
R82.20 EA Program | Production

Naor_Nassi
Employee

 

R82.20 is a major leap forward in security, networking, performance, and operational
efficiency across Threat Prevention, Security Gateways, VPN, Hybrid Mesh, and Security
Management (Smart-1). This release brings broad IPv6 readiness, deep SASE integration,
improved clustering and routing scalability, and enhanced management capabilities, making it
one of the most substantial upgrades in recent versions.

 

FedRAMP-authorized mode
New optional FedRAMP mode for Security Gateways directs cloud-dependent security
blades to use FedRAMP-hosted and authorized services.


Higher Availability, Predictability & Resilience
R82.20 significantly improves system resilience and traffic continuity:


- Critical State Detection proactively identifies memory, CPU, disk, and congestion
issues.

- ElasticXL gains MACsec-encrypted synchronization and per-VS clustering logic,
ensuring multitenant environments remain stable and isolated.

- VSX hardware acceleration now supports high-speed 40/100GbE and
10/250GbE cards for line-rate throughput.


A More Secure & Modern Infrastructure
R82.20 delivers full-stack IPv6 expansion across Threat Prevention, ThreatCloud AI, DNS
security, VPN, Identity Awareness, VoIP, Dynamic Routing, and Gateway management.

This enables confident operations in modern dual-stack or IPv6-only networks without
compromising visibility, threat prevention, or operational control.


Security engines receive strong upgrades:


- DNS Trap and SNORT 3.x now support IPv6 and modern rule syntax for enhanced
threat detection.
- Cisco SGT enforcement adds granular zero-trust network segmentation.


Faster, More Scalable Networking
R82.20 introduces the largest routing and VPN upgrade set to date for higher application
performance, resilience, and operational simplicity:

 

 

 

Enrollment | Production EA

Early Availability Production Programs let you experience and participate in shaping Check Point products by test driving pre-release versions and providing detailed feedback.

Following the enrollment survey submission, we will contact you in order to review the details, answer questions and agree on the process.

Enroll Now

For more EA programs, you can visit our new SK here: Check Point Early Availability (EA) Programs - [sk183058]

This page provides comprehensive information about Check Point ‘Ongoing’ and ‘Upcoming’ EA programs, as well as the onboarding and support process.

Additional questions? Contact us at DL-Early_Availability@checkpoint.com

 

Threat Prevention

Threat Prevention Blades

  • SNORT 3.x rules syntax is now supported in IoC feeds. This increases coverage of
    supported SNORT rules and enables compatibility with the latest threat detection
    content.
  • DNS Trap now supports IPv6 connections, enabling DNS-based threat prevention
    capabilities in IPv6 environments.

HTTPS Inspection

  • New TLS Inspection Block Page – When HTTPS Inspection blocks a TLS connection
    because of server certificate issues (revoked, expired, or untrusted), a notification page
    explaining the reason for the block is now displayed.

Security Gateway

Identity Awareness

  • Security Gateways now support Cisco SGT (TrustSec) tagged traffic for pass-through
    and identity enforcement. Access Role objects can now match a specific Cisco SGT for
    access control directly from the network traffic.


Security Gateway Enhancements

  • Introducing FedRAMP mode for Security Gateways. This new mode directs cloud-dependent services to use FedRAMP-hosted and authorized services. The supported
    services are: URL Filtering, Application Control, Anti-Bot, Anti-Virus, Zero Phishing, and
    Threat Emulation.
    Note: Threat Extraction and IPS do not rely on cloud services and are therefore
    compliant by default.


Security Gateway Operations

  • Maestro, ElasticXL, and ClusterXL clustering health status have been refined to include
    critical states such as high memory, low disk space, or packet drops because of
    congestion. This will trigger an alert that is visible in SmartConsole, CPView, and AIOps.


Gaia OS

  • Gaia OS introduces Unified Configuration, expanding and streamlining advanced
    configuration management across the platform and related products, and deprecating
    the use of Expert mode. Advanced system and feature configurations, including kernel
    parameters and cross-feature settings, are now managed using the Gaia Portal, Gaia
    Clish, or the Gaia Rest API, providing consistent access.
    A new System Configuration tab in the Gaia Portal delivers a simplified, efficient
    experience for managing commonly used settings across multiple features. All
    configuration changes are processed through a unified API framework, ensuring
    configuration persistence across reboots and upgrades, with full auditability and
    traceability.
  • Quantum Force 3900 Appliances now include integrated switching capabilities. LAN
    ports can be segmented for switching groups, improving performance for traffic within
    the same segment while maintaining full firewall inspection for traffic across segments or
    to external networks.


Dynamic Routing

OSPFv3 enhancement:

  • OSPFv3 authentication using ESP, providing secure routing exchanges and protection
    against unauthorized route injection.

BGP enhancements:

  • BGP support over multiple Virtual Tunnel Interfaces (VTIs) with the same local address,
    enabling flexible routing across multiple tunnels.
  • AS-path prepend on import, allowing control of inbound traffic by influencing path selection.
  • BGP peer groups with auto-discovery, simplifying configuration for large-scale BGP deployments.

General routing enhancements:

  • Wildcard mask support for more flexible route matching and filtering.
  • IGMP and MLD blocked groups, preventing joins to restricted multicast groups and improving multicast security.
  • Route-map configuration via WebUI, improving usability and simplifying the configuration of the route maps feature.
  • Monitoring of NAT Pools.
  • Monitoring of IPv4 static multicast routes (static mroutes).

Cluster and Scalability

  • ElasticXL synchronization traffic is now encrypted using L2 (MACsec) encryption. This
    protects all traffic between ElasticXL Cluster Members.
  • In VSNext mode, each Virtual Gateway now has an independent clustering state. A
    "Down" cluster state on a specific Virtual Gateway does not affect the entire cluster
    member state, so other Virtual Gateways on the affected member will remain "Active" on
    that cluster member and will not failover.

 

 

VPN

  • Remote Access VPN now offers enhanced policy management through the new Remote
    Access VPN Community. This enables differentiated access policies for various user
    groups, streamlined configuration, and a more intuitive management experience for
    large and complex organizations.
  • Carrier Grade NAT (CG-NAT) with auto-discovery VPN now enables direct VPN tunnels
    between gateways behind CG-NAT, using broker-assisted discovery to create tunnels
    with dynamic IP addresses.
  • Introducing SmartConsole single-click IPSec tunnel setup between Security Gateway
    and Check Point SASE, providing best practices for both full mesh and hub-and-spoke
    (star) topologies and supporting policy-based and route-based modes.

IPv6 Enhancements

Security Gateway

  • Suspicious Activity Monitoring (SAM) has been redesigned and integrated with the Gaia
    API, enabling dynamic, API-driven configuration similar to Dynamic Policy Layers. This enhancement includes full IPv6 support alongside the existing SAM commands.
  • You can now configure the Security Gateway management interface for IPv4, dual-stack
    (both IPv4 and IPv6), or single-stack IPv6-only operation during pre-installation or in the First Time Wizard, supporting single-stack IPv6 deployments from initial setup.
  • Added support for IPv6 Dead Peer Detection (DPD)-based Tunnel Monitoring for Permanent Tunnels and IPv6 DPD-based Multiple Entry Point (MEP) topology. These
    enhancements enable reliable VPN resilience and liveness checks over IPv6, including mixed IPv4/IPv6 tunnels in redundant and multi-entry point deployments.
  • Identity enforcement (in Identity Awareness) IPv6 support using Identity Agent was
    extended with support for multiple address types, including link-local, Global Unicast
    Address (GUA), and Unique Local Address (ULA). It also fully supports Privacy Extension (RFC 8981), ensuring consistent identity-based policies even as IPv6 addresses change dynamically.
  • Added support for Route-based VPN over IPv6. This enables dynamic routing protocols
    and VTI-based VPN tunnels in IPv6 environments for improved flexibility and
    compatibility.

Dynamic Routing

  • Equal-Cost Multi-Path (ECMP) for static and dynamic routing protocols
  • Policy-Based Routing (PBR) now supports IPv6. This enables administrators to define
    custom routing decisions for IPv6 traffic based on source, destination, or other packet attributes.
  • Static multicast routes (static mroutes)
  • Multicast Listener Discovery (MLD) group limit, protecting against DoS attacks by preventing excessive group joins
  • MLDv1 SSM mapping, bridging legacy MLDv1 hosts to Source-Specific Multicast (SSM)
  • IPv6 PIM Embedded RP, eliminating the need for external RP-mapping mechanisms and
    simplifying IPv6 PIM-SM multicast deployment

VoIP

  • Added support for SIP traffic over IPv6.

Traditional VSX

  • Traditional VSX, GRE, and IPSec can now be hardware-accelerated when using
    40/100GbE and 10/250GbE cards, supporting line-rate throughput and low latency.


Tools

Improved performance of the FW Monitor troubleshooting utility on Quantum Force 19100,
19200, 29100, and 29200 Appliances. The new flag provides exclusion filtering
capabilities, such as an exclusion expression.

Hybrid Mesh Network

Management and Smart-1 Cloud

  • Introducing Unified Management of Internet Access policies for Security Gateways and Check Point SASE environments. You can now manage SASE Internet Access directly from SmartConsole, providing a single point of policy management across your hybrid
    infrastructure.

Smart-1

Upgrade

  • Introducing a new background upgrade capability designed to significantly minimize downtime to a few minutes during Management Server upgrades. The "Prepare Upgrade" phase runs seamlessly in the background, allowing administrators to continue
    working in SmartConsole, Web SmartConsole, or API without disruption. The "Complete Upgrade" phase then finalizes the changes, significantly reducing downtime compared to traditional upgrade methods.

Logging and Monitoring

  • In this release, Log Exporter can be configured to export only the first and/or the latest update per event or connection. This enables more efficient log processing by external
    SIEM (Security Information and Event Management) tools.
  • Log Exporter can now be configured via the Management API. This enables you to automate Log Exporter deployment and configuration within your infrastructure-as-code workflows.
  • Log Exporter can now be configured to send logs directly to AWS S3 buckets. This
    enables seamless integration with your existing cloud storage and log analytics
    workflows.