Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

R81 EA Program | Production

Tsvika_Akerman
Employee
Employee
25 40 29.8K

cover.JPG

 

 

 

 

 

R81 is the industry’s most advanced threat prevention and security management software for the data center, cloud, mobile, endpoint and IoT environment. R81 is equipped with every Quantum Security GatewayTM and features the highest level of security from SandBlast Zero-day protection to extend coverage for all products and protocols. R81 has some of the biggest innovations and features to arrive on the SmartConsole: The new Infinity Threat Prevention policy profiles for out-of-the-box security policies, the new MITRE ATT&CK View in SmartEvent and an all new Mobile Access Portal with a new design, improved user experience and full support for modern browsers. R81 is recognized for superior access control and policy organized in layers and sub-layers, single pane of  glass management and provides the ability for admins to work in conjunction with granular multi-tasking features – all of which is unique to Check Point.

Enrollment | Public EA:

All documentation/downloads is available on UserCenter when you register at the following link: https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default... 

Upgrade from Public EA to GA release is not supported.

Enrollment | Production EA

Early Availability Production Programs let you experience and participate in shaping Check Point products by test driving pre-release versions and providing detailed feedback. 

In order to enroll to the R81 Production EA Program please fill in:  online enrollment survey

Following the enrollment survey submission, we will contact you in order to review the details, answer questions and agree on the process. 

Additional questions? contact us@ EA_SUPPORT@checkpoint.com

 

New in this release

Infinity Threat Prevention

Infinity Threat Prevention is a new Threat Prevention management model, which uses an intelligent cyber security policy from the cloud to provide:

  • Out of the box policy profiles based on business and IT security needs.
  • Easy selection and assignment of a policy profile tailored to different needs.
  • Automatically updated policy profiles with the latest technologies and recommendations that protects from evolving cyber security threats.
  • Zero daily maintenance of policies and protections, without compromising on security or Connectivity  

Administrators can still perform manual changes to override Check Point’s recommended policies and profiles in a granular way to best serve their organization's need.

Threat Prevention

  • Custom intelligence feeds can now be managed through SmartConsole. Add, delete or modify feeds fetched by the Security Gateways as well as import files in a CSV or STIX 1.x formats.
  • Threat Extraction now works with ICAP servers in addition to Threat Emulation and Anti-Virus.

Security Gateway and Gaia

Access Control

  • Azure Active Directory support in Identity Awareness - Use Azure AD users and groups for authentication and authorization using Identity Awareness Access Role picker.
  • Generic Data Center - A new type of Data Center object provides the ability to enforce access to or from IP addresses defined in files located in external web servers. Objects created based on these files can be used in the Source and Destination columns of Access Control, NAT and Threat Prevention rulebases. The enforced IP addresses are automatically updated without the need for policy installation.

NAT

  • Support for Domain objects, updatable objects, security zones, access roles and data center objects in the NAT rule base.
  • Hit count for NAT rules.

VSX

VSX now supports:

  • Virtual Router configuration in VSX VSLS mode.
  • Multi-Bridge configuration in VSX VSLS mode.
  • Configuration of bridge interfaces on standard Virtual System in VSX.
  • Blades support with bridge interfaces in VSX.
  • Configuration of VSX Gateway and VSX Cluster objects using Management REST APIs.
  • Dynamic Routing VPN using Virtual Tunnel Interface (VTI) in VSX mode.
  • DNS server configuration independently per Virtual System in VSX.
  • Proxy server configuration independently per Virtual System in VSX.
  • QoS configuration independently per Virtual System in VSX.
  • Downgrade of VSX management objects to previous releases using the VSX_util downgrade tool.

Acceleration

  • The acceleration module now automatically adjusts the number of CoreXL SNDs, Firewall instances and the Multi-Queue configuration based on the current traffic load by default.
  • Improved handling of IOCs for indicators based on source IPv4 and IPv6 addresses.

Mobile Access

  • A fresh and modern user interface.
  • Improved user experience:
    • Redesigned scan results.
    • The SNX connection pop-up is obsolete.
    • More accessible to non-English speakers.
    • Ability to launch all applications in separate tabs without losing the main page window.
    • One click sign-out.
  • Simplified customization capabilities to easily utilize a customer's brand identity.
  • Full support for mainstream browsers running on all major platforms.

Scheduled Gaia Snapshots

New Gaia Scheduled Snapshot option lets you automatically back up and export a server's configuration.

Gaia OS

Support for additional network interface:

  • gVNIC (Google Compute Engine virtual Network Interface).
  • Support for additional tunneling protocols:
  • Virtual Extensible LAN (VXLAN).
  • Generic Routing Encapsulation (GRE).

Gaia REST API

  • First time wizard configuration allows setting the machine as a
  • Gateway/Management/Multi-Domain/Log Server using API.
  • Control of IPv6 status.

A new management API allows running API commands on a Security Gateway from the Security Management Server.

Advanced Routing

  • Enhancements for additional Dynamic Routing features:
    • OSPFv3 AH authentication for OSPFv3 protocol security.
    • IPv6 route aggregation - Reduces the number of prefixes advertised to neighbor routers improving performance and scaling.
    • IPv4 NAT-pool routes - Configuring and redistributing NAT-pool routes to routing protocols.

Routing Information Protocol (RIP) route sync.

CloudGuard IaaS

CloudGuard Controller

  • Data Center Query Objects - A simplified way to build queries using Data Center Objects to represent multiple Data Centers in the Security Policy. This provides easier and more efficient separation of  responsibilities for managing Data Centers.
  • Kubernetes Data Center – Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.
  • CloudGuard Controller now uses the system proxy for connections to all Data Centers.
  • A new object category in SmartConsole's object explorer called "Cloud" that aggregates all Data Centers, Data Center objects and Data Center queries into one.

CloudGuard Data Centers Integration of CloudGuard IaaS for East-West deployments using VMware NSX-T.

 

Security Management

Multi-Domain Server

  • Cross-Domain Management Server Search lets you search for objects across multiple Domain Management Server databases.
  • High Availability for Domain Management Server using Security Management Server. A Security Management Server can operate as a standby management Domain Management Server.
  • Configure a dedicated Log Server and a dedicated SmartEvent server for an individual Domain in a Multi-Domain environment.

Policy Installation

Concurrent Security Policy installation - One administrator or more can run several policy installations on different gateways at the same time.

SmartConsole

  • Support for multiple TACACS servers to utilize redundancy for administrators authenticating to SmartConsole.
  • Central Deployment using SmartConsole:
    • Allows upgrade between major versions.
    • VSX upgrade.
    • Use offline installation packages, the Security Gateway does not have to be connected to the internet. Import the installation packages to the Security Management Server and distribute to targets.
  • Diff report – generate a report that lists the differences between two revisions or lists the changes performed during a private session.

SmartEvent

A new MITRE ATT&CK view provides the ability to investigate security issues according to the MITRE defense models, and extract immediate action items based on the mitigation flow.

Management Server Upgrade

Significant Improvement in the upgrade process for Security Management Servers upgrading from R80.20 and higher to R81.

 Logging and Monitoring

  • New API for log queries provides the ability to fetch logs through API. Use a single API
  • management command to query for logs or statistics.
  • Significant improvement in log indexing, queries and SmartEvent views and reports.
  • Export logs using a timestamp of milliseconds, to more easily and efficiently construct a  chain of events.
  • Log attachment API provides an automated way to fetch log achievements using Log Exporter, or API for logs.

Endpoint Security

  •  Endpoint Web Management - a new Web-based management interface for Endpoint Threat Prevention components.
  • Communication with management services remains on port 443 instead of port 4434 when the Endpoint Management component is activated.

Endpoint Policy Management

  • Anti-Malware support for shared signature locations to support non-persistent VDI environments.
  • Application Control policy changes (multiple applications per EXE, terminate on execution, WSL, Developer protection)
  • Compliance integration with Windows Server Update Serviced (WSUS).
  • Full Disk Encryption support for custom HD images.
  • TACACS authentication for Web Remote Help (WebRH) .

Remote Access VPN

  • Significant performance improvements for Remote Access VPN clients using Visitor Mode.
40 Comments
PhoneBoy
Admin
Admin

Lots of great stuff here!

RickHoppe
Advisor

R81 promises a lot of good stuff. Will there be a public EA too?

Magnus-Holmberg
Advisor

Awesome things for MSP 🙂

PhoneBoy
Admin
Admin

Public EA will likely be at a later stage @MTV_RickH .

 

Marcel_Gramalla
Advisor

Are there any comments on TLS 1.3 or updatable SmartConsole? Would be really disappointing if those features (especially TLS 1.3) aren't in this major release.

FedericoMeiners
Advisor

Great news!!!

But still no possibilities to add more than one Remote Access community 😭

_Val_
Admin
Admin

Hooray, the future is here! Almost 🙂

Nadav_Feigenbla
Employee Alumnus
Employee Alumnus

Hi @Marcel_Gramalla, TLS1.3 inspection feature can be enabled based on R81 image.
We are looking for EA customers and hence relevant candidates can be of course enrolled as described above.

Contact me directly if you need any further clarifications.

Regards, 
Nadav

 

 

Arne_Boettger
Collaborator

Hello,

will R81 finally bring back support for IPv6 on MDS?

kind regards,

Arne

Magnus-Holmberg
Advisor

We would like to see

- Possibility to change name of CMA and other fields that has currently been unable to change.

- Smart-workflow to come back 🙂

- netflow per vs

- captivity portal on the identity collector.

PhoneBoy
Admin
Admin

Hey @Magnus-Holmberg :

On SmartWorkflow, you can already get the four eyes review in R80.40.
See this thread: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Use-of-MGMT-CLI-4-eyes-review/m-p...
Other elements could be implemented with custom SmartTasks, some of which have been posted to CheckMates. 

Magnus-Holmberg
Advisor

in this specific case regarding smartworkflow is the change reports and diff between revisions I do miss the most.

Chris_Atkinson
Employee Employee
Employee
HeikoAnkenbrand
Champion Champion
Champion

😀👍

genisis__
Leader Leader
Leader

I hope that Checkpoint does not rush this, and ensures that 99% of this is bug free, and yes some really great features so it looks exciting.

PhoneBoy
Admin
Admin

Generally we release by quality @genisis__.
One of the ways we ensure quality releases is the Early Availability program.
The more participants we have in the program (particularly Production candidates), the better.

Magnus-Holmberg
Advisor

Is API for VSX clusters planned for this release?
really missing the possibility to add routes and interfaces via API in VSX.
vsx provisioning tool is great but an api would be better.

PhoneBoy
Admin
Admin

There does appear to be one VSX specific API in this release from the early docs I saw but unfamiliar with the precise details of what it would allow you to do.

HristoGrigorov

Any chance to have Infinity Threat Prevention available for R80.40 as well ? 

einats
Employee
Employee

Hi 

 

Yes, it is available on top of R80.40 for EA.

 See SK163593 - Infinity Threat Prevention Management.

Please email INFINITY_THREAT_PREVENTION@checkpoint.com and we will assist you with installation.

 

Best regards,

Einat 

 

Arne_Boettger
Collaborator

Hello,

are there any details available regarding the "Support for additional network interface", especially VXLAN would be interesting for me.

kind regards, Arne

PhoneBoy
Admin
Admin

Mostly that you can configure these interface types in Gaia OS and the Security Gateway can enforce Access/Threat Prevention on those interface types.
That's my assumption @Arne_Boettger but if you have specific questions ask away 🙂

genisis__
Leader Leader
Leader

Is it possible to integrate a cosmetic feature?  If you have section headings, it would be nice to collapse and expand these using a + or - button.  If you have a large rule base and are using section heading its a really useful thing to do to find the area you need to work on quickly.

Also not sure if this has been previously asked, but can we now import a R80.x SMS into a R80.x MDS?  At the moment I I don't believe this is possible using R80.30, I know you can migrate a R77.x SMS into a R80.x CMA.

Chris_Atkinson
Employee Employee
Employee

Are you referring to a hotkey or something else, otherwise we have an arrow on the left hand side of the section header for this today.

section control.png

For details regarding supported domain migration scenarios please see: sk156072: Domain Migration in R80.x

Yip_KokFong
Participant

Is this available for all user regardless enterprise or SMB?

Thank you.

PhoneBoy
Admin
Admin

@Yip_KokFong this is for regular Enterprise gateways (not SMB).
I suspect there will be an R81-type release for SMB at some point in the future.

bcibnkcpfw
Participant

What about web smartconsole for management? Will be included or still windows dependency?

PhoneBoy
Admin
Admin

Can't say if this will be ready for R81 @bcibnkcpfw and even so, it would only handle a subset of the functionality that SmartConsole provides.

 

Jeff_Gao
Advisor

No SD-WAN support?

KonstantinosT
Participant

Hello,

Many new things and it sounds promising. 

Some things that I'd like to see in the upcoming release.

VRF support in Gaia OS.

Access Roles for Specific VPN Communities (e.g. Site-to-Site VPN). Currently it's supported only for Remote Access

 

We are using R80.40 and we also participate in the EA for Infinity Threat Prevention for our internal firewall cluster (Cloudguard IaaS). So far, it's been a positive experience and I'd encourage other customers to participate in Infinity Threat Prevention EA. 

 

bmo12
Explorer

I would love to check it out !

Do you have documentation available ?

Shirleyh
Employee Alumnus
Employee Alumnus

Hi,

documentation is available in user center:

Shirleyh_0-1598446603686.png

 

PhoneBoy
Admin
Admin
Martin_Valenta
Advisor

Currently getting this, when trying to download anything with R81, but it looks like when getting R65 version..

 

 
 

Annotation 2020-09-11 135356.png

_Val_
Admin
Admin

@Martin_Valenta, you need to start from here: https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default...

The site you have posted must be coming from Internet Archive 🙂

Martin_Valenta
Advisor

i was going over that link and after clicking https://downloads.checkpoint.com/dc/search.htm?appID=CPEA-EVAL-R81 and accepting terms i got redirected to archive 🙂

_Val_
Admin
Admin

@Martin_Valenta Weird. This is what I get, after registering one of my accounts to EA program and clicking that link you have provided:

Screenshot 2020-09-11 at 16.02.44.png

Try a different browser, cookies deletion, cache cleaned. The site you are showing, it is not even up 🙂

Jeff_Gao
Advisor

I look forward to adding the following functions:

  • SD-WAN
  • Login smartconsole integration LDAP
  • QOS one policy per ip rate limit when i add source with network segment

Ha..ha...Welcome others to add

Alexander_Wilke
Advisor

What about Scalable Plattform (64000). Will this be in the same R81 release or will there be a separete R81SP Release?

What is the next release after R80.20SP ?

Labels