additional questions? contact us@ EA_SUPPORT@checkpoint.com 

 

New in this release

 

Quantum Security Gateway and Gaia

Threat Prevention

  • Prevent browsing to Zero-Day phishing websites
    • Check Point Quantum Security Gateway enhances its web browsing protection to further prevent users from accessing phishing websites.
    • Powered by patented technologies and AI engines, the Security Gateway now uses Clientless In-Browser protection to prevent access to the most sophisticated phishing websites, both known and completely unknown (zero-day phishing websites).
    • The enhanced solution is available through the Security Gateway network flow, introducing dynamic security components that run within the browser with no need to install any client.
    • Delivered as part of your existing NGTX license.
    • Works out of the box for Security Gateways with Autonomous Threat Prevention enabled.
  • Up to 50% performance enhancement to IPS CIFS protections.
  • IOC feeds now support a significantly increased capacity in the number of observables for URLs, Domains, IP addresses, and Hashes - 2 million and up to hardware limit.
  • Support for inspection of FTPS by Content Awareness, Anti-Virus and Threat Extraction blades.


Maestro Hyperscale

Maestro Fastforward -Significantly Improved throughput and latency for trusted connections. Maestro Fastforward offloads accept or drop policy rules to the Maestro Hyperscale Orchestrator for hardware acceleration.

  • Sub microseconds latency.
  • Port line-rate throughput for single connection.
  • Support for Accelerated policy installation on Maestro Security Gateways. For more information see sk169096 .
  • Support gradual upgrade with Multi Version Cluster (MVC)
  • Based on the current traffic load, the Security Gateway automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue configuration for zero traffic impact.
  • Management Data Plane Separation (MDPS) support for Scalable Platforms.

 

IoT Protect

Leverage Quantum Security Gateway and Infinity to instantly discover IoT devices and enforce independent Zero-Trust policies.

  • Only allow what's needed for the device to operate.
  • Automatic grouping based on device type.

 

IPsec VPN

  • Seamless site-to-site tunnel establishment with AWS native cloud VPN. Setup a route-based VPN tunnel with a virtual Gateway with just a few simple steps.
  • Major performance and stability improvement for Remote Access and Site to Site VPN that delivers a much higher capacity for VPN tunnels.
  • Extended Security Gateway certificate validation capabilities for faster authentication.

 

Access Control

  • Network Feed Object - Use a Network Feed object to get dynamic IPs or domains of a specific external service that is not included in the Updatable Objects options. In addition, the user can create its own service containing a list of IPs or domains and have them in his policy. The object is automatically updated in Security Gateway without the need to install the policy.
  • Performance improvements - support for Updatable Objects, Domain objects, and Dynamic objects with the Optimized Drop feature (drop templates).

 

Advanced Routing

  • Support for Intermediate System (IS-IS) routing protocol.
  • DHCP Relay Agent Information Option 82 that addresses several scaling and security issues arising in public DHCP use.
  • OSPFv3 NSSA support.
  • IPv6 Static MFC Cache to enable forwarding of multicast data without PIM configuration.
  • Support for Routed control scripts to allow ClusterXL fail-over and tear down of BGP connections.
  • Routing Protocol History for BFD to improve troubleshooting capabilities.
  • Netflow Live connections and Firewall rule ID UUID.

 

 

Gaia Operating System

  • Configure a retention policy for Gaia scheduled backups and snapshots.
  • Using the CLI, monitor the module temperature, module supply voltage, TX Bais voltage, Rx optical Power, and TX optical power for a single transceiver or all transceivers on an appliance.
  • Automatic update to the NIC firmware during the ISO installation process for appliances that have 40GbE, 100/25GbE, and/or SmartNIC acceleration cards.

 

CoreXL

In UserSpace Firewall (USFW), the number of IPv6 instances can equal the number of IPv4 instances, allowing the configuration of the gateway to process a more significant amount of IPv6 traffic.

Identity Awareness

  • The Identity Awareness Gateway automatically identifies and excludes Service Account sessions acquired by the Identity Collector. For more details, see sk174266.
  • Improved resiliency, scalability, and stability for PDPs and Identity Brokers. Additional threads handle authentication and authorization flows.
  • Automatic tuning of nested LDAP groups - The Identity Awareness Gateway automatically chooses the optimal way to query the LDAP server for users and groups.
  • During a PDP failure, a PEP Identity Awareness Gateway can recover its identity database from connected PDP Gateways.
  • Identity Collector is now supported with Quantum Spark Appliances.

 

Mobile Access

Oauth 2.0 support for Capsule Workspace and Office 365.

 

Quantum Security Management

General

Performance improvements to IPS updates and utilization.

SmartConsole

Administrators can use SAML 2.0 to configure SmartConsole users to authenticate with an Identity Provider.

SmartWorkflow

Send policy and configuration changes for peer review and approval before publishing.

Management REST API

Management API support for:

  • Identity Awareness configuration on gateways and clusters.
  • HTTPS Inspection outbound certificate configuration.
  • Creation of LSM Gateways.
  • Creation of LSM Gateways VPN configuration.

 

Upgrades

  • Central Deployment- Use SmartConsole to:
    • Gradually upgrade Quantum Cluster Members.
    • Upgrade Quantum Spark and Quantum Edge Appliances.
  • Pre-Upgrade Verifier results are now presented in the upgrade report.
  • Significant performance improvement by importing Domain Management Servers concurrently instead of sequentially.

 

CloudGuard Network Security

  • CloudGuard Controller support for:
    • Oracle Cloud Infrastructure (OCI)
    • Nutanix
    • New Azure resources – Application Security Groups, Private Endpoints
    • New AWS resources – Load Balancer tags
  • Nutanix Flow support for CloudGuard Network Security Gateways.
  • Amazon Web Services (AWS):
    • Security Gateway, Single, High Availability Cluster, Auto Scaling Group (ASG), Gateway Load Balancer Auto Scaling Group (ASG), Transit Gateway with ASG.
    • AWS Gateway Load Balancer support.

 

Harmony Endpoint

Endpoint Policy Management

Use SSO to connect to the Endpoint Web Management Console.

Remote Access VPN

Authenticate Remote Access VPN users with SAML.

 

 

 

20 Comments
rami
Participant

Nice!

 

RickHoppe
Advisor

How do you actually enroll this time? "Enroll Now" is not a link to a survey.

JackOtero
Explorer

No enhancement for VSX, such as the much desired ISP redundancy. Internet

_Val_
Admin
Admin

@RickHoppe and all, we have a bit of an issue with registration forms. before it is fixed, the best way is to send a PM to @Tsvika_Akerman for enrolment. 

Naor_Nassi
Employee
Employee

@JackOtero R81.20 will include support for DHCP server per VS.

Other than that it will include overall quality improvement as well. 

Chris_Atkinson
Employee Employee
Employee

@JackOtero Further to Naor's comments vsx_provisioning_tool was also improved in some scenarios.

JackOtero
Explorer

Thanks for your answers , but the most anticipated function and surely by many clients who changed their environment to VSX is the function of internet channel balancing. At this time if an internet channel goes down I have to change the default routes manually

Chris_Atkinson
Employee Employee
Employee

@JackOtero Many customers with VSX use dynamic routing on their upstream devices as best practice.

Where static routing is used running HSRP/VRRP between the neighbour routers allows for a common next hop gateway.

All that being said I will enquire internally regarding your requirement.

Magnus-Holmberg
Advisor
Advisor

Anything new regarding vsx api Or websmart console?

Naor_Nassi
Employee
Employee

@Magnus-Holmberg 

WEB SmartConsoel:

  • task manager (currently, without task details)
  • UI Improvements
  • Editor Drag & Drop
  • Rulebase context menu (Negate, sections operations,
  • disable a rule, switch to none/any, select existing shared inline layers)
  • support address range editor

VSX API - there is nothing new in R81.20

JackOtero
Explorer

A major enhancement for VSX, support for ISP redundancy,

¿Are there plans that this will ever be supported?

Chris_Atkinson
Employee Employee
Employee

@JackOtero If ISP redundancy on VSX is critical for you please discuss an RFE with your local SE.

Krishnan
Contributor

Hi,

What about that SD-WAN ? When will it be enabled ?

shlomip
Employee Alumnus
Employee Alumnus

Hi @Krishnan .

Please see this post to get an answer to your question as well as more information about R81.20

 

Shlomi

Garrett_DirSec
Advisor

Hello -- glad to see  SmartWorkflow redux make it into R81.20 EA release. 

From the related checkmatest thread on SmartWorkflow, how does potential EA customer "play around" with new Smartworkflow implementation before they commit? 

Can someone post some screenshots?    Will it be functional in "demo version" of R81.20 EA SmartConsole?

Any insight would be appreciated. 

Also, has it been decided if SmartWorkflow will be free or licensed feature (ie. $$$)?  

thanks -GA

reference great insight form @Tomer_Noy :

Will SmartWorkflow Come Back?

skandshus
Advisor
Advisor

I see web smartconsole mentioned.. is that a new thing?

Garrett_DirSec
Advisor

@skandshus 

yes.  first iteration was R81 web version of logging via smartview  (ie.  browse to your smartcenter with a /smartview ).

I haven't seen it yet, but R81.10 (and .20) include policy and logging in web app.  (ie.  browse to your smartcenter with a /smartconsole ).

 

Tomer_Noy
Employee
Employee

Thanks for the question on Workflow @Garrett_DirSec 

Workflow will indeed be part of R81.20. 

The easiest and immediate way to experience the feature is to join this week's R&D roundtables at Europe CPX. We have a table in the "Quantum area => R8x new features" with the R&D team that developed it. They will demo it and answer direct questions.

You will also be able to see it in Demo Mode, but usually we release Demo Mode in advanced stages of public EA, so that will take a bit longer.

Regarding the question on license/cost, after discussion with PM we've decided to make the feature free & available to all customers without an extra license! We're really excited about Workflow and hope that it will be beneficial to as many admins as possible 🙂

Garrett_DirSec
Advisor

hello @Tomer_Noy   sincere thanks for the update with insight and details.     enjoy the ongoing CPX events. 

skandshus
Advisor
Advisor

@Garrett_DirSec 

 

well thats propably a smart move.. considering how slow the "application is" i feel like im navigating in the 1990's

Labels